Re: [TLS] Certificate keyUsage enforcement [whose duty, client's or server's?]

Peter Gutmann <> Thu, 08 November 2018 02:20 UTC

From: Peter Gutmann <>
Date: Thu, 08 Nov 2018 02:19:56 +0000
References: <> <m236seg80v.fsf@localhost.localdomain> <>, <>

Viktor Dukhovni <> writes:

>On Wed, Nov 07, 2018 at 03:48:26PM +0100, Martin Rex wrote:
>> There is *ZERO* security problem associated with TLS client allowing
>> a TLS server to do this, but it makes it harder to catch defective
>> CA software and bogus CA issuing practices when clients do not complain
>> here
>The interoperability issues I'm seeing are with self-signed certificates used
>in opportunistic TLS and DANE in SMTP.  The CA is some end-user, who "does not
>know any better", and the question is how pedantic should the client's TLS
>stack be in such a case.

My code, by default, strictly enforces keyUsage [0], so I end up seeing all
the broken certs out there, and it's complete chaos: (DH) keyAgreement set for
RSA certs, every possible key usage (including ones the algorithm isn't
capable of) set, things like email encryption and SSL server set for CA certs
(extKeyUsage), keyEncipherment for signing keys, digitalSignature for
encryption keys, it's the Rule 34 of PKI (if you can think of it, someone's
put it in an extension).  This includes CA-issued certs, not self-signed ones.
I think a significant chunk of TLS PKI only works because implementations
don't strictly enforce keyUsage.


[0] Which probably wasn't the best default setting.  If you think the public
    web PKI has broken certs, you should see what turns up in the SCADA
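The kinds of mismatch listed above (keyAgreement on an RSA key, keyEncipherment on a signing key, and so on) are what a strictly enforcing client would flag. The following is an added example, not code from this thread or from any of the posters' implementations: it decodes the DER BIT STRING that forms a keyUsage extension value (RFC 5280 section 4.2.1.3) and then audits the bits against the key algorithm and the way the key is used in the handshake, using the per-key-exchange requirements from RFC 5246 section 7.4.2 (TLS 1.3 always authenticates by signature, so it falls under the "sign" case). The sample extension values, the `tls_use` labels and the wording of the findings are constructed for the example.

```python
"""Decode an X.509 keyUsage extension value and audit it the way a strict TLS
client would.  Added example; the bit names come from RFC 5280 s4.2.1.3 and the
per-key-exchange requirements from RFC 5246 s7.4.2.  All sample values are
constructed for this example."""

from typing import List, Set

# Bit positions of the KeyUsage named bit list, RFC 5280 s4.2.1.3.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

# keyUsage bit a server certificate must carry for each way its key is used in
# the handshake (RFC 5246 s7.4.2; TLS 1.3 always signs, so it is "sign").
# The label strings are an assumption of this example, not a standard vocabulary.
REQUIRED_FOR_TLS_USE = {
    "rsa_kx": "keyEncipherment",   # RSA key transport (TLS_RSA_* suites)
    "sign": "digitalSignature",    # (EC)DHE_RSA, ECDHE_ECDSA, TLS 1.3
    "static_dh": "keyAgreement",   # DH_RSA / DH_DSS / ECDH_* suites
}


def decode_key_usage(der: bytes) -> Set[str]:
    """Decode the DER BIT STRING that is the extnValue of keyUsage.

    Layout: 0x03 <length> <unused-bit count> <bit bytes...>; bit 0 of the
    named bit list is the most significant bit of the first content byte.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    # Short-form length only; a keyUsage value is never long enough to need more.
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("bad BIT STRING length")
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused != 0):
        raise ValueError("bad unused-bits count")
    total_bits = len(body) * 8 - unused
    flags: Set[str] = set()
    for i in range(total_bits):
        byte_index, bit_index = divmod(i, 8)
        if body[byte_index] & (0x80 >> bit_index):
            # RFC 5280 defines 9 bits; anything beyond is reported, not dropped.
            flags.add(KEY_USAGE_BITS[i] if i < len(KEY_USAGE_BITS) else f"bit{i}")
    return flags


def audit_key_usage(flags: Set[str], key_algorithm: str, is_ca: bool, tls_use: str) -> List[str]:
    """Return the inconsistencies a strict client would reject (empty list = consistent).

    key_algorithm: "rsa", "ecdsa", "dh" or "ecdh".  tls_use: a key of REQUIRED_FOR_TLS_USE.
    """
    problems: List[str] = []
    # Bits the algorithm is not capable of (the "keyAgreement on RSA" case).
    if key_algorithm == "rsa" and "keyAgreement" in flags:
        problems.append("keyAgreement set on an RSA key (RSA cannot do key agreement)")
    if key_algorithm == "ecdsa" and flags & {"keyEncipherment", "dataEncipherment", "keyAgreement"}:
        problems.append("encipherment/agreement bits set on an ECDSA signing-only key")
    if key_algorithm in ("dh", "ecdh") and flags & {"digitalSignature", "nonRepudiation", "keyEncipherment"}:
        problems.append("signing/encipherment bits set on a DH/ECDH key-agreement key")
    # encipherOnly / decipherOnly are only meaningful together with keyAgreement.
    if flags & {"encipherOnly", "decipherOnly"} and "keyAgreement" not in flags:
        problems.append("encipherOnly/decipherOnly set without keyAgreement")
    # CA versus end-entity expectations.
    if is_ca and "keyCertSign" not in flags:
        problems.append("CA certificate without keyCertSign")
    if not is_ca and "keyCertSign" in flags:
        problems.append("keyCertSign set on an end-entity certificate")
    # The bit the handshake actually needs from an end-entity key.
    required = REQUIRED_FOR_TLS_USE[tls_use]
    if not is_ca and required not in flags:
        problems.append(f"{tls_use} needs {required}, which is not set")
    return problems


def audit_der(der: bytes, key_algorithm: str, is_ca: bool, tls_use: str) -> List[str]:
    """Convenience wrapper: decode the extension value, then audit it."""
    return audit_key_usage(decode_key_usage(der), key_algorithm, is_ca, tls_use)


if __name__ == "__main__":
    # Constructed keyUsage values (DER, hex).  The last one needs a 2-byte body
    # because decipherOnly is bit 8, an edge case short decoders get wrong.
    samples = {
        "clean RSA server cert":           ("030205a0", "rsa", False, "sign"),        # digitalSignature, keyEncipherment
        "RSA cert with keyAgreement":      ("030203a8", "rsa", False, "sign"),        # ... plus keyAgreement
        "ECDSA cert with keyEncipherment": ("030205a0", "ecdsa", False, "sign"),
        "proper CA cert":                  ("03020106", "rsa", True, "sign"),         # keyCertSign, cRLSign
        "ECDH cert with decipherOnly":     ("0303070880", "ecdh", False, "static_dh"),  # keyAgreement, decipherOnly
    }
    for name, (hexval, alg, ca, use) in samples.items():
        print(f"{name:34s} {sorted(decode_key_usage(bytes.fromhex(hexval)))}")
        for problem in audit_der(bytes.fromhex(hexval), alg, ca, use):
            print(f"    !! {problem}")
```

The decoder walks the BIT STRING bit by bit rather than masking a single byte, which is what makes the 9-bit decipherOnly case come out right; the audit keeps the "algorithm cannot do this" checks separate from the "handshake needs this" check so that a log line from a strict client says which of the two kinds of breakage it is looking at.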