Re: [Trans] path validation

Rick Andrews <Rick_Andrews@symantec.com> Mon, 29 September 2014 19:01 UTC

From: Rick Andrews <Rick_Andrews@symantec.com>
To: Santosh Chokhani <schokhani@cygnacom.com>, Stephen Kent <kent@bbn.com>, "trans@ietf.org" <trans@ietf.org>
Date: Mon, 29 Sep 2014 12:00:51 -0700

Santosh,

I believe that text is there because Microsoft has been advocating the use of EKUs in intermediate certificates to limit their scope, and they've built nested EKU checking into their chain validation code. See http://social.technet.microsoft.com/wiki/contents/articles/1760.windows-root-certificate-program-technical-requirements-version-2-0.aspx

-Rick

-----Original Message-----
From: Trans [mailto:trans-bounces@ietf.org] On Behalf Of Santosh Chokhani
Sent: Monday, September 29, 2014 11:28 AM
To: Stephen Kent; trans@ietf.org
Subject: Re: [Trans] path validation

<snip>

BTW, I am confused by what the CABF document says in Appendix B item:
"Generally Extended Key Usage will only appear within end entity certificates (as highlighted in RFC 5280 (4.2.1.12)), however, Subordinate CAs MAY include the extension to further protect relying parties until the use of the extension is consistent between Application Software Suppliers whose software is used by a substantial portion of Relying Parties worldwide"
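As an added illustration of the nested EKU checking Rick describes (example code written for this page, not code from the message, from Microsoft, or from any real chain validator), the model below intersects EKU sets from trust anchor to leaf; the certificate names and EKU sets are constructed, and treating a CA with no EKU or with anyExtendedKeyUsage as unconstrained is an assumption of the model:

```python
# Added example, not code from the message or from any real validator: a
# simplified model of nested EKU chain validation. Certificates are constructed
# records holding only an EKU set; X.509 parsing and signature checks are omitted.
from dataclasses import dataclass
from typing import List, Optional

ANY_EKU = "anyExtendedKeyUsage"  # RFC 5280 4.2.1.12: imposes no restriction


@dataclass(frozen=True)
class Cert:
    name: str
    eku: Optional[frozenset] = None  # None models an absent EKU extension

    def narrows(self) -> bool:
        """True if this certificate's EKU actually restricts purposes."""
        return self.eku is not None and ANY_EKU not in self.eku


def effective_ekus(chain: List[Cert]) -> Optional[frozenset]:
    """Walk from trust anchor (chain[0]) to end entity (chain[-1]) and
    intersect every restricting EKU set. None means nothing in the path
    restricts purposes; an empty set means the chain is valid for nothing.
    Model assumption: a CA with no EKU, or with anyExtendedKeyUsage, does
    not narrow the purposes of the certificates below it."""
    allowed: Optional[frozenset] = None
    for cert in chain:
        if cert.narrows():
            allowed = cert.eku if allowed is None else allowed & cert.eku
    return allowed


def chain_valid_for(chain: List[Cert], purpose: str) -> bool:
    """Nested check: the purpose must survive every restriction in the path."""
    allowed = effective_ekus(chain)
    return allowed is None or purpose in allowed


# Constructed sample chain: the intermediate is scoped to TLS use, but the
# leaf also asserts codeSigning. Under nested checking the leaf is not usable
# for code signing, which is the scope-limiting effect the message describes.
ROOT = Cert("Example Root (constructed)")
TLS_ISSUING_CA = Cert("Example TLS Issuing CA (constructed)",
                      eku=frozenset({"serverAuth", "clientAuth"}))
LEAF = Cert("www.example.test (constructed)",
            eku=frozenset({"serverAuth", "codeSigning"}))
DEMO_CHAIN = [ROOT, TLS_ISSUING_CA, LEAF]
```

A validator that checks only the leaf's EKU would accept the same leaf for code signing; the nested walk is what makes the intermediate's scope binding.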