Re: Absent keyUsage in certificates
"David A. Cooper" <david.cooper@nist.gov> Fri, 10 June 2005 16:05 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA04168 for <pkix-archive@lists.ietf.org>; Fri, 10 Jun 2005 12:05:27 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j5AFCf5N019917; Fri, 10 Jun 2005 08:12:41 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j5AFCeLj019916; Fri, 10 Jun 2005 08:12:40 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp.nist.gov (rimp1.nist.gov [129.6.16.226]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j5AFCeF9019907 for <ietf-pkix@imc.org>; Fri, 10 Jun 2005 08:12:40 -0700 (PDT) (envelope-from david.cooper@nist.gov)
Received: from postmark.nist.gov (pullyou.nist.gov [129.6.16.93]) by smtp.nist.gov (8.13.1/8.13.1) with ESMTP id j5AFCZ5Q005721 for <ietf-pkix@imc.org>; Fri, 10 Jun 2005 11:12:36 -0400
Received: from [129.6.54.72] (st26.ncsl.nist.gov [129.6.54.72]) by postmark.nist.gov (8.12.5/8.12.5) with ESMTP id j5AFBW6u025506 for <ietf-pkix@imc.org>; Fri, 10 Jun 2005 11:11:32 -0400 (EDT)
Message-ID: <42A9ADAC.2000000@nist.gov>
Date: Fri, 10 Jun 2005 11:11:40 -0400
From: "David A. Cooper" <david.cooper@nist.gov>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.2) Gecko/20040804
X-Accept-Language: en-us, en
MIME-Version: 1.0
CC: pkix <ietf-pkix@imc.org>
Subject: Re: Absent keyUsage in certificates
References: <BF9309599A71984CAC5BAC5ECA62994402948D74@EUR-MSG-11.europe.corp.microsoft.com>
In-Reply-To: <BF9309599A71984CAC5BAC5ECA62994402948D74@EUR-MSG-11.europe.corp.microsoft.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-NIST-MailScanner: Found to be clean
X-NIST-MailScanner-From: david.cooper@nist.gov
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit
I agree as well. I think this proposal has several problems. First, the text states "if a CA forgets to add keyUsage, the certificate usage fails ...." A more accurate statement would be that if the keyUsage extension is absent from the certificate, then no restrictions are imposed on the use of the subject public key except.... We cannot say that the absence of a keyUsage extension equates to "a CA forgets to add keyUsage" and the absence of keyUsage is not a failure. The problem with making a statement about the absence of keyUsage is the "except ...." There are a number of things other than keyUsage that could limit the acceptable uses of the subject public key: 1) If it is a version 3 certificate and the basicConstraints extension is absent or is present with cA=FALSE, then the subject public key cannot be used to verify signatures on certificates. If it is a version 1 or 2 certificate, the subject public key cannot be used to verify signatures on certificates unless it can be verified through out-of-band means that the certificate is a CA certificate. 2) A path length constraint imposed by a certificate earlier in the path may prevent use of the subject public key for verify signatures on certificates. 3) The subject public key cannot be used to verify signatures on CRLs (or at least CRLs that will actually be used to determine the status of a certificate) unless the subject has been authorized to issue CRLs either because the subject is a CA and the CRLs cover its own certificates or the subject is issuing indirect CRLs and has been delegated that authority through the cRLIssuer field in a certificate (section 6.3.3, step (b)(1)). [Note that there is no requirement for the basicConstraints extension to be present to use the key to verify signatures on CRLs.] 4) The use of the subject public key may be limited by the certificatePolicies or extended key usage extensions. 5) The certificate could include a private extension that limits the use of the subject public key. If the keyUsage extension is absent, then it can be used for any purpose, even for verifying signatures on certificates and CRLs, unless that usage is restricted by some other means as described above. Section 4.2.1.12 of 3280bis states "If the [extended key usage] extension is present, then the certificate MUST only be used for one of the purposes indicated." There is already text for keyUsage that implies that the absence of the extension means no restrictions: The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate. The usage restriction might be employed when a key that could be used for more than one operation is to be restricted. This implies that the keyUsage extension only needs to be present if there is a desire to restrict the use of the key and so the absence of the extension means the absence of restrictions. Would people prefer for section 4.2.1.3 (Key Usage) to use language closer to the language for extended key usage? Dave P.S. Since I have never seen any suggestion of any attempt to add new bits to the keyUsage extension, I don't think we need to include a warning related to that possibility. Besides, I would assume that a CA that does not include keyUsage really does not intend to limit the usage of the key (unless extended key usage or a similar extension were included). I don't think one would leave keyUsage out of the extension with the intention being to restrict the usage to the nine usages currently specified in the keyUsage extension. Stefan Santesson wrote: >Peter, > >I don't like this text based on principles. > >An absent extension by itself does not provide any specific information >at all. > >An absent extension only means that this information, constraints, >guidance is not present. > >In order for any thing "absent" to have a meaning, there must be a >default definition and in a way I could agree that the default usage for >a cert is unrestricted. But then again, there are so many other ways to >restrict the usage, that it is impossible to generally assume a default >state just considering an absent key usage extension. > >There is also difference in what we require a CA to set and what a >client should accept. Just because a compliant CA must set the cert >signing key in a CA cert does not mean that my clients can't accept a CA >cert that has an absent key usage extension (e.g. accepting a V1 CA >cert). > > > Peter Gutmann wrote: >Sam Roberts <sroberts@certicom.com> writes: > > > >>Also, as you well know, the MUST clauses for certificate generation in PKIX >>are already widely ignored or misintepreted, and we have to deal with those >>certs anyhow. Adding more generation MUST clauses won't help us. >> >> > >Yeah, fair enough. > > > >>Adding text in PKIX that more clearly explains what the bits are for, and >>what it means for the extension to not be present might be helpful. >> >> > >Hmm, I think there should then at least be a note in the security requirements >about the default allow-all behaviour of keyUsage, e.g.: > > If no keyUsage extension is specified, the certificate is assumed to be > valid for any usage except certificate and CRL signing. In other words if a > CA forgets to add the keyUsage, the certificate usage fails open rather than > failing closed. In addition, new and unexpected usages may appear if > additional keyUsage bits are defined after the certificate (with its allow- > all default) is issued. > >That at least warns users/CAs of the consequences of the default allow-all >behaviour. > >Peter. >
- Absent keyUsage in certificates Peter Gutmann
- Re: Absent keyUsage in certificates Sam Roberts
- Re: Absent keyUsage in certificates Peter Gutmann
- RE: Absent keyUsage in certificates David Cross
- RE: Absent keyUsage in certificates Stefan Santesson
- RE: Absent keyUsage in certificates Peter Gutmann
- RE: Absent keyUsage in certificates Stefan Santesson
- Re: Absent keyUsage in certificates David A. Cooper
- Re: Absent keyUsage in certificates Sam Roberts
- Re: Absent keyUsage in certificates Steve Hanna
- RE: Absent keyUsage in certificates David Cross
- Re: Absent keyUsage in certificates Peter Gutmann
- RE: Absent keyUsage in certificates Peter Gutmann
- Re: Absent keyUsage in certificates Sam Roberts
- Re: Absent keyUsage in certificates Peter Gutmann
- RE: Absent keyUsage in certificates Stefan Santesson
- Re: Absent keyUsage in certificates David A. Cooper
- RE: Absent keyUsage in certificates Sharon Boeyen
- Re: Absent keyUsage in certificates Aram Perez
- Re: Absent keyUsage in certificates Michael Ströder