[pkix] EKU for intermediate certificates

Koichi Sugimoto <koichi.sugimoto@globalsign.com> Thu, 04 February 2016 13:09 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/MHwcSWuuzezj4qHuzSmbYeGUbdI>

Hello.

I hope the following definition will be changed.

>4.2.1.12.  Extended Key Usage
>
>   This extension indicates one or more purposes for which the certified
>   public key may be used, in addition to or in place of the basic
>   purposes indicated in the key usage extension.  In general, this
>   extension will appear only in end entity certificates.


Now CABF (CA Browser Forum) specified Extended Key Usage as:

P9:
Technically Constrained Subordinate CA Certificate: A Subordinate CA certificate which uses a
combination of Extended Key Usage settings and Name Constraint settings to limit the scope within which the
Subordinate CA Certificate may issue Subscriber or additional Subordinate CA Certificates.

P34:
** Generally Extended Key Usage will only appear within end entity certificates (as highlighted in RFC 5280
(4.2.1.12)), however, Subordinate CAs MAY include the extension to further protect relying parties until the
use of the extension is consistent between Application Software Suppliers whose software is used by a
substantial portion of Relying Parties worldwide.

P38-39:
For a Subordinate CA Certificate to be considered Technically Constrained, the certificate MUST include an
Extended Key Usage (EKU) extension specifying all extended key usages that the Subordinate CA Certificate is
authorized to issue certificates for. The anyExtendedKeyUsage KeyPurposeId MUST NOT appear within this
extension.

Major browsers already support this specification; therefore, the next RFC should reflect this notation, I think.
This notation is very important because we can restrict the range of influence when end-entity certificates are
unwillingly issued by attacks, etc.


Please see below:
https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.3.2.pdf


Regards,
Koichi Sugimoto.
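Added example (not part of the post or of any CABF/IETF document): a small model of the two checks the post relies on, the CABF "technically constrained" EKU test quoted above and the chain-wide EKU restriction that lets a TLS-only subordinate CA limit the damage of a misissued leaf. Certificates are modelled as plain dicts of OID strings with constructed sample data; treating a CA's EKU set as an intersection constraint on everything below it is an assumption about relying-party behaviour, since the post does not spell out the algorithm.

```python
# Added example, not code from the original post. Certificates are constructed
# dicts: {"name": ..., "eku": [OID, ...] or None} where None means "no EKU extension".
ANY_EKU = "2.5.29.37.0"           # anyExtendedKeyUsage (RFC 5280 4.2.1.12)
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"

def is_technically_constrained_eku(ca_cert):
    """CABF BR wording quoted in the post: the sub-CA MUST carry an EKU extension and
    it MUST NOT contain anyExtendedKeyUsage. (Name Constraints are out of scope here.)"""
    eku = ca_cert.get("eku")
    return eku is not None and ANY_EKU not in eku

def effective_ekus(chain):
    """chain is ordered leaf -> sub-CA(s) -> root. Assumed relying-party rule: a CA
    without an EKU extension (or with anyExtendedKeyUsage) imposes no restriction;
    every other CA restricts the chain to its EKU set, so the allowed purposes are
    the intersection of all constraining CAs. Returns None when unrestricted."""
    allowed = None
    for ca in chain[1:]:
        eku = ca.get("eku")
        if eku is None or ANY_EKU in eku:
            continue
        allowed = set(eku) if allowed is None else allowed & set(eku)
    return allowed

def eku_permitted(chain, purpose):
    """True if the leaf asserts `purpose` (or has no EKU / anyExtendedKeyUsage)
    and no CA above it excludes that purpose."""
    leaf_eku = chain[0].get("eku")
    if leaf_eku is not None and purpose not in leaf_eku and ANY_EKU not in leaf_eku:
        return False
    allowed = effective_ekus(chain)
    return allowed is None or purpose in allowed

# Constructed sample hierarchy: a root with no EKU, a TLS-only sub-CA, one proper
# TLS leaf and one code-signing leaf that was wrongly issued under the TLS sub-CA.
ROOT = {"name": "Example Root (constructed)", "eku": None}
TLS_SUB_CA = {"name": "Example TLS Sub CA (constructed)", "eku": [SERVER_AUTH, CLIENT_AUTH]}
TLS_LEAF = {"name": "www.example.test (constructed)", "eku": [SERVER_AUTH]}
ROGUE_LEAF = {"name": "misissued signer (constructed)", "eku": [CODE_SIGNING]}

if __name__ == "__main__":
    print("sub-CA technically constrained:", is_technically_constrained_eku(TLS_SUB_CA))
    print("TLS leaf for serverAuth:", eku_permitted([TLS_LEAF, TLS_SUB_CA, ROOT], SERVER_AUTH))
    print("rogue leaf for codeSigning:", eku_permitted([ROGUE_LEAF, TLS_SUB_CA, ROOT], CODE_SIGNING))
```

The rogue leaf is syntactically valid and correctly signed, yet the EKU on the sub-CA alone is enough for a client applying this rule to refuse it for code signing, which is the "range of influence" restriction the post argues for.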