<div dir="ltr">Jeremy,<div><br></div><div>that language is hardly normative, nor are there normative restrictions on it, nor would it adversely affect the algorithm of RFC 5280 Section 6 (and indeed, if someone was enforcing that CAs not have the EKU, they'd be violating Section 6.1 para3)</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">While the algorithm could be extended to include checks for<br>conformance to the profiles in Sections 4 and 5, this profile<br>RECOMMENDS against including such checks.</blockquote><div><br></div><div>So I'm not sure I fully understand your concern.</div><div> </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Nov 13, 2014 at 12:40 PM, Jeremy.Rowley <span dir="ltr"><<a href="mailto:jeremy.rowley@digicert.com" target="_blank">jeremy.rowley@digicert.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    Doesn't all this ignore 5280's recommendation that "In general, this
    extension will appear only in end entity certificates"? Ignoring
    this might put browsers at odds with other industry groups also
    using PKI.<div><div class="h5"><br>
    <br>
    <br>
    <br>
    <div>On 11/5/2014 2:31 PM, Brian Smith
      wrote:<br>
    </div>
    </div></div><blockquote type="cite"><div><div class="h5">
      
      <div dir="ltr">
        <div class="gmail_extra">
          <div class="gmail_quote">Gerv,</div>
          <div class="gmail_quote"><br>
          </div>
          <div class="gmail_quote">
            <div>Please note that Ryan and I appear to be suggesting
              exactly the same thing. And, note that what I'm suggesting
              here is exactly the same argument I made for interpreting
              EKU in end-entity certificates earlier this year or last
              year: a lack of EKU is equivalent to
              "anyExtendedKeyUsage". This is what all (AFAICT)
              certificate verification code does today.</div>
            <div><br>
            </div>
          </div>
          <div class="gmail_quote">Gervase Markham <span dir="ltr"><<a href="mailto:gerv@mozilla.org" target="_blank">gerv@mozilla.org</a>></span> wrote:<br>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span>> However, I'm assuming that for the CAs for
                which the BRs apply, it is<br>
                > already the case that all or most of their
                intermediates conform to the<br>
                > BRs.<br>
                <br>
              </span>I would hope so. But is it programmatically
              detectable that they do? If<br>
              so, how? "Publicly audited" is not a determinable
              characteristic of an<br>
              intermediate.<br>
            </blockquote>
            <div><br>
            </div>
            <div>Your proposal has the same issue. In both proposals,
              just by looking at the certificate chain, you can tell
              whether the intermediate is required to conform to the BRs
              or not. The only difference is that the way Ryan and I are
              suggesting already matches what Chrome (on Windows, at
              lesat), IE, and Firefox are already doing, whereas you are
              proposing that all browsers eventually (5-10 years from
              now?) be changed to do something new, without any
              protection for users until then.</div>
            <div><br>
            </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Also,
              your proposal 1) requires a re-issue of intermediates for
              all<br>
              private PKIs, right? Because they all need to have EKUs in
              them?<br>
            </blockquote>
            <div><br>
            </div>
            <div>If a CA certificate chains to a root for which the BRs
              apply, and that sub-CA doesn't want to be held to the BRs
              (ostensibly because they don't intend to issue SSL
              certificates), then they would need to have their sub-CA
              cert re-issued (and the old one revoked) with an EKU
              extension that does not include id-kp-serverAuth or
              anyExtendedKeyUsage, unless their certificate already has
              such an EKU. That is the only situation in which
              re-issuance would be necessary.</div>
            <div><br>
            </div>
            <div>If private CAs don't issue SSL certificates, then it
              would be a good idea to replace their CA certificates with
              ones that contain an EKU that doesn't have
              id-kp-serverAuth or anyExtendedKeyUsage, to follow the
              principle of least privilege. But, they wouldn't be
              required to make any change, because the BRs don't apply
              to them, assuming that they don't chain to a trusted root.
              If they do chain to a trusted root then they're not
              private and the above paragraph applies.</div>
            <div><br>
            </div>
            <div>Cheers,<br>
            </div>
            <div>Brian</div>
            <div><br>
            </div>
          </div>
        </div>
      </div>
      <br>
      <fieldset></fieldset>
      <br>
      </div></div><span class=""><pre>_______________________________________________
Public mailing list
<a href="mailto:Public@cabforum.org" target="_blank">Public@cabforum.org</a>
<a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a>
</pre>
    </span></blockquote>
    <br>
  </div>

<br>_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><br>
<br></blockquote></div><br></div>