<div dir="ltr">Jeremy,<div><br></div><div>that language is hardly normative, nor are there normative restrictions on it, nor would it adversely affect the algorithm of RFC 5280 Section 6 (and indeed, if someone was enforcing that CAs not have the EKU, they'd be violating Section 6.1 para3)</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">While the algorithm could be extended to include checks for<br>conformance to the profiles in Sections 4 and 5, this profile<br>RECOMMENDS against including such checks.</blockquote><div><br></div><div>So I'm not sure I fully understand your concern.</div><div> </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Nov 13, 2014 at 12:40 PM, Jeremy.Rowley <span dir="ltr"><<a href="mailto:jeremy.rowley@digicert.com" target="_blank">jeremy.rowley@digicert.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
Doesn't all this ignore 5280's recommendation that "In general, this
extension will appear only in end entity certificates"? Ignoring
this might put browsers at odds with other industry groups also
using PKI.<div><div class="h5"><br>
<br>
<br>
<br>
<div>On 11/5/2014 2:31 PM, Brian Smith
wrote:<br>
</div>
</div></div><blockquote type="cite"><div><div class="h5">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">Gerv,</div>
<div class="gmail_quote"><br>
</div>
<div class="gmail_quote">
<div>Please note that Ryan and I appear to be suggesting
exactly the same thing. And, note that what I'm suggesting
here is exactly the same argument I made for interpreting
EKU in end-entity certificates earlier this year or last
year: a lack of EKU is equivalent to
"anyExtendedKeyUsage". This is what all (AFAICT)
certificate verification code does today.</div>
<div><br>
</div>
</div>
<div class="gmail_quote">Gervase Markham <span dir="ltr"><<a href="mailto:gerv@mozilla.org" target="_blank">gerv@mozilla.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span>> However, I'm assuming that for the CAs for
which the BRs apply, it is<br>
> already the case that all or most of their
intermediates conform to the<br>
> BRs.<br>
<br>
</span>I would hope so. But is it programmatically
detectable that they do? If<br>
so, how? "Publicly audited" is not a determinable
characteristic of an<br>
intermediate.<br>
</blockquote>
<div><br>
</div>
<div>Your proposal has the same issue. In both proposals,
just by looking at the certificate chain, you can tell
whether the intermediate is required to conform to the BRs
or not. The only difference is that the way Ryan and I are
suggesting already matches what Chrome (on Windows, at
lesat), IE, and Firefox are already doing, whereas you are
proposing that all browsers eventually (5-10 years from
now?) be changed to do something new, without any
protection for users until then.</div>
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Also,
your proposal 1) requires a re-issue of intermediates for
all<br>
private PKIs, right? Because they all need to have EKUs in
them?<br>
</blockquote>
<div><br>
</div>
<div>If a CA certificate chains to a root for which the BRs
apply, and that sub-CA doesn't want to be held to the BRs
(ostensibly because they don't intend to issue SSL
certificates), then they would need to have their sub-CA
cert re-issued (and the old one revoked) with an EKU
extension that does not include id-kp-serverAuth or
anyExtendedKeyUsage, unless their certificate already has
such an EKU. That is the only situation in which
re-issuance would be necessary.</div>
<div><br>
</div>
<div>If private CAs don't issue SSL certificates, then it
would be a good idea to replace their CA certificates with
ones that contain an EKU that doesn't have
id-kp-serverAuth or anyExtendedKeyUsage, to follow the
principle of least privilege. But, they wouldn't be
required to make any change, because the BRs don't apply
to them, assuming that they don't chain to a trusted root.
If they do chain to a trusted root then they're not
private and the above paragraph applies.</div>
<div><br>
</div>
<div>Cheers,<br>
</div>
<div>Brian</div>
<div><br>
</div>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div></div><span class=""><pre>_______________________________________________
Public mailing list
<a href="mailto:Public@cabforum.org" target="_blank">Public@cabforum.org</a>
<a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a>
</pre>
</span></blockquote>
<br>
</div>
<br>_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><br>
<br></blockquote></div><br></div>