<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Hello,<div class=""><br class=""></div><div class="">I may have missed something, but since the anyExtendedKeyUsage really means "any usage", it explicitly covers the id-kp-serverAuth usage.</div><div class="">Then, how could an anyExtendedKeyUsage certificate not be in scope right now?</div><div class=""><br class=""></div><div class="">A certificate with no EKU extension being considered in-scope or not is an open question.</div><div class=""><br class=""><div class="">
<div class="">Cordialement,</div><div class="">Erwann Abalea</div><div class=""><br class=""></div><br class="Apple-interchange-newline">

</div>
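<div class="">As an added example (not part of this thread or of any poster's message), the scope rule from the proposal quoted below and the intermediate "superset" behaviour Ryan describes, written in Python with only the standard library. The extKeyUsage value is parsed directly from its DER encoding (SEQUENCE OF OBJECT IDENTIFIER), the two OIDs and the June 30, 2016 cut-off come from the proposal text, the sample DER bytes are constructed for this example, and <code>chain_permits_server_auth</code> is an assumed rendering of the library behaviour described in the thread, not any particular validator's code.</div>

```python
"""Scope check for the proposed BR Section 1.1 rule and the EKU chaining
behaviour discussed in the thread. Added example; not code from the thread."""
from datetime import date
from typing import FrozenSet, List, Optional

# OIDs named in the proposal text.
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"
# Second-phase effective date from the proposal.
PHASE_TWO = date(2016, 6, 30)
# Two evaluation days used below: one before the cut-off, one on it.
EXAMPLE_DAY_BEFORE = date(2016, 1, 21)
EXAMPLE_DAY_AFTER = date(2016, 6, 30)


def decode_oid(content: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    arcs: List[int] = []
    value = 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # last octet of this base-128 arc
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID arc")
    first = arcs[0]               # first two arcs are packed into one value
    if first < 40:
        head = [0, first]
    elif first < 80:
        head = [1, first - 40]
    else:
        head = [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value triple at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:             # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_eku(der: bytes) -> FrozenSet[str]:
    """Parse an extKeyUsage extension value (SEQUENCE OF OBJECT IDENTIFIER)."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("extKeyUsage value must be a SEQUENCE")
    if end != len(der):
        raise ValueError("trailing bytes after SEQUENCE")
    oids = []
    pos = 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside extKeyUsage")
        oids.append(decode_oid(content))
    if not oids:
        raise ValueError("extKeyUsage must list at least one purpose")
    return frozenset(oids)


def in_scope(eku: Optional[FrozenSet[str]], today: date) -> bool:
    """Apply the proposed Section 1.1 text. eku is None when the extension is absent.
    Before PHASE_TWO only certificates listing id-kp-serverAuth are in scope; from
    PHASE_TWO on, a missing extension or anyExtendedKeyUsage also brings one in."""
    if eku is not None and ID_KP_SERVER_AUTH in eku:
        return True
    if today >= PHASE_TWO:
        return eku is None or ANY_EXTENDED_KEY_USAGE in eku
    return False


def chain_permits_server_auth(leaf_eku, ca_ekus) -> bool:
    """Assumed rendering of the 'superset' behaviour: every CA certificate in the
    chain must permit the leaf's serverAuth use. A CA certificate with no
    extKeyUsage or with anyExtendedKeyUsage is treated as permitting it."""
    def permits(eku):
        return eku is None or ID_KP_SERVER_AUTH in eku or ANY_EXTENDED_KEY_USAGE in eku
    return permits(leaf_eku) and all(permits(e) for e in ca_ekus)


# Constructed sample extension values (DER, hex) for the cases in the proposal.
SERVER_AND_CLIENT_AUTH_DER = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")
ANY_EKU_DER = bytes.fromhex("3006" "0604551d2500")
CODE_SIGNING_DER = bytes.fromhex("300a" "06082b06010505070303")


def classify_samples(today: date) -> dict:
    """Run the scope rule over the constructed samples plus the absent-EKU case."""
    return {
        "serverAuth+clientAuth": in_scope(parse_eku(SERVER_AND_CLIENT_AUTH_DER), today),
        "anyEKU": in_scope(parse_eku(ANY_EKU_DER), today),
        "codeSigning": in_scope(parse_eku(CODE_SIGNING_DER), today),
        "no EKU": in_scope(None, today),
    }


if __name__ == "__main__":
    for day in (EXAMPLE_DAY_BEFORE, EXAMPLE_DAY_AFTER):
        print(day, classify_samples(day))
```

<div class="">Running the script shows the gap the question above points at: an anyExtendedKeyUsage certificate is reported out of scope on January 21, 2016 and in scope on June 30, 2016, while the chain check treats the same anyEKU intermediate as permitting serverAuth on both days.</div>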
<br class=""><div><blockquote type="cite" class=""><div class="">Le 20 janv. 2016 à 20:37, Jeremy Rowley <<a href="mailto:jeremy.rowley@digicert.com" class="">jeremy.rowley@digicert.com</a>> a écrit :</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><meta name="Generator" content="Microsoft Word 15 (filtered medium)" class=""><style class=""><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri",sans-serif;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:1408109458;
        mso-list-type:hybrid;
        mso-list-template-ids:-1786090838 67698705 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
        {mso-level-text:"%1\)";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level2
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level3
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l0:level4
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level5
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level6
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l0:level7
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level8
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level9
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l1
        {mso-list-id:1695573566;
        mso-list-type:hybrid;
        mso-list-template-ids:1951679782 67698705 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l1:level1
        {mso-level-text:"%1\)";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level2
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level3
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l1:level4
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level5
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level6
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l1:level7
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level8
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level9
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--><div lang="EN-US" link="blue" vlink="purple" class=""><div class="WordSection1"><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D" class="">To move this discussion forward (and resurrect my old proposal), I’d like to have a ballot that defines the scope of the BRs as follows:<o:p class=""></o:p></span></p><p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l1 level1 lfo2"><!--[if !supportLists]--><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D" class=""><span style="mso-list:Ignore" class="">1)<span style="font:7.0pt "Times New Roman"" class="">      </span></span></span><!--[endif]--><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D" class="">Effectively immediately, any certificate chaining to a publicly trusted root containing the serverAuth EKU is considered in scope<o:p class=""></o:p></span></p><p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l1 level1 lfo2"><!--[if !supportLists]--><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D" class=""><span style="mso-list:Ignore" class="">2)<span style="font:7.0pt "Times New Roman"" class="">      </span></span></span><!--[endif]--><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D" class="">Effective Jun 30, 2016, any certificate containing either no EKU or any EKU is in scope. <o:p class=""></o:p></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D" class=""> </span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D" class="">The language change would be to Section 1.1:<o:p class=""></o:p></span></p><p class="MsoNormal">These Requirements <u class="">apply to all Certificates that include id_kp_serverAuth (1.3.6.1.5.5.7.3.1) in the extended key usage extension. 
Effective June 30, 2016, these Requirements apply to all Certificates that either omit the extended key usage extension or include either id_kp_serverAuth (1.3.6.1.5.5.7.3.1) or anyExtendedKeyUsage (2.5.29.37.0) in the extended key usage extension. <s class="">containing an extended</s></u><s class="">only address Certificates intended to be used for authenticating servers accessible through the Internet</s>. <span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D" class=""><o:p class=""></o:p></span></p><p class="MsoNormal"><a name="_MailEndCompose" class=""><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D" class=""> </span></a></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D" class="">Thoughts?<o:p class=""></o:p></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D" class=""> </span></p><p class="MsoNormal"><b class=""><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class="">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" class=""> Ryan Sleevi [<a href="mailto:sleevi@google.com" class="">mailto:sleevi@google.com</a>] <br class=""><b class="">Sent:</b> Monday, January 18, 2016 1:00 PM<br class=""><b class="">To:</b> Jeremy Rowley<br class=""><b class="">Cc:</b> Rick Andrews; Peter Bowen; Doug Beattie; <a href="mailto:public@cabforum.org" class="">public@cabforum.org</a><br class=""><b class="">Subject:</b> Re: [cabfpub] Misissuance of certificates<o:p class=""></o:p></span></p><p class="MsoNormal"><o:p class=""> </o:p></p><div class=""><p class="MsoNormal"><o:p class=""> </o:p></p><div class=""><p class="MsoNormal"><o:p class=""> </o:p></p><div class=""><p class="MsoNormal">On Mon, Jan 18, 2016 at 11:53 AM, Jeremy Rowley <<a href="mailto:jeremy.rowley@digicert.com" target="_blank" class="">jeremy.rowley@digicert.com</a>> wrote:<o:p class=""></o:p></p><blockquote 
style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in" class=""><div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D" class="">I don’t recall that as being the case.  I think the discussion stalled because certain national programs used the anyEKU and their national policies conflicted with the BRs.  I know we all agreed serverAuth ought to be included.  The question was on no EKU and anyEKU as they are both technically server certs. </span><o:p class=""></o:p></p></div></blockquote><div class=""><p class="MsoNormal"><o:p class=""> </o:p></p></div><div class=""><p class="MsoNormal">Isn't that what I said? ;)<o:p class=""></o:p></p></div><div class=""><p class="MsoNormal"><o:p class=""> </o:p></p></div><div class=""><p class="MsoNormal">no EKU and anyEKU are both accepted by all browsers as being valid for issuance.<o:p class=""></o:p></p></div><div class=""><p class="MsoNormal">There were some CAs who, as you note, in collaboration with certain national PKI projects, had issued a number of such intermediate certificates, but wished to exclude them from BR compliance.<o:p class=""></o:p></p></div><div class=""><p class="MsoNormal"><o:p class=""> </o:p></p></div><div class=""><p class="MsoNormal">And that's where and how we stalled - CAs that were capable of issuing certificates trusted for TLS authentication wished to be out of scope of issuance.<o:p class=""></o:p></p></div><div class=""><p class="MsoNormal"><o:p class=""> </o:p></p></div><div class=""><p class="MsoNormal">There was the suggestion of who should bear that cost - either the CAs doing this, which would need to either stop participating in such programs or reissue intermediates, or browsers, with the proposal being that all new software only accept serverAuth EKUs. 
There were, unsurprisingly, also objections about whether the EKUs should chain - that is, in RFC 5280, they apply to the leaf certificate, but as implemented by many libraries, the intermediate's EKU set is expected to be a superset of the leaf EKU set.<o:p class=""></o:p></p></div><div class=""><p class="MsoNormal"><o:p class=""> </o:p></p></div><div class=""><p class="MsoNormal">This discussion reached an impasse because neither party was really willing to budge. In response, both Mozilla and Microsoft implemented root program requirements that made this clear, with Mozilla's policy language being very explicit that anything that can technically cause issuance needs to be in scope of a BR audit, or be technically restricted from such issuance.<o:p class=""></o:p></p></div><div class=""><p class="MsoNormal"><o:p class=""> </o:p></p></div><div class=""><p class="MsoNormal">So now we're having this conversation again, but with clearer policies as to what browsers expect. Does that make these national policies go away? No. But it sets out the expectation of what constitutes publicly trusted, and therefore what constitutes the scope of needing BR audits.<o:p class=""></o:p></p></div></div><p class="MsoNormal"><o:p class=""> </o:p></p></div></div></div></div>_______________________________________________<br class="">Public mailing list<br class=""><a href="mailto:Public@cabforum.org" class="">Public@cabforum.org</a><br class="">https://cabforum.org/mailman/listinfo/public<br class=""></div></blockquote></div><br class=""></div></body></html>