<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal>Hello,<o:p></o:p></p><p class=MsoNormal>To help facilitate the discussion on EKUs allowed for the various profiles, I downloaded all S/MIME ICAs trusted by Mozilla according to Censys.io and sorted the occurrence of EKUs that appear in the ICAs. I have filtered out ICA certificates that are revoked by CRL.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>E-mail Protection: 414<o:p></o:p></p><p class=MsoNormal>TLS Web Client Authentication: 368<o:p></o:p></p><p class=MsoNormal><a href="http://oid-info.com/get/1.3.6.1.4.1.311.10.3.12">http://oid-info.com/get/1.3.6.1.4.1.311.10.3.12</a>: 82<o:p></o:p></p><p class=MsoNormal>Microsoft Encrypted File System: 38<o:p></o:p></p><p class=MsoNormal><a href="http://oid-info.com/get/1.3.6.1.4.1.311.21.5">http://oid-info.com/get/1.3.6.1.4.1.311.21.5</a>: 29<o:p></o:p></p><p class=MsoNormal>OCSP Signing: 27<o:p></o:p></p><p class=MsoNormal>Microsoft Smartcard Login: 26<o:p></o:p></p><p class=MsoNormal><a href="http://oid-info.com/get/1.3.6.1.4.1.311.21.6">http://oid-info.com/get/1.3.6.1.4.1.311.21.6</a>: 26<o:p></o:p></p><p class=MsoNormal>TLS Web Server Authentication: 20<o:p></o:p></p><p class=MsoNormal><a href="http://oid-info.com/get/1.2.840.113583.1.1.5">http://oid-info.com/get/1.2.840.113583.1.1.5</a>: 13<o:p></o:p></p><p class=MsoNormal>Time Stamping: 12<o:p></o:p></p><p class=MsoNormal><a href="http://oid-info.com/get/1.3.6.1.4.1.311.10.3.4.1">http://oid-info.com/get/1.3.6.1.4.1.311.10.3.4.1</a>: 11<o:p></o:p></p><p class=MsoNormal>Code Signing: 9<o:p></o:p></p><p class=MsoNormal><a href="http://oid-info.com/get/1.3.6.1.4.1.311.20.2.1">http://oid-info.com/get/1.3.6.1.4.1.311.20.2.1</a>: 7<o:p></o:p></p><p class=MsoNormal><a href="http://oid-info.com/get/1.3.6.1.4.1.311.10.3.11">http://oid-info.com/get/1.3.6.1.4.1.311.10.3.11</a>: 
6<o:p></o:p></p><p class=MsoNormal><a href="http://oid-info.com/get/1.3.6.1.4.1.311.21.19">http://oid-info.com/get/1.3.6.1.4.1.311.21.19</a>: 6<o:p></o:p></p><p class=MsoNormal><a href="http://oid-info.com/get/1.3.6.1.5.5.7.3.14">http://oid-info.com/get/1.3.6.1.5.5.7.3.14</a>: 4<o:p></o:p></p><p class=MsoNormal>IPSec User: 4<o:p></o:p></p><p class=MsoNormal><a href="http://oid-info.com/get/1.3.6.1.4.1.311.67.1.1">http://oid-info.com/get/1.3.6.1.4.1.311.67.1.1</a>: 3<o:p></o:p></p><p class=MsoNormal><a href="http://oid-info.com/get/2.16.840.1.114027.40.3">http://oid-info.com/get/2.16.840.1.114027.40.3</a>: 1<o:p></o:p></p><p class=MsoNormal><a href="http://oid-info.com/get/2.16.840.114027.40.4">http://oid-info.com/get/2.16.840.114027.40.4</a>: 1<o:p></o:p></p><p class=MsoNormal><a href="http://oid-info.com/get/2.16.840.1.114027.40.11">http://oid-info.com/get/2.16.840.1.114027.40.11</a>: 1<o:p></o:p></p><p class=MsoNormal>ipsec Internet Key Exchange: 1<o:p></o:p></p><p class=MsoNormal><a href="http://oid-info.com/get/1.3.6.1.4.1.29452.1.1">http://oid-info.com/get/1.3.6.1.4.1.29452.1.1</a>: 1<o:p></o:p></p><p class=MsoNormal><a href="http://oid-info.com/get/1.3.6.1.5.5.8.2.2">http://oid-info.com/get/1.3.6.1.5.5.8.2.2</a>: 1<o:p></o:p></p><p class=MsoNormal><a href="http://oid-info.com/get/2.16.840.1.101.3.6.8">http://oid-info.com/get/2.16.840.1.101.3.6.8</a>: 1<o:p></o:p></p><p class=MsoNormal><a href="http://oid-info.com/get/2.16.840.1.101.3.8.7">http://oid-info.com/get/2.16.840.1.101.3.8.7</a>: 1<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Given the wide variety of EKUs included in ICAs today, I believe it makes sense to be permissive for the legacy profile and allow any EKU value to appear alongside emailProtection. For the multi-purpose profile, we may want to permit document signing, client authentication, and other related client-centric functionality (encrypting file system, etc.) 
but prohibit EKUs that don’t fall into “end-user client machine” usages, such as timeStamping or codeSigning. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>If anyone wants to perform their own investigation, this is the Censys query used to generate the list of ICAs: <o:p></o:p></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>((validation.nss.valid: true and parsed.extensions.extended_key_usage.email_protection: true) AND tags.raw: "trusted") AND parsed.extensions.basic_constraints.is_ca: true<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal>Thanks,<o:p></o:p></p><p class=MsoNormal>Corey<span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>