[cabfpub] Name Constraints, Auditing and EKU
Erwann Abalea
erwann.abalea at keynectis.com
Mon Apr 22 14:08:48 UTC 2013
Le 22/04/2013 12:12, Rob Stradling a écrit :
> On 27/03/13 13:49, Steve Roylance wrote:
> <snip>
>> I'm looking for a couple of volunteers to whip this into shape. Any takers?
> Hi Steve. As requested, here are some comments on your proposal...
[...]
> 12. Appendix B(2)G:
> "id-kp-OCSPSigning MUST be present"
>
> Disagree. The OCSP Signing trust purpose is not supposed to be passed
> down from the Root, and AFAIK there is no way to prevent a Subordinate
> CA from issuing delegated OCSP Signing Certificates! (If you have
> evidence to the contrary, please say).
I think the requirement is really a "id-kp-OCSPSigning MUST NOT be present".
If CA A issues a certificate to CA B with id-kp-OCSPSigning in the EKU,
then CA B has now a valid OCSP responder for certificates issued by CA
A; which is certainly NOT something wanted by CA A.
There are limits to using an extension for something it wasn't designed
for... I'm not a fan of "EKU constraints".
> 13. Appendix B(2)G:
> "** Extended Key Usage within Subordinate CAs is an exception to
> RFC 5280 that MAY be used to further protect relying parties until
> the Name Constraints extension is supported by Application
> Software Suppliers whose software is used by a substantial portion
> of Relying Parties worldwide."
>
> I agree that we should note that this is "an exception to RFC 5280".
> However, I don't think Mozilla have any plans to stop requiring EKU once
> Name Constraints are supported more widely, since EKU and Name
> Constraints achieve different things.
More information about the Public
mailing list