[cabfpub] Name Constraints, Auditing and EKU

Brown, Wendy (10421) wendy.brown at pgs.protiviti.com
Mon Apr 22 19:49:49 UTC 2013

I disagree with the statement that it is too late to try to stop the proliferation of trying to do technical constraints on CAs using EKU in violation of the intent of RFC 5280.

The FPKI is one large community of PKIs that will opt for publicly disclosed and audited rather than the technical constraints Mozilla is trying to impose because that model doesn't really work with our community and we already require audit of all subordinate CAs.


-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Rob Stradling
Sent: Monday, April 22, 2013 3:38 PM
To: Erwann Abalea
Cc: public at cabforum.org
Subject: Re: [cabfpub] Name Constraints, Auditing and EKU

On 22/04/13 15:08, Erwann Abalea wrote:
>> 12. Appendix B(2)G:
>>        "id-kp-OCSPSigning MUST be present"
>> Disagree.  The OCSP Signing trust purpose is not supposed to be 
>> passed down from the Root, and AFAIK there is no way to prevent a 
>> Subordinate CA from issuing delegated OCSP Signing Certificates!  (If 
>> you have evidence to the contrary, please say).
> I think the requirement is really a "id-kp-OCSPSigning MUST NOT be present".
> If CA A issues a certificate to CA B with id-kp-OCSPSigning in the 
> EKU, then CA B now has a valid OCSP responder for certificates issued 
> by CA A; which is certainly NOT something wanted by CA A.
> There are limits to using an extension for something it wasn't 
> designed for... I'm not a fan of "EKU constraints".

I agree that it would be preferable for the PKIX specs to match the reality, but unfortunately that isn't the case here.

Mozilla could've achieved the same "technically constrained" goal by requiring the use of the Netscape Certificate Type extension instead of Extended Key Usage, but they chose EKU because "EKU constraints" are already supported more widely.  Yes, it's arguably a violation of RFC5280, but the momentum behind "EKU constraints" is already too great for that to make any difference IMHO.

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
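As an added illustration of the point Erwann raises above (example code written for this page, not part of the thread or of any CA's tooling): a small Python audit, using the `cryptography` library, that flags a CA certificate whose Extended Key Usage carries id-kp-OCSPSigning or anyExtendedKeyUsage. The subordinate CA certificate it inspects is constructed inline, self-signed and with a hypothetical name, purely for the demonstration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

OCSP_SIGNING = ExtendedKeyUsageOID.OCSP_SIGNING  # id-kp-OCSPSigning
ANY_EKU = ExtendedKeyUsageOID.ANY_EXTENDED_KEY_USAGE  # anyExtendedKeyUsage

def eku_findings(cert):
    """Audit findings for a CA certificate's Extended Key Usage (EKU)."""
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    except x509.ExtensionNotFound:
        return ["no basicConstraints: not a CA certificate"]
    if not bc.ca:
        return ["basicConstraints cA=FALSE: not a CA certificate"]
    try:
        eku = set(cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value)
    except x509.ExtensionNotFound:
        # No EKU at all: nothing limits what this CA may issue.
        return ["no EKU: not technically constrained"]
    findings = []
    if ANY_EKU in eku:
        findings.append("anyExtendedKeyUsage present: not technically constrained")
    if OCSP_SIGNING in eku:
        # The case from the thread: the subordinate can now sign OCSP
        # responses for certificates issued by its own issuer.
        findings.append("id-kp-OCSPSigning present: subordinate is an OCSP responder for the issuer")
    return findings

def make_sub_ca(ekus=None):
    """Constructed sample (self-signed, hypothetical name) standing in for a
    subordinate CA certificate issued by a parent CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Sample Sub CA")])
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True))
    if ekus is not None:
        b = b.add_extension(x509.ExtendedKeyUsage(list(ekus)), critical=False)
    return b.sign(key, hashes.SHA256())

if __name__ == "__main__":
    for f in eku_findings(make_sub_ca([ExtendedKeyUsageOID.SERVER_AUTH, OCSP_SIGNING])):
        print(f)
```

Point `eku_findings` at a real subordinate CA certificate loaded with `x509.load_pem_x509_certificate` to run the same check on an actual hierarchy.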