[cabfpub] Ballot 108: Clarifying the scope of the baseline requirements

Ryan Sleevi sleevi at google.com
Mon Aug 12 23:16:33 UTC 2013

This seems unlikely, given that the NSS team is (and in some aspects,
has) implemented similar behaviour to Microsoft's CryptoAPI, in that
they treat the EKU as a form of constraint over the entire chain.

This is reflected in Mozilla's current CA certificate policy relating
to "Technically Constrained" certificates, and has been an important
part of Microsoft's reduction of the threat of compromise to different
Intermediate CAs. The lack of universal application of these EKU
constraints is part of what made the Flame attack viable.


On Mon, Aug 12, 2013 at 4:12 PM, Rob Stradling <rob.stradling at comodo.com> wrote:
> On 08/08/13 09:58, Gervase Markham wrote:
>> On 07/08/13 18:59, Ryan Sleevi wrote:
>>> All we're talking about is what the cert validation library (*not* the
>>> SSL library) will do if it sees a cert with SGC EKUs, but no Server
>>> Auth / Client Auth EKUs.
>>> The cited libraries will all treat the SGC EKUs as equivalent to
>>> Server Auth in that case. As such, certs with SGC EKUs would need to
>>> be in scope, because they'd be technically possible to be used as
>>> server certs.
>> Ah, I see. Thanks for clarifying. That makes sense.
>> Are there certs out there today which have SGC EKUs and _not_ the
>> standard server EKU? What would break if NSS stopped treating the SGC
>> EKU as equivalent to a server EKU?
> Hi Gerv.  The NSS team already tried doing that.  It caused big problems
> with some widely distributed Intermediate CA Certificates.
> https://bugzilla.mozilla.org/show_bug.cgi?id=737802
> How about stopping "treating the SGC EKU as equivalent to a server EKU" for
> end-entity certs only?
>> Gerv
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
> Office Tel: +44.(0)1274.730505
> Office Fax: +44.(0)1274.730909
> www.comodo.com
> COMODO CA Limited, Registered in England No. 04058690
> Registered Office:
>   3rd Floor, 26 Office Village, Exchange Quay,
>   Trafford Road, Salford, Manchester M5 3EQ
> This e-mail and any files transmitted with it are confidential and intended
> solely for the use of the individual or entity to whom they are addressed.
> If you have received this email in error please notify the sender by
> replying to the e-mail containing this attachment. Replies to this email may
> be monitored by COMODO for operational or business reasons. Whilst every
> endeavour is taken to ensure that e-mails are free from viruses, no
> liability can be accepted and the recipient is requested to use their own
> virus checking software.

More information about the Public mailing list