[cabfpub] (Eventually) requiring id-kpServerAuth for all certs in the chain?

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Wed Nov 5 17:28:45 UTC 2014

Gerv, I'm slow on this argument, but I'm trying to figure out why markers in intermediates are important.  

Under the current scheme, it seems the trusted status of the root is what's important, not the status of intermediates.  CAs must get WebTrust/ETSI audits covering their operations from those roots to be trusted and included in the browser root store.  The audits are supposed to cover all (SSL) operations from that root.  Ultimately, it's a binary yes/no decision on whether to keep the root in the root store based on audit results, plus compliance with other root program requirements.  I suppose rogue intermediates from the roots can also be explicitly untrusted by browsers if needed.

What are the objectives of the proposals to put markers (EKUs or OIDs) in intermediates?  Is it not possible to meet those objectives using the current system of trusted root / audit of all (SSL) operations from that root?

Just curious.

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham
Sent: Monday, November 03, 2014 11:46 AM
Subject: [cabfpub] (Eventually) requiring id-kpServerAuth for all certs in the chain?

Hi everyone,

I wonder if the BRs should say that all non-root certs in a chain issued for SSL server use, which were issued after <date>, should have EKU id-kpServerAuth in them. Date would be, say, six months from now.

This is primarily aimed at intermediates; EE certs all currently have this anyway. It would mean that, over time (years) as intermediates got replaced, we could eventually move to a position where it was entirely clear what certs were intended for Web PKI SSL use and what certs were not.

Currently, any intermediate in the world issued by a publicly-trusted root can issue for SSL, even those intermediates which are not intended for such use. This leads to numerous problems, including the question of whether such intermediates need to be covered by a BR audit. Once this change had filtered through, it would be clear - they would not be.

AIUI, EKU "chaining" (i.e. requiring an EKU to be present all the way up the chain) is not standard, but is implemented in NSS and elsewhere.

I know this is a thing which only pays off in the long term, but I still think it's worth it. Does this make any sense, or have I missed something obvious? :-)
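Added example, not part of this thread or of any CA/browser code: a Python model of the rule Gerv proposes (every non-root cert issued after a cutoff date must carry id-kpServerAuth) combined with the NSS-style EKU chaining he mentions (an intermediate that has an EKU extension must include id-kpServerAuth, while a pre-cutoff intermediate with no EKU extension stays unrestricted). The certificate model, the sample chains and the cutoff date of 2015-05-01 are all constructed for illustration; the code does no real X.509 parsing or signature checking, and the two OIDs are the standard id-kp-serverAuth and id-kp-emailProtection values from RFC 5280.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple

# Standard extended-key-usage OIDs (RFC 5280 section 4.2.1.12).
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"       # id-kp-serverAuth
ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"  # id-kp-emailProtection

# Assumed cutoff: "six months from now" relative to the November 2014 post.
CUTOFF = date(2015, 5, 1)


@dataclass(frozen=True)
class Cert:
    """Simplified, hypothetical certificate: only the fields the rule looks at."""
    subject: str
    issuer: str
    not_before: date
    is_root: bool = False
    eku: Optional[FrozenSet[str]] = None  # None = no EKU extension present at all


def check_server_auth_chain(chain: List[Cert], cutoff: date = CUTOFF) -> Tuple[bool, List[str]]:
    """Return (ok, problems) for a chain ordered leaf -> intermediates -> root.

    Rule A (the proposal): a non-root cert with not_before >= cutoff must
           carry id-kpServerAuth in its EKU extension.
    Rule B (EKU chaining, NSS-style): a non-root cert that has an EKU
           extension must include id-kpServerAuth; a missing extension on a
           pre-cutoff cert is treated as unrestricted, as in RFC 5280.
    Roots are exempt, matching "all non-root certs" in the proposal.
    """
    problems: List[str] = []

    # Structural sanity: each cert must name the next one as its issuer,
    # and the chain must terminate in a trust anchor.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            problems.append(f"{child.subject}: issuer '{child.issuer}' "
                            f"does not match next cert '{parent.subject}'")
    if not chain or not chain[-1].is_root:
        problems.append("chain does not end in a trust-anchor (root) certificate")

    for cert in chain:
        if cert.is_root:
            continue
        if cert.eku is None:
            if cert.not_before >= cutoff:  # Rule A
                problems.append(f"{cert.subject}: issued {cert.not_before} "
                                f"(on/after cutoff {cutoff}) without EKU id-kpServerAuth")
        elif ID_KP_SERVER_AUTH not in cert.eku:  # Rule B
            problems.append(f"{cert.subject}: EKU extension present but lacks id-kpServerAuth")

    return (not problems, problems)


# --- Constructed sample certificates (not real issuers) ---------------------
ROOT = Cert("Example Root CA", "Example Root CA", date(2010, 1, 1), is_root=True)
INT_NEW_OK = Cert("Example SSL CA 2015", "Example Root CA", date(2015, 6, 1),
                  eku=frozenset({ID_KP_SERVER_AUTH}))
INT_LEGACY = Cert("Example CA 2013", "Example Root CA", date(2013, 1, 1))       # no EKU, pre-cutoff
INT_NEW_NO_EKU = Cert("Example CA 2015", "Example Root CA", date(2015, 6, 1))   # no EKU, post-cutoff
INT_EMAIL = Cert("Example S/MIME CA", "Example Root CA", date(2015, 6, 1),
                 eku=frozenset({ID_KP_EMAIL_PROTECTION}))


def leaf(issuer: str) -> Cert:
    """End-entity cert; EE certs already carry id-kpServerAuth, as the post notes."""
    return Cert("www.example.test", issuer, date(2015, 6, 1), eku=frozenset({ID_KP_SERVER_AUTH}))


def example_results():
    chains = {
        "new intermediate with serverAuth": [leaf("Example SSL CA 2015"), INT_NEW_OK, ROOT],
        "legacy intermediate without EKU": [leaf("Example CA 2013"), INT_LEGACY, ROOT],
        "new intermediate without EKU": [leaf("Example CA 2015"), INT_NEW_NO_EKU, ROOT],
        "S/MIME intermediate": [leaf("Example S/MIME CA"), INT_EMAIL, ROOT],
    }
    return {name: check_server_auth_chain(chain) for name, chain in chains.items()}


if __name__ == "__main__":
    for name, (ok, problems) in example_results().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
        for p in problems:
            print("      -", p)
```

The "legacy intermediate" case is the transition period the post describes: an old intermediate with no EKU still validates until it is replaced, while any intermediate minted after the cutoff without id-kpServerAuth, and any intermediate scoped to another purpose such as S/MIME, is rejected for server use.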
