[cabfpub] (Eventually) requiring id-kpServerAuth for all certs in the chain?

Moudrick M. Dadashov md at ssc.lt
Thu Nov 13 20:51:01 UTC 2014

It certainly does. I understand folks looking for a programmatic 
discovery of cert types, but still curious why EKU is more appropriate 
for this than any other predefined field that raises no conflict with 


On 11/13/2014 10:40 PM, Jeremy.Rowley wrote:
> Doesn't all this ignore 5280's recommendation that "In general, this 
> extension will appear only in end entity certificates"? Ignoring this 
> might put browsers at odds with other industry groups also using PKI.
> On 11/5/2014 2:31 PM, Brian Smith wrote:
>> Gerv,
>> Please note that Ryan and I appear to be suggesting exactly the same 
>> thing. And, note that what I'm suggesting here is exactly the same 
>> argument I made for interpreting EKU in end-entity certificates 
>> earlier this year or last year: a lack of EKU is equivalent to 
>> "anyExtendedKeyUsage". This is what all (AFAICT) certificate 
>> verification code does today.
>> Gervase Markham <gerv at mozilla.org <mailto:gerv at mozilla.org>> wrote:
>>     > However, I'm assuming that for the CAs for which the BRs apply, it is
>>     > already the case that all or most of their intermediates
>>     conform to the
>>     > BRs.
>>     I would hope so. But is it programmatically detectable that they
>>     do? If
>>     so, how? "Publicly audited" is not a determinable characteristic
>>     of an
>>     intermediate.
>> Your proposal has the same issue. In both proposals, just by looking 
>> at the certificate chain, you can tell whether the intermediate is 
>> required to conform to the BRs or not. The only difference is that 
>> the way Ryan and I are suggesting already matches what Chrome (on 
>> Windows, at lesat), IE, and Firefox are already doing, whereas you 
>> are proposing that all browsers eventually (5-10 years from now?) be 
>> changed to do something new, without any protection for users until then.
>>     Also, your proposal 1) requires a re-issue of intermediates for all
>>     private PKIs, right? Because they all need to have EKUs in them?
>> If a CA certificate chains to a root for which the BRs apply, and 
>> that sub-CA doesn't want to be held to the BRs (ostensibly because 
>> they don't intend to issue SSL certificates), then they would need to 
>> have their sub-CA cert re-issued (and the old one revoked) with an 
>> EKU extension that does not include id-kp-serverAuth or 
>> anyExtendedKeyUsage, unless their certificate already has such an 
>> EKU. That is the only situation in which re-issuance would be necessary.
>> If private CAs don't issue SSL certificates, then it would be a good 
>> idea to replace their CA certificates with ones that contain an EKU 
>> that doesn't have id-kp-serverAuth or anyExtendedKeyUsage, to follow 
>> the principle of least privilege. But, they wouldn't be required to 
>> make any change, because the BRs don't apply to them, assuming that 
>> they don't chain to a trusted root. If they do chain to a trusted 
>> root then they're not private and the above paragraph applies.
>> Cheers,
>> Brian
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20141113/fd8aa2e6/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3653 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.cabforum.org/pipermail/public/attachments/20141113/fd8aa2e6/attachment-0001.p7s>

More information about the Public mailing list