[cabfpub] cablint's view of "in scope" for the BRs

Peter Bowen pzb at amzn.com
Sat Nov 5 00:43:11 UTC 2016


I’ve had several people ask me how cabling decides if a certificate is in scope for its Baseline Requirements checks.

In all cases, cablint only looks at the certificate presented, not the issuer, and possible chains, trust anchor info, or revocation data.  So a server auth certificate issued by a CA that is only trusted for code signing will still have BR checks applied.

To determine if BR checks should be run, cablint first looks for an Extended Key Usage (EKU) extension.  If it finds the EKU extension, and the EKU extension has at least one key purpose, it considers the cert to need BR checks if it contains one or more of the following key purposes:
- TLS Web Server Authentication
- Netscape Server Gated Crypto
- Microsoft Server Gated Crypto
- Any Extended Key Usage

If there is no EKU extension, or the extension has no key purposes, then it looks for the Key Usage (KU) extension.  If the KU extension is present, it will consider the cert to need BR checks if one of the following is true:
- The subject public key is a RSA key and the the key usage includes at least one of Digital Signature or Key Encipherment
- The subject public key is a DSA key and the the key usage includes Digital Signature
- The subject public key is a EC key and the key usage includes at least one of Digital Signature and Key Agreement

Right now certificates without either an EKU or KU extension are not in scope.  Further, the ancient and deprecated nsCertType extension is not used.

Do any implementations allow certs without either EKU or KU to be used for server auth?  Are there other conditions not listed above in which known libraries will accept a cert for server auth?

Thanks,
Peter


More information about the Public mailing list