[cabfpub] A conflict about EKU with PKIX

Adam Langley agl at google.com
Sun Mar 19 21:58:18 UTC 2017


On Sun, Mar 19, 2017 at 1:14 PM, Peter Bowen via Public <public at cabforum.org
> wrote:

> I am one of the many who has raised the topic, and there has been strong
> consensus from both IETF and ITU-T + ISO/IEC that the inclusion of an
> id-ce-extKeyUsage extension in a Certificate (whether CA-certificate or
> end-entity certificate) constrains the usage of the public key in the
> certificate, not the usage of public keys certificated by the CA named in
> the certificate.  This runs contrary to the usage of the id-ce-extKeyUsage
> extension in Microsoft, OpenSSL, and Mozilla NSS, and many other
> certificate validation libraries.


I believe that it was Microsoft who first widely made EKU a "path property"
rather than only affecting a specific certificate. I could have my history
wrong, but I commend whoever it was. Having EKUs in intermediates constrain
EKUs down the path is useful and less surprising—evidenced by widespread
implementation practice.

Standards should codify and unify practice. In this case the standard
diverges from reality without good reason, thus the standard has a flaw.

(Whether Gmail should be requiring an intermediate EKU is a separate
question, but I consider appeals to the standard to be a non-argument here.)


Cheers

AGL
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170319/9b86c669/attachment-0002.html>


More information about the Public mailing list