[cabfpub] A conflict about EKU with PKIX

Peter Bowen pzb at amzn.com
Sun Mar 19 22:26:34 UTC 2017


> On Mar 19, 2017, at 2:58 PM, Adam Langley <agl at google.com> wrote:
> 
> On Sun, Mar 19, 2017 at 1:14 PM, Peter Bowen via Public <public at cabforum.org <mailto:public at cabforum.org>> wrote:
> I am one of the many who has raised the topic, and there has been strong consensus from both IETF and ITU-T + ISO/IEC that the inclusion of an id-ce-extKeyUsage extension in a Certificate (whether CA-certificate or end-entity certificate) constrains the usage of the public key in the certificate, not the usage of public keys certificated by the CA named in the certificate.  This runs contrary to the usage of the id-ce-extKeyUsage extension in Microsoft, OpenSSL, and Mozilla NSS, and many other certificate validation libraries.
> 
> I believe that it was Microsoft who first widely made EKU a "path property" rather than only affecting a specific certificate. I could have my history wrong, but I commend whoever it was. Having EKUs in intermediates constrain EKUs down the path is useful and less surprising—evidenced by widespread implementation practice.
> 
> Standards should codify and unify practice. In this case the standard diverges from reality without good reason, thus the standard has a flaw.
> 
> (Whether Gmail should be requiring an intermediate EKU is a separate question, but I consider appeals to the standard to be a non-argument here.)

I agree that having the ability to constrain EKUs down the path is very useful and I’ve also heard that it was Microsoft who did this first.

That being said, I am well aware there are large PKI deployments that depend on the alternative meaning.  This keeps being the sticking point when trying to propose updating the standards.

I’m all in favor of adding a new constraint type explicitly for EKU, adding a new flag to indicate that the EKU constraint is “indirect” (meaning down the path), or coming up with some other solution.  But I do think that we need to allow both the direct and indirect interpretations co-exist and not set requirements that assume one implementation or the other.

I also favor, in this specific case, supporting existing PKIs that issue identity certificates, as it seems like a very reasonable use case to be able to sign an email using my government issued ID.

Thanks,
Peter
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170319/a20ce26b/attachment-0003.html>


More information about the Public mailing list