[Servercert-wg] Discussion about single-purpose client authentication leaf certificates issued from a server TLS Issuing CA

Aaron Gable aaron at letsencrypt.org
Tue May 14 14:58:25 UTC 2024


On Tue, May 14, 2024, 02:33 Dimitris Zacharopoulos (HARICA) via
Servercert-wg <servercert-wg at cabforum.org> wrote:

> Is it ok for such an Issuing CA to create a single-purpose client
> authentication TLS Certificate, one that is structured according to RFC
> 5280 (thus can be successfully parsed by Relying Party RFC 5280-conformant
> software), contains an extKeyUsage extension which contains the
> *id-kp-clientAuth* and DOES NOT include the *id-kp-serverAuth*
> KeyPurposeId?
>

Speaking in a personal capacity, it is my opinion that no, such issuance is
not acceptable.

I agree that the resulting end-entity client-auth-only certificate is out
of scope of the BRs, and is not in and of itself misissued. However, the
issuing intermediate itself is still in scope of the BRs, and its behavior
can be contained by them. By virtue of issuing the clientAuth cert, the
issuing intermediate has violated the BRs requirement that "all
certificates that it issues MUST comply with one of the following
certificate profiles".

One could even argue that, having issued a certificate which does not
comply with a BR profile, the issuing intermediate must be revoked within 7
days, per BRs Section 4.9.1.2 (5): "The Issuing CA SHALL revoke a
Subordinate CA Certificate [if...] the Issuing CA is made aware that the...
Subordinate CA has not complied with this document".

Aaron
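
A compliance check of the kind a CA's linting or CT-monitoring pipeline could run over leaves issued by a BR-scoped intermediate, added here as an example rather than code from the thread, Let's Encrypt or HARICA. It encodes only the case the thread discusses (id-kp-clientAuth present, id-kp-serverAuth absent) and uses a constructed, self-signed test leaf in place of real issuance data; the `makeLeaf` helper and the `leaf.example.test` name are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// hasEKU reports whether the parsed EKU extension lists the given KeyPurposeId.
func hasEKU(cert *x509.Certificate, want x509.ExtKeyUsage) bool {
	for _, eku := range cert.ExtKeyUsage {
		if eku == want {
			return true
		}
	}
	return false
}

// ClientAuthOnlyLeaf applies the thread's rule: an end-entity certificate carrying
// id-kp-clientAuth without id-kp-serverAuth matches no BR leaf profile, which the
// thread treats as the issuing CA's compliance problem. CA certificates are skipped.
func ClientAuthOnlyLeaf(cert *x509.Certificate) bool {
	return !cert.IsCA && hasEKU(cert, x509.ExtKeyUsageClientAuth) &&
		!hasEKU(cert, x509.ExtKeyUsageServerAuth)
}

// makeLeaf builds a constructed, self-signed test leaf with the given EKUs,
// standing in for a leaf pulled from CT logs or the CA's issuance database.
func makeLeaf(ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "leaf.example.test"}, // constructed name
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A leaf carrying both id-kp-serverAuth and id-kp-clientAuth passes this check, since that combination is within the BR leaf profiles; only the clientAuth-only case is flagged.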
