[Smcwg-public] EKUs found in S/MIME ICAs
Corey Bonnell
Corey.Bonnell at digicert.com
Mon Jun 7 17:45:40 UTC 2021
Hello,
To help facilitate the discussion on EKUs allowed for the various profiles,
I downloaded all S/MIME ICAs trusted by Mozilla according to Censys.io and
sorted the occurrence of EKUs that appear in the ICAs. I have filtered out
ICA certificates that are revoked by CRL.
E-mail Protection: 414
TLS Web Client Authentication: 368
http://oid-info.com/get/1.3.6.1.4.1.311.10.3.12: 82
Microsoft Encrypted File System: 38
http://oid-info.com/get/1.3.6.1.4.1.311.21.5: 29
OCSP Signing: 27
Microsoft Smartcard Login: 26
http://oid-info.com/get/1.3.6.1.4.1.311.21.6: 26
TLS Web Server Authentication: 20
http://oid-info.com/get/1.2.840.113583.1.1.5: 13
Time Stamping: 12
http://oid-info.com/get/1.3.6.1.4.1.311.10.3.4.1: 11
Code Signing: 9
http://oid-info.com/get/1.3.6.1.4.1.311.20.2.1: 7
http://oid-info.com/get/1.3.6.1.4.1.311.10.3.11: 6
http://oid-info.com/get/1.3.6.1.4.1.311.21.19: 6
http://oid-info.com/get/1.3.6.1.5.5.7.3.14: 4
IPSec User: 4
http://oid-info.com/get/1.3.6.1.4.1.311.67.1.1: 3
http://oid-info.com/get/2.16.840.1.114027.40.3: 1
http://oid-info.com/get/2.16.840.114027.40.4: 1
http://oid-info.com/get/2.16.840.1.114027.40.11: 1
ipsec Internet Key Exchange: 1
http://oid-info.com/get/1.3.6.1.4.1.29452.1.1: 1
http://oid-info.com/get/1.3.6.1.5.5.8.2.2: 1
http://oid-info.com/get/2.16.840.1.101.3.6.8: 1
http://oid-info.com/get/2.16.840.1.101.3.8.7: 1
Given the wide variety of EKUs included in ICAs today, I believe it makes
sense to be permissive for the legacy profile and allow any EKU value to
appear alongside emailProtection. For the multi-purpose profile, we may want
to permit document signing, client authentication, and other related
client-centric functionality (encrypting file system, etc.) but prohibit
EKUs that don't fall into "end-user client machine" usages, such as
timeStamping or codeSigning.
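The two steps behind the tally above (pull the EKU extension out of each ICA and count which usages appear alongside emailProtection) and the profile rule proposed here can be reproduced offline. The following is an added example, not code from the original post or from any CA/Browser Forum project: it decodes an ExtKeyUsageSyntax DER value (SEQUENCE OF OBJECT IDENTIFIER) by hand, tallies EKUs across a set of ICAs the way the list above does, and classifies each ICA as acceptable under the legacy profile (any EKU next to emailProtection) or the multi-purpose profile. The three ICA extension values are constructed for the example, and the multi-purpose allow-list (`MULTI_PURPOSE_ALLOWED`) is an assumption modelled on the "end-user client machine" criterion, not an agreed list. Locating the extension inside a full certificate (OID 2.5.29.37) is left to a certificate library; this block starts from the extension value.

```python
"""Tally and classify EKUs found in S/MIME ICA certificates.

Added example: the DER blobs in SAMPLE_ICAS are constructed, not
downloaded from Censys, and MULTI_PURPOSE_ALLOWED is an assumed policy.
"""
from collections import Counter

# Well-known EKU OIDs (RFC 5280 id-kp-* plus a few Microsoft arcs).
# Anything not listed here is reported as a bare dotted OID, exactly
# as the original tally does for unfamiliar usages.
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "TLS Web Server Authentication",
    "1.3.6.1.5.5.7.3.2": "TLS Web Client Authentication",
    "1.3.6.1.5.5.7.3.3": "Code Signing",
    "1.3.6.1.5.5.7.3.4": "E-mail Protection",
    "1.3.6.1.5.5.7.3.8": "Time Stamping",
    "1.3.6.1.5.5.7.3.9": "OCSP Signing",
    "1.3.6.1.4.1.311.10.3.4": "Microsoft Encrypted File System",
    "1.3.6.1.4.1.311.20.2.2": "Microsoft Smartcard Login",
}
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"

# Assumed allow-list for the multi-purpose profile: client-centric usages
# only; codeSigning, timeStamping, OCSPSigning, serverAuth are excluded.
MULTI_PURPOSE_ALLOWED = {
    EMAIL_PROTECTION,
    "1.3.6.1.5.5.7.3.2",        # clientAuth
    "1.3.6.1.4.1.311.10.3.12",  # Microsoft document signing
    "1.3.6.1.4.1.311.10.3.4",   # Encrypted File System
    "1.3.6.1.4.1.311.20.2.2",   # smartcard logon
}

# Constructed ExtKeyUsage values (DER), one per sample ICA:
#   1) emailProtection + clientAuth
#   2) emailProtection + Microsoft document signing
#   3) emailProtection + codeSigning + timeStamping
SAMPLE_ICAS = [
    bytes.fromhex("3014 0608 2b06010505070304 0608 2b06010505070302"),
    bytes.fromhex("3016 0608 2b06010505070304 060a 2b060104018237 0a030c"),
    bytes.fromhex("301e 0608 2b06010505070304 0608 2b06010505070303"
                  "0608 2b06010505070308"),
]


def _read_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, offset after it)."""
    first = buf[pos]
    if first < 0x80:                      # short form
        return first, pos + 1
    n = first & 0x7F                      # long form: n length octets follow
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _decode_oid(body):
    """Turn OBJECT IDENTIFIER content octets into dotted-decimal form."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    first = arcs[0]                       # first two arcs are packed as 40*X+Y
    arcs[:1] = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs)


def parse_eku(der):
    """Parse ExtKeyUsageSyntax ::= SEQUENCE OF OBJECT IDENTIFIER into OID strings."""
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    length, pos = _read_length(der, 1)
    end = pos + length
    oids = []
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oid_len, pos = _read_length(der, pos + 1)
        oids.append(_decode_oid(der[pos:pos + oid_len]))
        pos += oid_len
    return oids


def tally_ekus(ica_ekus):
    """Count in how many ICAs each EKU appears (each EKU once per ICA)."""
    counts = Counter()
    for oids in ica_ekus:
        for oid in set(oids):
            counts[EKU_NAMES.get(oid, oid)] += 1
    return counts


def classify(oids):
    """Which proposed profile an ICA's EKU set fits: multi-purpose, legacy-only, or not S/MIME."""
    oids = set(oids)
    if EMAIL_PROTECTION not in oids:
        return "not-smime"
    return "multi-purpose" if oids <= MULTI_PURPOSE_ALLOWED else "legacy-only"


if __name__ == "__main__":
    parsed = [parse_eku(d) for d in SAMPLE_ICAS]
    for name, n in tally_ekus(parsed).most_common():
        print(f"{name}: {n}")
    for i, oids in enumerate(parsed, 1):
        print(f"ICA {i}: {classify(oids)}")
```

Run against real data, the `parsed` list would be built from the EKU extension of each downloaded ICA after dropping those revoked by CRL, and `most_common()` reproduces the sorted tally in the post; the `classify` output is the per-ICA view of how many existing ICAs would fall outside an allow-list like the assumed one.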
If anyone wants to perform their own investigation, this is the Censys query
used to generate the list of ICAs:
((validation.nss.valid: true and
parsed.extensions.extended_key_usage.email_protection: true) AND tags.raw:
"trusted") AND parsed.extensions.basic_constraints.is_ca: true
Thanks,
Corey