[Smcwg-public] EKUs found in S/MIME ICAs

Ben Wilson bwilson at mozilla.com
Thu Nov 4 14:41:08 UTC 2021


I just posted a CCADB report here:
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/6IegfqONu7c/m/ofXETowrAgAJ


I counted 445 CA certificates with the emailProtection EKU.

S/MIME (EKU set: count of CA certificates)
emailProtection, clientAuth: 319
emailProtection: 18
clientAuth,emailProtection,AuthenticDocumentsTrust: 3
clientAuth,emailProtection,BitLocker,MS-docSigning,EFSRecovery,EFS,Smartcardlogon: 1
clientAuth,emailProtection,caExchange,keyRecoveryAgent: 9
clientAuth,emailProtection,digitalPersona: 1
clientAuth,emailProtection,EFS: 4
clientAuth,emailProtection,EFS,MS-docSigning: 1
clientAuth,emailProtection,EFS,MS-docSigning,Smartcardlogon,PIV-cardAuth,pivi-content-signing: 1
clientAuth,emailProtection,EFS,Smartcardlogon: 2
clientAuth,emailProtection,EFS,Smartcardlogon,MS-docSigning,AuthenticDocumentsTrust: 5
clientAuth,emailProtection,EFSRecovery,EFS,Smartcardlogon: 2
clientAuth,emailProtection,IPSECUser,EFS,EFSRecovery,MSkeyRecovery,enrollmentAgent,Smartcardlogon,PASSIM: 1
clientAuth,emailProtection,IPSECUser,Smartcardlogon,EFS,keyRecoveryAgent,MS-docSigning,ipsecIKE: 1
clientAuth,emailProtection,MS-docSigning: 41
clientAuth,emailProtection,MS-docSigning,AuthenticDocumentsTrust,Smartcardlogon: 1
clientAuth,emailProtection,MS-docSigning,EFS: 3
clientAuth,emailProtection,MS-docSigning,EFS,Smartcardlogon: 1
clientAuth,emailProtection,MS-docSigning,Entrust-docSigning: 1
clientAuth,emailProtection,Smartcardlogon: 4
clientAuth,emailProtection,Smartcardlogon,EFS,EFSRecovery,BitLocker: 1
emailProtection,BitLocker,EFSRecovery,EFS: 1
emailProtection,caExchange: 1
emailProtection,caExchange,keyRecoveryAgent: 10
emailProtection,clientAuth,EntrustEvent,EntrustUnknown,Smartcardlogon: 1
emailProtection,clientAuth,IPSECUser,EFS,EFSRecovery,MSkeyRecovery,enrollmentAgent,Smartcardlogon,PASSIM: 1
emailProtection,clientAuth,Smartcardlogon,EFS,EFSRecovery,BitLocker: 1
emailProtection,clientAuth,Smartcardlogon,MS-docSigning: 1
emailProtection,MS-docSigning: 3
emailProtection,MS-docSigning,AuthenticDocumentsTrust: 6
S/MIME Total: 445

On Mon, Jun 7, 2021 at 11:45 AM Corey Bonnell via Smcwg-public <smcwg-public at cabforum.org> wrote:

> Hello,
>
> To help facilitate the discussion on EKUs allowed for the various
> profiles, I downloaded all S/MIME ICAs trusted by Mozilla according to
> Censys.io and sorted the occurrence of EKUs that appear in the ICAs. I have
> filtered out ICA certificates that are revoked by CRL.
>
> E-mail Protection: 414
> TLS Web Client Authentication: 368
> http://oid-info.com/get/1.3.6.1.4.1.311.10.3.12: 82
> Microsoft Encrypted File System: 38
> http://oid-info.com/get/1.3.6.1.4.1.311.21.5: 29
> OCSP Signing: 27
> Microsoft Smartcard Login: 26
> http://oid-info.com/get/1.3.6.1.4.1.311.21.6: 26
> TLS Web Server Authentication: 20
> http://oid-info.com/get/1.2.840.113583.1.1.5: 13
> Time Stamping: 12
> http://oid-info.com/get/1.3.6.1.4.1.311.10.3.4.1: 11
> Code Signing: 9
> http://oid-info.com/get/1.3.6.1.4.1.311.20.2.1: 7
> http://oid-info.com/get/1.3.6.1.4.1.311.10.3.11: 6
> http://oid-info.com/get/1.3.6.1.4.1.311.21.19: 6
> http://oid-info.com/get/1.3.6.1.5.5.7.3.14: 4
> IPSec User: 4
> http://oid-info.com/get/1.3.6.1.4.1.311.67.1.1: 3
> http://oid-info.com/get/2.16.840.1.114027.40.3: 1
> http://oid-info.com/get/2.16.840.114027.40.4: 1
> http://oid-info.com/get/2.16.840.1.114027.40.11: 1
> ipsec Internet Key Exchange: 1
> http://oid-info.com/get/1.3.6.1.4.1.29452.1.1: 1
> http://oid-info.com/get/1.3.6.1.5.5.8.2.2: 1
> http://oid-info.com/get/2.16.840.1.101.3.6.8: 1
> http://oid-info.com/get/2.16.840.1.101.3.8.7: 1
>
> Given the wide variety of EKUs included in ICAs today, I believe it makes
> sense to be permissive for the legacy profile and allow any EKU value to
> appear alongside emailProtection. For the multi-purpose profile, we may
> want to permit document signing, client authentication, and other related
> client-centric functionality (encrypting file system, etc.) but prohibit
> EKUs that don’t fall into “end-user client machine” usages, such as
> timeStamping or codeSigning.
>
> If anyone wants to perform their own investigation, this is the Censys
> query used to generate the list of ICAs:
>
> ((validation.nss.valid: true and
> parsed.extensions.extended_key_usage.email_protection: true) AND tags.raw:
> "trusted") AND parsed.extensions.basic_constraints.is_ca: true
>
> Thanks,
>
> Corey
>
> _______________________________________________
> Smcwg-public mailing list
> Smcwg-public at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/smcwg-public
>
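The EKU bucketing Corey sketches above (any EKU beside emailProtection is fine for the legacy profile; only client-centric usages for the multi-purpose profile) can be checked mechanically against a certificate's extKeyUsage extension. The following is an added example, not code from this thread or from the CA/B Forum: a minimal DER walker for the extension value plus a classifier over it. The OID name table, the allow-set, the helper names and the sample hex values are my own assumptions and constructed inputs, not anything from the CCADB or Censys data.

```python
# Added example (not from this thread or the CA/B Forum): decode a DER extKeyUsage
# value and bucket it per Corey's proposal. OID table and allow-set are assumptions.
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.4": "emailProtection", "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning", "1.3.6.1.5.5.7.3.8": "timeStamping",
    "1.3.6.1.4.1.311.10.3.4": "EFS", "1.3.6.1.4.1.311.10.3.12": "MS-docSigning",
    "1.3.6.1.4.1.311.20.2.2": "Smartcardlogon",
}
# Client-centric EKUs tolerated beside emailProtection in the multi-purpose
# profile; anything else (timeStamping, codeSigning, unknown OIDs) is legacy-only.
MULTIPURPOSE_ALLOWED = {"emailProtection", "clientAuth", "EFS",
                        "MS-docSigning", "Smartcardlogon"}

def parse_eku(der):
    # ExtKeyUsageSyntax (RFC 5280) is SEQUENCE OF OBJECT IDENTIFIER; return dotted OIDs in order
    if der[0] != 0x30:
        raise ValueError("extKeyUsage must be a SEQUENCE")
    length, i = der[1], 2
    if length & 0x80:   # long-form length; the 7- and 9-EKU rows above need this
        n = length & 0x7F
        length, i = int.from_bytes(der[i:i + n], "big"), i + n
    end, oids = i + length, []
    while i < end:
        if der[i] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER at offset %d" % i)
        n, body = der[i + 1], der[i + 2:i + 2 + der[i + 1]]
        # first byte packs two arcs; the rest are base-128 with the high bit as "more"
        arcs = [2, body[0] - 80] if body[0] >= 80 else [body[0] // 40, body[0] % 40]
        value = 0
        for b in body[1:]:
            value = (value << 7) | (b & 0x7F)
            if not b & 0x80:
                arcs.append(value); value = 0
        oids.append(".".join(map(str, arcs)))
        i += 2 + n
    return oids

def classify(der):
    # 'not-smime', 'multi-purpose' or 'legacy-only' for one extKeyUsage value
    names = {EKU_NAMES.get(o, o) for o in parse_eku(der)}  # unknown OIDs stay dotted
    if "emailProtection" not in names:
        return "not-smime"
    return "multi-purpose" if names <= MULTIPURPOSE_ALLOWED else "legacy-only"

# Constructed extKeyUsage values (hex, as a cert dump shows them): two EKU sets
# from Ben's table and one that also carries timeStamping.
SAMPLES = {
    "emailProtection,clientAuth": "3014 06082b06010505070304 06082b06010505070302",
    "clientAuth,emailProtection,MS-docSigning,Smartcardlogon":
        "302c 06082b06010505070302 06082b06010505070304"
        " 060a2b0601040182370a030c 060a2b060104018237140202",
    "emailProtection,clientAuth,timeStamping":
        "301e 06082b06010505070304 06082b06010505070302 06082b06010505070308",
}
RESULTS = {label: classify(bytes.fromhex(h)) for label, h in SAMPLES.items()}
```

Unknown OIDs (the Entrust and Adobe arcs in Corey's list, for instance) are kept in dotted form and push the ICA into the legacy bucket, which is the conservative reading of "any EKU value alongside emailProtection".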