[Smcwg-public] EKUs found in S/MIME ICAs

Ben Wilson bwilson at mozilla.com
Thu Nov 4 14:44:57 UTC 2021


Add 33 more that I didn't count that had the serverAuth, timeStamping,
codeSigning, and OCSP signing EKUs in them.

On Thu, Nov 4, 2021 at 8:41 AM Ben Wilson <bwilson at mozilla.com> wrote:

> I just posted a CCADB report here: https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/6IegfqONu7c/m/ofXETowrAgAJ
>
>
> I counted 445 CA certificates with the emailProtection EKU.
>
> S/MIME
> emailProtection, clientAuth 319
> emailProtection 18
> clientAuth,emailProtection,AuthenticDocumentsTrust 3
> clientAuth,emailProtection,BitLocker,MS-docSigning,EFSRecovery,EFS,Smartcardlogon 1
> clientAuth,emailProtection,caExchange,keyRecoveryAgent 9
> clientAuth,emailProtection,digitalPersona 1
> clientAuth,emailProtection,EFS 4
> clientAuth,emailProtection,EFS,MS-docSigning 1
> clientAuth,emailProtection,EFS,MS-docSigning,Smartcardlogon,PIV-cardAuth,pivi-content-signing 1
> clientAuth,emailProtection,EFS,Smartcardlogon 2
> clientAuth,emailProtection,EFS,Smartcardlogon,MS-docSigning,AuthenticDocumentsTrust 5
> clientAuth,emailProtection,EFSRecovery,EFS,Smartcardlogon 2
> clientAuth,emailProtection,IPSECUser,EFS,EFSRecovery,MSkeyRecovery,enrollmentAgent,Smartcardlogon,PASSIM 1
> clientAuth,emailProtection,IPSECUser,Smartcardlogon,EFS,keyRecoveryAgent,MS-docSigning,ipsecIKE 1
> clientAuth,emailProtection,MS-docSigning 41
> clientAuth,emailProtection,MS-docSigning,AuthenticDocumentsTrust,Smartcardlogon 1
> clientAuth,emailProtection,MS-docSigning,EFS 3
> clientAuth,emailProtection,MS-docSigning,EFS,Smartcardlogon 1
> clientAuth,emailProtection,MS-docSigning,Entrust-docSigning 1
> clientAuth,emailProtection,Smartcardlogon 4
> clientAuth,emailProtection,Smartcardlogon,EFS,EFSRecovery,BitLocker 1
> emailProtection,BitLocker,EFSRecovery,EFS 1
> emailProtection,caExchange 1
> emailProtection,caExchange,keyRecoveryAgent 10
> emailProtection,clientAuth,EntrustEvent,EntrustUnknown,Smartcardlogon 1
> emailProtection,clientAuth,IPSECUser,EFS,EFSRecovery,MSkeyRecovery,enrollmentAgent,Smartcardlogon,PASSIM 1
> emailProtection,clientAuth,Smartcardlogon,EFS,EFSRecovery,BitLocker 1
> emailProtection,clientAuth,Smartcardlogon,MS-docSigning 1
> emailProtection,MS-docSigning 3
> emailProtection,MS-docSigning,AuthenticDocumentsTrust 6
> S/MIME Total 445
>
> On Mon, Jun 7, 2021 at 11:45 AM Corey Bonnell via Smcwg-public <
> smcwg-public at cabforum.org> wrote:
>
>> Hello,
>>
>> To help facilitate the discussion on EKUs allowed for the various
>> profiles, I downloaded all S/MIME ICAs trusted by Mozilla according to
>> Censys.io and sorted the occurrence of EKUs that appear in the ICAs. I have
>> filtered out ICA certificates that are revoked by CRL.
>>
>>
>>
>> E-mail Protection: 414
>>
>> TLS Web Client Authentication: 368
>>
>> http://oid-info.com/get/1.3.6.1.4.1.311.10.3.12: 82
>>
>> Microsoft Encrypted File System: 38
>>
>> http://oid-info.com/get/1.3.6.1.4.1.311.21.5: 29
>>
>> OCSP Signing: 27
>>
>> Microsoft Smartcard Login: 26
>>
>> http://oid-info.com/get/1.3.6.1.4.1.311.21.6: 26
>>
>> TLS Web Server Authentication: 20
>>
>> http://oid-info.com/get/1.2.840.113583.1.1.5: 13
>>
>> Time Stamping: 12
>>
>> http://oid-info.com/get/1.3.6.1.4.1.311.10.3.4.1: 11
>>
>> Code Signing: 9
>>
>> http://oid-info.com/get/1.3.6.1.4.1.311.20.2.1: 7
>>
>> http://oid-info.com/get/1.3.6.1.4.1.311.10.3.11: 6
>>
>> http://oid-info.com/get/1.3.6.1.4.1.311.21.19: 6
>>
>> http://oid-info.com/get/1.3.6.1.5.5.7.3.14: 4
>>
>> IPSec User: 4
>>
>> http://oid-info.com/get/1.3.6.1.4.1.311.67.1.1: 3
>>
>> http://oid-info.com/get/2.16.840.1.114027.40.3: 1
>>
>> http://oid-info.com/get/2.16.840.114027.40.4: 1
>>
>> http://oid-info.com/get/2.16.840.1.114027.40.11: 1
>>
>> ipsec Internet Key Exchange: 1
>>
>> http://oid-info.com/get/1.3.6.1.4.1.29452.1.1: 1
>>
>> http://oid-info.com/get/1.3.6.1.5.5.8.2.2: 1
>>
>> http://oid-info.com/get/2.16.840.1.101.3.6.8: 1
>>
>> http://oid-info.com/get/2.16.840.1.101.3.8.7: 1
>>
>>
>>
>> Given the wide variety of EKUs included in ICAs today, I believe it makes
>> sense to be permissive for the legacy profile and allow any EKU value to
>> appear alongside emailProtection. For the multi-purpose profile, we may
>> want to permit document signing, client authentication, and other related
>> client-centric functionality (encrypting file system, etc.) but prohibit
>> EKUs that don’t fall into “end-user client machine” usages, such as
>> timeStamping or codeSigning.
>>
>>
>>
>> If anyone wants to perform their own investigation, this is the Censys
>> query used to generate the list of ICAs:
>>
>> ((validation.nss.valid: true and parsed.extensions.extended_key_usage.email_protection: true) AND tags.raw: "trusted") AND parsed.extensions.basic_constraints.is_ca: true
>>
>>
>>
>> Thanks,
>>
>> Corey
>>
>>
>> _______________________________________________
>> Smcwg-public mailing list
>> Smcwg-public at cabforum.org
>> https://lists.cabforum.org/mailman/listinfo/smcwg-public
>>
>
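The two surveys above (Corey's per-EKU counts and Ben's per-combination table) and Corey's legacy/multi-purpose proposal can be reproduced offline from the raw extKeyUsage extension values of a set of CA certificates. The following Python is an added example written for this page; it is not code from either participant, from Censys, or from the CCADB. It parses the DER-encoded extnValue (a SEQUENCE OF OBJECT IDENTIFIER, RFC 5280 4.2.1.12) with a small hand-written decoder so it needs no third-party library, tallies combinations and single EKUs, and screens each set the way the thread proposes. The OID-to-name table for the Microsoft EKUs (EFS, EFS recovery, document signing, smartcard logon) is my mapping, the set of "non-client" EKUs to reject for the multi-purpose profile is an assumption drawn from the messages above rather than from any published profile, and the five sample extKeyUsage values are constructed, not taken from real ICAs.

```python
from collections import Counter

# OID -> short name as used in the thread: RFC 5280 id-kp values plus the
# Microsoft EKUs listed above. Unknown OIDs are reported in dotted form.
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning", "1.3.6.1.5.5.7.3.4": "emailProtection",
    "1.3.6.1.5.5.7.3.8": "timeStamping", "1.3.6.1.5.5.7.3.9": "OCSPSigning",
    "1.3.6.1.4.1.311.10.3.4": "EFS", "1.3.6.1.4.1.311.10.3.4.1": "EFSRecovery",
    "1.3.6.1.4.1.311.10.3.12": "MS-docSigning", "1.3.6.1.4.1.311.20.2.2": "Smartcardlogon",
}
# Assumed screening set: EKUs the thread names as not "end-user client machine"
# usages (serverAuth, codeSigning, timeStamping, OCSPSigning). Not from any profile.
NON_CLIENT_EKUS = {"1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.3",
                   "1.3.6.1.5.5.7.3.8", "1.3.6.1.5.5.7.3.9"}

def der_length(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def read_tlv(buf, pos):
    """Return (tag, content, position after this TLV) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        count = length & 0x7F
        if count == 0 or count > 4:
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    if not content or content[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, value = [], 0
    for byte in content:                           # base-128, high bit = continue
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]                                # first two arcs share one subidentifier
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def encode_oid(dotted):
    """Encode a dotted OID as a full DER TLV; used here only to build sample data."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + der_length(len(body)) + bytes(body)

def build_eku(*dotted):
    # Construct an extKeyUsage extnValue (SEQUENCE OF OID) for sample data.
    body = b"".join(encode_oid(o) for o in dotted)
    return b"\x30" + der_length(len(body)) + body

def parse_eku(ext_value):
    """Return the dotted OIDs in an extKeyUsage extnValue (RFC 5280 4.2.1.12)."""
    tag, seq, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("extKeyUsage value is not a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, content, pos = read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("non-OID element inside extKeyUsage")
        oids.append(decode_oid(content))
    return oids

def screen(oids):
    """Legacy profile: emailProtection present. Multi-purpose: also no NON_CLIENT_EKUS."""
    has_email = "1.3.6.1.5.5.7.3.4" in oids
    flagged = sorted(EKU_NAMES.get(o, o) for o in oids if o in NON_CLIENT_EKUS)
    return {"ekus": [EKU_NAMES.get(o, o) for o in oids], "legacy_ok": has_email,
            "multipurpose_ok": has_email and not flagged, "flagged": flagged}

def tally(ext_values):
    """Count EKU combinations (Ben's table) and individual EKUs (Corey's list)."""
    combos, singles = Counter(), Counter()
    for value in ext_values:
        names = [EKU_NAMES.get(o, o) for o in parse_eku(value)]
        combos[",".join(sorted(names, key=str.lower))] += 1
        singles.update(set(names))
    return combos, singles

# Constructed sample: extKeyUsage values of five hypothetical ICAs, not real ones.
SAMPLE_ICAS = [
    build_eku("1.3.6.1.5.5.7.3.4", "1.3.6.1.5.5.7.3.2"),
    build_eku("1.3.6.1.5.5.7.3.4", "1.3.6.1.5.5.7.3.2"),
    build_eku("1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.10.3.12"),
    build_eku("1.3.6.1.5.5.7.3.4", "1.3.6.1.5.5.7.3.3", "1.3.6.1.5.5.7.3.8"),
    build_eku("1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"),
]
```

To use it against real data, feed `parse_eku` the bytes of each ICA's extKeyUsage extnValue (the OCTET STRING contents, not the whole extension) and pass the list to `tally`; `screen` then says whether each certificate would fit the legacy rule (any EKU alongside emailProtection) or the stricter multi-purpose rule. Parsing fails closed on malformed input, and on `SAMPLE_ICAS` the fourth certificate is flagged for codeSigning and timeStamping while the fifth, lacking emailProtection, fits neither profile.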