[Smcwg-public] EKUs found in S/MIME ICAs

Ben Wilson bwilson at mozilla.com
Thu Nov 4 14:48:02 UTC 2021


Make that 42.

On Thu, Nov 4, 2021 at 8:45 AM Ben Wilson via Smcwg-public <
smcwg-public at cabforum.org> wrote:

> Add 33 more that I didn't count that had the serverAuth, timeStamping,
> codeSigning, and OCSP signing EKUs in them.
>
> On Thu, Nov 4, 2021 at 8:41 AM Ben Wilson <bwilson at mozilla.com> wrote:
>
>> I just posted a CCADB report here: https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/6IegfqONu7c/m/ofXETowrAgAJ
>>
>>
>> I counted 445 CA certificates with the emailProtection EKU.
>>
>> S/MIME
>> emailProtection, clientAuth 319
>> emailProtection 18
>> clientAuth,emailProtection,AuthenticDocumentsTrust 3
>> clientAuth,emailProtection,BitLocker,MS-docSigning,EFSRecovery,EFS,Smartcardlogon 1
>> clientAuth,emailProtection,caExchange,keyRecoveryAgent 9
>> clientAuth,emailProtection,digitalPersona 1
>> clientAuth,emailProtection,EFS 4
>> clientAuth,emailProtection,EFS,MS-docSigning 1
>> clientAuth,emailProtection,EFS,MS-docSigning,Smartcardlogon,PIV-cardAuth,pivi-content-signing 1
>> clientAuth,emailProtection,EFS,Smartcardlogon 2
>> clientAuth,emailProtection,EFS,Smartcardlogon,MS-docSigning,AuthenticDocumentsTrust 5
>> clientAuth,emailProtection,EFSRecovery,EFS,Smartcardlogon 2
>> clientAuth,emailProtection,IPSECUser,EFS,EFSRecovery,MSkeyRecovery,enrollmentAgent,Smartcardlogon,PASSIM 1
>> clientAuth,emailProtection,IPSECUser,Smartcardlogon,EFS,keyRecoveryAgent,MS-docSigning,ipsecIKE 1
>> clientAuth,emailProtection,MS-docSigning 41
>> clientAuth,emailProtection,MS-docSigning,AuthenticDocumentsTrust,Smartcardlogon 1
>> clientAuth,emailProtection,MS-docSigning,EFS 3
>> clientAuth,emailProtection,MS-docSigning,EFS,Smartcardlogon 1
>> clientAuth,emailProtection,MS-docSigning,Entrust-docSigning 1
>> clientAuth,emailProtection,Smartcardlogon 4
>> clientAuth,emailProtection,Smartcardlogon,EFS,EFSRecovery,BitLocker 1
>> emailProtection,BitLocker,EFSRecovery,EFS 1
>> emailProtection,caExchange 1
>> emailProtection,caExchange,keyRecoveryAgent 10
>> emailProtection,clientAuth,EntrustEvent,EntrustUnknown,Smartcardlogon 1
>> emailProtection,clientAuth,IPSECUser,EFS,EFSRecovery,MSkeyRecovery,enrollmentAgent,Smartcardlogon,PASSIM 1
>> emailProtection,clientAuth,Smartcardlogon,EFS,EFSRecovery,BitLocker 1
>> emailProtection,clientAuth,Smartcardlogon,MS-docSigning 1
>> emailProtection,MS-docSigning 3
>> emailProtection,MS-docSigning,AuthenticDocumentsTrust 6
>> S/MIME Total 445
>>
>> On Mon, Jun 7, 2021 at 11:45 AM Corey Bonnell via Smcwg-public <
>> smcwg-public at cabforum.org> wrote:
>>
>>> Hello,
>>>
>>> To help facilitate the discussion on EKUs allowed for the various
>>> profiles, I downloaded all S/MIME ICAs trusted by Mozilla according to
>>> Censys.io and sorted the occurrence of EKUs that appear in the ICAs. I have
>>> filtered out ICA certificates that are revoked by CRL.
>>>
>>>
>>>
>>> E-mail Protection: 414
>>>
>>> TLS Web Client Authentication: 368
>>>
>>> http://oid-info.com/get/1.3.6.1.4.1.311.10.3.12: 82
>>>
>>> Microsoft Encrypted File System: 38
>>>
>>> http://oid-info.com/get/1.3.6.1.4.1.311.21.5: 29
>>>
>>> OCSP Signing: 27
>>>
>>> Microsoft Smartcard Login: 26
>>>
>>> http://oid-info.com/get/1.3.6.1.4.1.311.21.6: 26
>>>
>>> TLS Web Server Authentication: 20
>>>
>>> http://oid-info.com/get/1.2.840.113583.1.1.5: 13
>>>
>>> Time Stamping: 12
>>>
>>> http://oid-info.com/get/1.3.6.1.4.1.311.10.3.4.1: 11
>>>
>>> Code Signing: 9
>>>
>>> http://oid-info.com/get/1.3.6.1.4.1.311.20.2.1: 7
>>>
>>> http://oid-info.com/get/1.3.6.1.4.1.311.10.3.11: 6
>>>
>>> http://oid-info.com/get/1.3.6.1.4.1.311.21.19: 6
>>>
>>> http://oid-info.com/get/1.3.6.1.5.5.7.3.14: 4
>>>
>>> IPSec User: 4
>>>
>>> http://oid-info.com/get/1.3.6.1.4.1.311.67.1.1: 3
>>>
>>> http://oid-info.com/get/2.16.840.1.114027.40.3: 1
>>>
>>> http://oid-info.com/get/2.16.840.114027.40.4: 1
>>>
>>> http://oid-info.com/get/2.16.840.1.114027.40.11: 1
>>>
>>> ipsec Internet Key Exchange: 1
>>>
>>> http://oid-info.com/get/1.3.6.1.4.1.29452.1.1: 1
>>>
>>> http://oid-info.com/get/1.3.6.1.5.5.8.2.2: 1
>>>
>>> http://oid-info.com/get/2.16.840.1.101.3.6.8: 1
>>>
>>> http://oid-info.com/get/2.16.840.1.101.3.8.7: 1
>>>
>>>
>>>
>>> Given the wide variety of EKUs included in ICAs today, I believe it
>>> makes sense to be permissive for the legacy profile and allow any EKU value
>>> to appear alongside emailProtection. For the multi-purpose profile, we may
>>> want to permit document signing, client authentication, and other related
>>> client-centric functionality (encrypting file system, etc.) but prohibit
>>> EKUs that don’t fall into “end-user client machine” usages, such as
>>> timeStamping or codeSigning.
>>>
>>>
>>>
>>> If anyone wants to perform their own investigation, this is the Censys
>>> query used to generate the list of ICAs:
>>>
>>> ((validation.nss.valid: true and
>>> parsed.extensions.extended_key_usage.email_protection: true) AND tags.raw:
>>> "trusted") AND parsed.extensions.basic_constraints.is_ca: true
>>>
>>>
>>>
>>> Thanks,
>>>
>>> Corey
>>>
>>>
>>> _______________________________________________
>>> Smcwg-public mailing list
>>> Smcwg-public at cabforum.org
>>> https://lists.cabforum.org/mailman/listinfo/smcwg-public
>>>
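A small tally and profile check in the spirit of Corey's and Ben's counts, added here as an example and not part of the thread. It assumes the EKU OID lists have already been extracted from the ICA certificates (for instance from a CCADB or Censys export); the OID-to-name table is a partial one covering only EKUs the thread names, unknown OIDs are kept as dotted strings, the order of EKUs is canonicalized so that "emailProtection, clientAuth" and "clientAuth,emailProtection" are counted as one combination, and each ICA is sorted into the legacy or multi-purpose bucket under the rule Corey proposes (any EKU alongside emailProtection for legacy; no timeStamping, codeSigning, serverAuth or OCSP signing for multi-purpose). The sample ICAs are constructed, not real data.

```python
from collections import Counter

# Partial OID-to-name table (assumption: only EKUs named in the thread; anything else stays a raw OID)
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "1.3.6.1.5.5.7.3.8": "timeStamping",
    "1.3.6.1.5.5.7.3.9": "OCSPSigning",
    "1.3.6.1.4.1.311.10.3.12": "MS-docSigning",
    "1.3.6.1.4.1.311.20.2.2": "Smartcardlogon",
    "1.3.6.1.4.1.311.10.3.4": "EFS",
}

# EKUs that are not "end-user client machine" usages and so would be kept out of the multi-purpose profile
NON_CLIENT_EKUS = {"serverAuth", "codeSigning", "timeStamping", "OCSPSigning"}

def eku_names(oids):
    """Map OIDs to names (unknown OIDs kept as-is) and return a sorted tuple so ordering never splits a count."""
    return tuple(sorted(EKU_NAMES.get(o, o) for o in oids))

def classify(oids):
    """Say which proposed S/MIME profile an ICA's EKU set would fit."""
    names = set(eku_names(oids))
    if "emailProtection" not in names:
        return "not-smime"      # no emailProtection: outside the S/MIME scope entirely
    if names & NON_CLIENT_EKUS:
        return "legacy-only"    # permitted only under the permissive legacy profile
    return "multipurpose"

def tally(icas):
    """Count ICAs per canonical EKU combination (like Ben's table) and per profile verdict."""
    combos = Counter(eku_names(o) for o in icas)
    verdicts = Counter(classify(o) for o in icas)
    return combos, verdicts

# Constructed sample: EKU OID lists for eight hypothetical ICAs (not CCADB or Censys data)
SAMPLE_ICAS = [
    ["1.3.6.1.5.5.7.3.4", "1.3.6.1.5.5.7.3.2"],
    ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],                            # same set, other order
    ["1.3.6.1.5.5.7.3.4"],
    ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.10.3.12"],
    ["1.3.6.1.5.5.7.3.4", "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.8"],       # serverAuth + timeStamping
    ["1.3.6.1.5.5.7.3.4", "1.3.6.1.5.5.7.3.9"],                            # OCSP signing
    ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.67.1.1"],  # BitLocker OID, not in table
    ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"],                            # no emailProtection at all
]

if __name__ == "__main__":
    combos, verdicts = tally(SAMPLE_ICAS)
    for combo, n in combos.most_common():
        print(",".join(combo), n)
    print(dict(verdicts))
```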