These seem like good ideas. I've
never seen an intermediate certificate with an extended key
usage extension, and this may be part of the reason that
Microsoft's implementation of extended key usage hasn't caused
much of a problem. Unfortunately, the reason that I found out
about Mozilla's plans is that they intend to actively encourage
the inclusion of extended key usage extensions in intermediate
certificates that include currently defined key purpose OIDs
(http://www.mozilla.org/projects/security/certs/policy/WorkInProgress/InclusionPolicy.html):
Mozilla's draft policy imposes additional requirements on CA certificates that are not "technically constrained." The general response on the Mozilla web site (https://bugzilla.mozilla.org/show_bug.cgi?id=725351) seems to be "everyone else is ignoring the X.509 semantics for extended key usage, so why shouldn't Mozilla?". I asked why, if everyone feels that the X.509 semantics are wrong, no one has proposed a change to the standard. The only response I've gotten so far came from Brian Smith, who said "I expect that will happen as part of the WebPKI effort at the IETF." I would certainly hope the IETF wouldn't try to use the Web PKI Operations working group (assuming one forms) to try to change the semantics of an X.509 extension. Any change would have to be made in X.509, not in the IETF, and I get the impression from the discussions on this list that there isn't interest in changing X.509.

Dave

On 10/27/2012 10:43 AM, Michael Ströder wrote:

Basically for PKI practitioners this means:

1. Never ever set extendedKeyUsage in intermediate certs.

2. Never ever sign certs with a key for which the accompanying public-key cert contains the extendedKeyUsage extension.

On 10/22/2012 05:46 PM, David Chadwick wrote:

However, one could possibly use this line of argument (I am not condoning their current approach, only playing devil's advocate for them). EKU is a bucket which allows new extended key uses to be defined. If all the EKUs that they define specify in their definition that this EKU does not apply to the certificate in question, but to the certificate of the subject, then one could argue that it is OK, since you have to understand the value of the EKU in order to implement it, and when you understand the value you understand the semantics that are applied to the value.

----- www.x500standard.com: The central source for information on the X.500 Directory Standard.
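A practitioner's check for the rule Michael Ströder states above (no extendedKeyUsage on intermediate/CA certificates), written as an added example for this thread rather than code from any of its participants. It assumes the Python `cryptography` package; the three-certificate chain it lints is constructed inline, and the intermediate is deliberately given a serverAuth EKU so the finding is visible.

```python
"""Lint a certificate chain for extendedKeyUsage on CA certificates."""
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec


def eku_findings(chain):
    """Return (subject, [EKU OIDs]) for each CA cert in `chain` that carries
    an extendedKeyUsage extension.  End-entity certs are ignored: an EKU on
    a leaf is normal, an EKU on a signing cert is what the thread warns about."""
    findings = []
    for cert in chain:
        try:
            bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
        except x509.ExtensionNotFound:
            continue  # no basicConstraints: not a CA certificate
        if not bc.ca:
            continue
        try:
            eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        except x509.ExtensionNotFound:
            continue  # CA cert without EKU: compliant with the rule
        findings.append((cert.subject.rfc4514_string(),
                         [oid.dotted_string for oid in eku]))
    return findings


def _make_cert(cn, ca, eku=None):
    # Constructed self-signed test certificate (sample data, not a real CA).
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=1))
               .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if eku:
        builder = builder.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    return builder.sign(key, hashes.SHA256())


def sample_chain():
    # Constructed chain: clean root, intermediate with an EKU (the bad case), leaf.
    return [
        _make_cert("Test Root", ca=True),
        _make_cert("Test Intermediate", ca=True, eku=[ExtendedKeyUsageOID.SERVER_AUTH]),
        _make_cert("www.example.test", ca=False, eku=[ExtendedKeyUsageOID.SERVER_AUTH]),
    ]


if __name__ == "__main__":
    for subject, purposes in eku_findings(sample_chain()):
        print(f"CA certificate {subject} carries extendedKeyUsage {purposes}")
```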