All,

Here is a CCADB report of EKUs in Intermediate CA certificates (a total of 2,962). Each CA certificate is counted only once in the table below. I haven't done any further analysis of these certificates. It is apparent that we need to clean up some of these intermediate CAs by removing trust from some of these CAs, or at least revoking and replacing CA certificates to remove EKUs that conflict with other EKUs. I thought we might have a discussion of this separate from or in addition to our review of GitHub MRSP Policy Issue #228 (Clarify technically-constrained sub-CA EKUs).

Ben
Extended Key Usage (one row per distinct EKU set; count = intermediate CA certificates)

Server Authentication
  No EKU                                                                      1025
  serverAuth                                                                    19
  serverAuth,clientAuth                                                       1058
  serverAuth,clientAuth,OCSPSigning                                             13
  serverAuth,emailProtection                                                     3
  serverAuth,clientAuth,emailProtection                                          6
  serverAuth,clientAuth,codeSigning                                              1
  serverAuth,clientAuth,codeSigning,emailProtection,timeStamping                 5
  serverAuth,clientAuth,codeSigning,NetscapeSGC                                  1
  serverAuth,clientAuth,IntelAMTProvisioning                                     1
  serverAuth,clientAuth,IPSECEndSystem,IPSECTunnel,IPSECUser                     1
  serverAuth,clientAuth,IPSECEndSystem,IPSECTunnel,IPSECUser,OCSPSigning,enrollmentAgent   1
  serverAuth,clientAuth,NetscapeSGC,VerisignSGC                                  2
  NetscapeSGC,VerisignSGC                                                        1
  NetscapeSGC                                                                    1
  NetscapeSGC,serverAuth,clientAuth                                              4
  clientAuth,serverAuth,MicrosoftSGC,NetscapeSGC                                 8
  ServerAuth Total                                                            2150

ClientAuth
  clientAuth                                                                    48
  ClientAuth Total                                                              48

S/MIME
  emailProtection,clientAuth                                                   319
  emailProtection                                                               18
  clientAuth,emailProtection,AuthenticDocumentsTrust                             3
  clientAuth,emailProtection,BitLocker,MS-docSigning,EFSRecovery,EFS,Smartcardlogon   1
  clientAuth,emailProtection,caExchange,keyRecoveryAgent                         9
  clientAuth,emailProtection,digitalPersona                                      1
  clientAuth,emailProtection,EFS                                                 4
  clientAuth,emailProtection,EFS,MS-docSigning                                   1
  clientAuth,emailProtection,EFS,MS-docSigning,Smartcardlogon,PIV-cardAuth,pivi-content-signing   1
  clientAuth,emailProtection,EFS,Smartcardlogon                                  2
  clientAuth,emailProtection,EFS,Smartcardlogon,MS-docSigning,AuthenticDocumentsTrust   5
  clientAuth,emailProtection,EFSRecovery,EFS,Smartcardlogon                      2
  clientAuth,emailProtection,IPSECUser,EFS,EFSRecovery,MSkeyRecovery,enrollmentAgent,Smartcardlogon,PASSIM   1
  clientAuth,emailProtection,IPSECUser,Smartcardlogon,EFS,keyRecoveryAgent,MS-docSigning,ipsecIKE   1
  clientAuth,emailProtection,MS-docSigning                                      41
  clientAuth,emailProtection,MS-docSigning,AuthenticDocumentsTrust,Smartcardlogon   1
  clientAuth,emailProtection,MS-docSigning,EFS                                   3
  clientAuth,emailProtection,MS-docSigning,EFS,Smartcardlogon                    1
  clientAuth,emailProtection,MS-docSigning,Entrust-docSigning                    1
  clientAuth,emailProtection,Smartcardlogon                                      4
  clientAuth,emailProtection,Smartcardlogon,EFS,EFSRecovery,BitLocker            1
  emailProtection,BitLocker,EFSRecovery,EFS                                      1
  emailProtection,caExchange                                                     1
  emailProtection,caExchange,keyRecoveryAgent                                   10
  emailProtection,clientAuth,EntrustEvent,EntrustUnknown,Smartcardlogon          1
  emailProtection,clientAuth,IPSECUser,EFS,EFSRecovery,MSkeyRecovery,enrollmentAgent,Smartcardlogon,PASSIM   1
  emailProtection,clientAuth,Smartcardlogon,EFS,EFSRecovery,BitLocker            1
  emailProtection,clientAuth,Smartcardlogon,MS-docSigning                        1
  emailProtection,MS-docSigning                                                  3
  emailProtection,MS-docSigning,AuthenticDocumentsTrust                          6
  S/MIME Total                                                                 445

Code Signing
  codeSigning                                                                  163
  codeSigning,kernelModeCS                                                       2
  codeSigning,msCodeCom                                                          1
  codeSigning,OCSPSigning                                                        6
  codeSigning,Symantec-EKUs                                                      1
  codeSigning,timeStamping                                                       5
  clientAuth,codeSigning                                                         7
  clientAuth,codeSigning,emailProtection,timeStamping,MS-docSigning,AuthenticDocumentsTrust   1
  Code Signing Total                                                           186

Document Signing (not including S/MIME CAs)
  MS-docSigning                                                                  1
  MS-docSigning,AuthenticDocumentsTrust                                         17
  AuthenticDocumentsTrust                                                       10
  AuthenticDocumentsTrust,MS-docSigning                                          3
  clientAuth,AuthenticDocumentsTrust                                             2
  clientAuth,AuthenticDocumentsTrust,MS-docSigning                               3
  clientAuth,Smartcardlogon,AuthenticDocumentsTrust                              2
  Document Signing Total                                                        38

CAs with OCSP Signing EKU (not including serverAuth CAs)
  OCSPSigning,clientAuth,emailProtection                                         6
  emailProtection,clientAuth,OCSPSigning,IPSECUser,EFS,EFSRecovery,MSkeyRecovery,enrollmentAgent,PASSIM   1
  clientAuth,emailProtection,OCSPSigning,eapOverLAN,EFS,EFSRecovery,MSkeyRecovery,enrollmentAgent,PASSIM   1
  clientAuth,emailProtection,OCSPSigning,EFS,EFSRecovery,MSkeyRecovery,enrollmentAgent,Smartcardlogon,PASSIM   2
  clientAuth,emailProtection,OCSPSigning,MS-docSigning                           3
  clientAuth,emailProtection,OCSPSigning,MS-docSigning,EFS                      14
  timeStamping,OCSPSigning                                                       4
  timeStamping,OCSPSigning,AuthenticDocumentsTrust                               1
  OCSP Signing Total                                                            32

Time Stamping (not including CAs with codeSigning or OCSP Signing EKUs)
  timeStamping                                                                  56
  timeStamping,AuthenticDocumentsTrust                                           2
  clientAuth,timeStamping                                                        1
  clientAuth,emailProtection,timeStamping                                        2
  clientAuth,emailProtection,timeStamping,AuthenticDocumentsTrust,MS-docSigning   1
  Time Stamping Total                                                           62

Miscellaneous
  BrandIndicatorforMessageID                                                     1
  Miscellaneous Total                                                            1

Grand Total                                                                   2962

-- 
You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaY%2BHpyjBWRgB6T2e0A6oaY-jr84%2Bq-KAndn7LBNafn1%2BQ%40mail.gmail.com.
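To reproduce a report like the one above from raw certificates, the first step is decoding each intermediate's extKeyUsage extension and sorting the resulting EKU set into a bucket. The following is an added example, not part of Ben's message and not CCADB tooling: a self-contained DER decoder for ExtKeyUsageSyntax (SEQUENCE OF OBJECT IDENTIFIER), a name map for the common RFC 5280, Netscape and Microsoft EKU OIDs, a classify() whose bucket order is this example's own reading of how the table groups its rows (serverAuth and SGC-only sets first, then clientAuth-only, codeSigning, OCSPSigning, timeStamping, emailProtection, document signing, everything else), and a conflicts() check whose flagged combinations are an illustrative assumption, since the message does not enumerate which EKUs it considers to conflict. The sample extension values are constructed in the block with the included encoder.

```python
"""Decode an X.509 extKeyUsage extension value (DER) and bucket the EKU set
the way the CCADB report above groups its rows.

Added example, not CCADB tooling. Assumptions: the bucket order in classify()
is one reading of the report's grouping; the combinations flagged by
conflicts() are illustrative and not taken from any policy text.
"""

# Short names follow the spelling used in the report.
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "1.3.6.1.5.5.7.3.8": "timeStamping",
    "1.3.6.1.5.5.7.3.9": "OCSPSigning",
    "2.5.29.37.0": "anyExtendedKeyUsage",
    "2.16.840.1.113730.4.1": "NetscapeSGC",
    "1.3.6.1.4.1.311.10.3.3": "MicrosoftSGC",
    "1.3.6.1.4.1.311.10.3.12": "MS-docSigning",
    "1.3.6.1.4.1.311.20.2.2": "Smartcardlogon",
}

def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _read_len(buf, pos):
    """Return (length, position just after the length octets)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:          # base-128, high bit set on all but the last octet
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + _der_len(len(body)) + bytes(body)

def _decode_oid(body):
    if not body or body[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def encode_eku(dotted_oids):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (used here to build samples)."""
    inner = b"".join(_encode_oid(o) for o in dotted_oids)
    return b"\x30" + _der_len(len(inner)) + inner

def decode_eku(der):
    """Dotted OIDs of an extKeyUsage value; rejects non-OID members and trailing bytes."""
    if not der or der[0] != 0x30:
        raise ValueError("extKeyUsage value must be a SEQUENCE")
    length, pos = _read_len(der, 1)
    end = pos + length
    if end != len(der):
        raise ValueError("SEQUENCE length does not match buffer")
    oids = []
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        length, pos = _read_len(der, pos + 1)
        if pos + length > end:
            raise ValueError("OID runs past end of SEQUENCE")
        oids.append(_decode_oid(der[pos:pos + length]))
        pos += length
    return oids

def eku_names(der):
    return [EKU_NAMES.get(o, o) for o in decode_eku(der)]

def classify(names):
    """Bucket an EKU name list in the report's order (assumed from its rows)."""
    s = set(names)
    if not s or "serverAuth" in s or any(n.endswith("SGC") for n in s):
        return "Server Authentication"      # the report counts 'No EKU' CAs here
    if s == {"clientAuth"}:
        return "ClientAuth"
    for eku, bucket in (("codeSigning", "Code Signing"), ("OCSPSigning", "OCSP Signing"),
                        ("timeStamping", "Time Stamping"), ("emailProtection", "S/MIME")):
        if eku in s:
            return bucket
    if s & {"MS-docSigning", "AuthenticDocumentsTrust"}:
        return "Document Signing"
    return "Miscellaneous"

def conflicts(names):
    """Illustrative checks only (assumption): a TLS CA that also carries S/MIME
    or code-signing purposes, OCSPSigning on a CA certificate, anyExtendedKeyUsage."""
    s = set(names)
    found = []
    mixed = sorted(s & {"emailProtection", "codeSigning"})
    if "serverAuth" in s and mixed:
        found.append("serverAuth mixed with " + ",".join(mixed))
    if "OCSPSigning" in s:
        found.append("OCSPSigning on a CA certificate")
    if "anyExtendedKeyUsage" in s:
        found.append("anyExtendedKeyUsage")
    return found

if __name__ == "__main__":
    # Constructed sample: serverAuth,clientAuth,emailProtection (a row with 6 CAs above).
    sample = encode_eku(["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"])
    names = eku_names(sample)
    print(names, classify(names), conflicts(names))
```

Feeding it real data means pulling the extKeyUsage extension value (OID 2.5.29.37) out of each intermediate with whatever X.509 library is at hand and passing the raw value to eku_names(); the strict length checks in decode_eku() are deliberate, since a tool that silently skips an unparseable extension would undercount exactly the odd CAs the report is trying to surface.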