Re: Policy 2.8: MRSP Issue #228: Clarify technically-constrained sub-CA EKUs

Mon, 15 Nov 2021 04:47:19 -0800 


On 11/11/2021 12:10 μ.μ., Dimitris Zacharopoulos wrote:


I am having trouble understanding the following phrase under 4.

/"//that are not inconsistent with id-kp-emailProtection" /


and I'm not sure if it is because of a double negative or something 
else missing. Ben, or anyone, can you please share some examples of 
"consistent" and "inconsistent" EKUs with id-kp-emailProtection to 
make this requirement a bit more clear?



1. and 3. are already covered in 4. You use "encourage" to recommend 
something. I suggest we avoid using RFC 2119 specific terms like 
"SHOULD NOT" if it is just to "encourage" a practice.



In order to have some symmetry between the email and server 
certificates, I made an attempt to consolidate the information. Here 
is a proposed change:


Current section 5.3.1 text:


/"We encourage CAs to technically constrain all intermediate 
certificates. For a certificate to be considered technically 
constrained, the certificate MUST include an //Extended Key Usage 
(EKU) <http://tools.ietf.org/html/rfc5280#section-4.2.1.12>//extension 
specifying all extended key usages that the subordinate CA is 
authorized to issue certificates for. The anyExtendedKeyUsage 
KeyPurposeId MUST NOT appear within this extension./


//


/If the certificate includes the id-kp-serverAuth extended key usage, 
then to be considered technically constrained, the certificate MUST be 
Name Constrained as described in section 7.1.5 of version 1.3 or later 
of the //Baseline Requirements 
<https://cabforum.org/baseline-requirements-documents/>//. The 
conformance requirements defined in section 2.3 of this policy also 
apply to technically constrained intermediate certificates./


//


/If the certificate includes the id-kp-emailProtection extended key 
usage, then to be considered technically constrained, it MUST include 
the Name Constraints X.509v3 extension with constraints on rfc822Name, 
with at least one name in permittedSubtrees, each such name having its 
ownership validated according to section 3.2.2.4 of the //Baseline 
Requirements <https://cabforum.org/baseline-requirements-documents/>//."/


Suggested text:




 I realized that we should also consider the subCA Certificates that 
contain an EKU extension and have KeyPurposeIDs that are not the 
id-kp-emailProtection (for email certificates) or id-kp-serverAuth (for 
server certificates). Here's an updated text to support that.



/"We encourage CAs to technically constrain all intermediate 
certificates. For a CA certificate to be considered technically 
constrained for email certificates, //one of the following options must 
be fulfilled:

/


//Option A) The CA Certificate MUST include an //Extended Key Usage 
(EKU) <http://tools.ietf.org/html/rfc5280#section-4.2.1.12>//extension 
that SHALL NOT include the id-kp-emailProtection or the 
/////anyExtendedKeyUsage /KeyPurposeID; or

//

/Option B) The CA Certificate


- MUST include an //Extended Key Usage (EKU) 
<http://tools.ietf.org/html/rfc5280#section-4.2.1.12>//extension that 
SHALL include the id-kp-emailProtection KeyPurposeID. The values 
id-kp-serverAuth, id-kp-codeSigning, id-kp-timeStamping, and 
anyExtendedKeyUsage MUST NOT be present. The value id-kp-clientAuth MAY 
be present. Other values that the CA is allowed to use, and that are 
documented in the CA’s CPS MAY be present, and//;



- MUST include a Name Constraints X.509v3 extension with constraints on 
rfc822Name values, with at least one name in permittedSubtrees, each 
such name having its ownership validated according to section 3.2.2.4 of 
the //Baseline Requirements 
<https://cabforum.org/baseline-requirements-documents/>//./



/For a CA certificate to be considered technically constrained for 
server certificates, ///one of the following options must be fulfilled/:

/


//Option A) The CA Certificate MUST include an //Extended Key Usage 
(EKU) <http://tools.ietf.org/html/rfc5280#section-4.2.1.12>//extension 
that SHALL NOT include the id-kp-serverAuth or the 
/////anyExtendedKeyUsage /KeyPurposeID; or////


Option B) The CA Certificate


/- MUST include an //Extended Key Usage (EKU) 
<http://tools.ietf.org/html/rfc5280#section-4.2.1.12>//extension that 
includes the id-kp-serverAuth KeyPurposeID. The values 
id-kp-emailProtection, id-kp-codeSigning, id-kp-timeStamping, and 
anyExtendedKeyUsage MUST NOT be present. The value id-kp-clientAuth MAY 
be present. Other values that the CA is allowed to use, and that are 
documented in the CA’s CPS MAY be present, and;

/


/- //MUST //include a Name Constraints X.509v3 extension with 
constraints //as described in section 7.1.5 of version 1.3 or later of 
the //Baseline Requirements 
<https://cabforum.org/baseline-requirements-documents/>//./



/We encourage CAs not to include more than a single KeyPurposeID in the 
EKU extension."/


--
You received this message because you are subscribed to the Google Groups 
"dev-security-policy@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to dev-security-policy+unsubscr...@mozilla.org.
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/a8ca2462-41ce-34c0-f5bc-b1e6557dd355%40it.auth.gr.

























					Reply via email to