Re: [TLS] Regulations for EKU validation for CA certificates in the certificate chain

2023-02-01 Thread Oleg Pekar
> > From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Carl Wallace > Sent: Tuesday, January 31, 2023 9:42 AM > To: Corey Bonnell > Cc: TLS@ietf.org; Salz, Rich > Subject: Re: [TLS] Regulations for EKU validation for CA certificates > in the certificate chain >

Re: [TLS] Regulations for EKU validation for CA certificates in the certificate chain

2023-01-31 Thread Santosh Chokhani
for EKU validation for CA certificates in the certificate chain Good reference. That shows modifying initialization steps and using new variables. RFC5937 has an example of a new input flag. Between those two the basic skeleton is there. The effort just needs to make sure status quo is

Re: [TLS] Regulations for EKU validation for CA certificates in the certificate chain

2023-01-31 Thread Carl Wallace
n Behalf Of Salz, Rich > Sent: Saturday, January 28, 2023 10:57 AM > To: Oleg Pekar ; Carl Wallace > > Cc: TLS@ietf.org > Subject: Re: [TLS] Regulations for EKU validation for CA certificates in the > certificate chain > > Great, I will prepare the initial draft then. Ar

Re: [TLS] Regulations for EKU validation for CA certificates in the certificate chain

2023-01-31 Thread Corey Bonnell
Wallace Cc: TLS@ietf.org Subject: Re: [TLS] Regulations for EKU validation for CA certificates in the certificate chain Great, I will prepare the initial draft then. Are there any informal documents where WebPKI rules are captured? I would start by looking at the CA/Browser forum

Re: [TLS] Regulations for EKU validation for CA certificates in the certificate chain

2023-01-28 Thread Viktor Dukhovni
On Sat, Jan 28, 2023 at 11:57:46AM +0200, Oleg Pekar wrote: > "If the extension is present, then the certificate MUST only be used >for one of the purposes indicated. If multiple purposes are >indicated the application need not recognize all purposes indicated, >as long as the inten

Re: [TLS] Regulations for EKU validation for CA certificates in the certificate chain

2023-01-28 Thread Salz, Rich
Great, I will prepare the initial draft then. Are there any informal documents where WebPKI rules are captured? I would start by looking at the CA/Browser forum documents. ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Regulations for EKU validation for CA certificates in the certificate chain

2023-01-28 Thread Carl Wallace
From: Oleg Pekar Date: Saturday, January 28, 2023 at 10:03 AM To: Carl Wallace Cc: Ilari Liusvaara , Subject: Re: [TLS] Regulations for EKU validation for CA certificates in the certificate chain Great, I will prepare the initial draft then. Are there any informal documents where

Re: [TLS] Regulations for EKU validation for CA certificates in the certificate chain

2023-01-28 Thread Oleg Pekar
Great, I will prepare the initial draft then. Are there any informal documents where WebPKI rules are captured? >a new flag for the path validation algorithm that signifies WebPKI EKU processing is in effect Do you mean a flag that one party presents to the other party as an indication that it exp

Re: [TLS] Regulations for EKU validation for CA certificates in the certificate chain

2023-01-28 Thread Carl Wallace
On 1/28/23, 8:10 AM, "TLS on behalf of Ilari Liusvaara" mailto:tls-boun...@ietf.org> on behalf of ilariliusva...@welho.com > wrote: On Sat, Jan 28, 2023 at 11:57:46AM +0200, Oleg Pekar wrote: > Example: if the client sends a chain Root->CA1->CA2->End-Entity,

Re: [TLS] Regulations for EKU validation for CA certificates in the certificate chain

2023-01-28 Thread Ilari Liusvaara
On Sat, Jan 28, 2023 at 11:57:46AM +0200, Oleg Pekar wrote: > Dear TLS WG, > When TLS party receives other party's certificate chain, there is a rule > for validation of end-entity certificate EKU specified by the RFC 3280, > section "4.2.1.13 Extended Key Usage": > > "If the extension is present,

[TLS] Regulations for EKU validation for CA certificates in the certificate chain

2023-01-28 Thread Oleg Pekar
Dear TLS WG, When TLS party receives other party's certificate chain, there is a rule for validation of end-entity certificate EKU specified by the RFC 3280, section "4.2.1.13 Extended Key Usage": "If the extension is present, then the certificate MUST only be used for one of the purposes indic