On 4/30/14, 3:59 AM, Gervase Markham wrote:
On 30/04/14 00:24, Kathleen Wilson wrote:
On 4/29/14, 3:44 AM, Gervase Markham wrote:
Does the list on that wiki page need to include the Microsoft equivalent
of the SGC EKU? Or are we not mentioning that?
Yes, it's item #1 in the "Things for CAs to Fix" section.
Item #1 refers to Netscape SGC. I seem to remember there being something
similar but Microsoft-y, which is not mentioned. Am I mis-remembering?
Gerv
Oops. I overlooked the "Microsoft" in your question.
The presence of the Microsoft SGC EKU will not cause a failure. As far
as I can tell, Mozilla's code hasn't ever done anything with it, and
won't do anything with it.
On 4/30/14, 6:17 AM, Gervase Markham wrote:
On 30/04/14 12:39, Rob Stradling wrote:
Bugs 982292, 982932 and 982936 talk about requiring CAs to stop
including the Netscape Step-Up OID in _new Intermediate CA
Certificates_, yet somehow this has morphed into "all new certificate
issuance" on mozpkix-testing#Things_for_CAs_to_Fix.
https://bugzilla.mozilla.org/show_bug.cgi?id=982292#c1
"In this case, the problem is that the intermediate CA certificate has
an EKU, .. but it doesn't list the "TLS Web Server Authentication
(1.3.6.1.5.5.7.3.1)" EKU. Instead, the intermediate CA certificate lists
only:
Microsoft Server Gated Crypto (1.3.6.1.4.1.311.10.3.3)
Netscape Server Gated Crypto (2.16.840.1.113730.4.1)"
So, indeed, that bug was regarding intermediate certificates.
Is it necessary?
Probably not.
In the current NSS code, the end-entity cert already has to have the
serverAuth EKU to be recognized for SSL.
So I guess the main thing we want to clarify is regarding intermediate
certificates. In intermediate certificates, we will (for now) recognize
serverAuth or Netscape Server Gated Crypto, but our plan is to
eventually only recognize serverAuth.
Has any Mozilla software ever recognized the Microsoft SGC OID and done
anything with it?
As far as I can tell, Mozilla software did not ever pay attention to the
Microsoft SGC OID.
Support for the Netscape SGC OID (SEC_OID_NS_KEY_USAGE_GOVT_APPROVED)
was apparently added in bug #737802.
Do we need to _stop_ people using this OID, or is it sufficient to
merely start to require that people use the correct one (Server Auth)?
We want people to stop using the obsolete Netscape SGC OID.
So, how about if I just add the word "intermediate"?
It'll become:
--
1. Stop using the "Netscape Server Gated Crypto (2.16.840.1.113730.4.1)"
(SGC) EKU. For all new intermediate certificate issuance, use the "TLS
Web Server Authentication (1.3.6.1.5.5.7.3.1)" EKU instead of the SGC EKU.
--
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
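The EKU rule the thread settles on (intermediates: serverAuth, or Netscape SGC for now, with Microsoft SGC ignored; end-entity: serverAuth), as an added example in Python that is not part of the original thread and not Mozilla or NSS code. It decodes the DER value of an extendedKeyUsage extension (SEQUENCE OF OBJECT IDENTIFIER) with a minimal stdlib-only parser, then classifies the certificate for the TLS server-auth path. The sample EKU bytes are constructed inline from the three OIDs quoted in bug 982292#c1. One assumption not stated in the thread: a certificate with no EKU extension at all is treated as unconstrained, which is how the quoted bug comment frames the problem ("has an EKU, .. but it doesn't list" serverAuth).

```python
"""EKU classification for the Netscape/Microsoft SGC issue discussed above.

Added example, not Mozilla/NSS code. The DER helpers handle only what the
ExtKeyUsageSyntax ::= SEQUENCE OF OBJECT IDENTIFIER structure needs.
"""

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"        # id-kp-serverAuth
NETSCAPE_SGC = "2.16.840.1.113730.4.1"    # Netscape Server Gated Crypto (obsolete)
MICROSOFT_SGC = "1.3.6.1.4.1.311.10.3.3"  # Microsoft Server Gated Crypto (ignored)


def _base128(n):
    """Encode one OID sub-identifier in base-128 with continuation bits."""
    out = bytearray([n & 0x7F])
    n >>= 7
    while n:
        out.insert(0, 0x80 | (n & 0x7F))
        n >>= 7
    return bytes(out)


def _der_len(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        body += _base128(arc)
    return b"\x06" + _der_len(len(body)) + bytes(body)


def encode_eku(oids):
    """List of dotted OIDs -> DER ExtKeyUsageSyntax (SEQUENCE OF OID)."""
    content = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_len(len(content)) + content


def _read_tlv(data, pos):
    """Read one tag/length/value at pos; returns (tag, value, next_pos)."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(data):
        raise ValueError("truncated TLV value")
    return tag, data[pos:end], end


def decode_oid(content):
    """DER OID content octets -> dotted string."""
    arcs, value, pending = [], 0, False
    for b in content:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending or not arcs:
        raise ValueError("malformed OID")
    first = arcs[0]
    head = (0, first) if first < 40 else (1, first - 40) if first < 80 else (2, first - 80)
    return ".".join(str(a) for a in head + tuple(arcs[1:]))


def decode_eku(der):
    """DER ExtKeyUsageSyntax -> list of dotted OIDs (rejects non-OID members)."""
    tag, content, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU value must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        if tag != 0x06:
            raise ValueError("EKU members must be OBJECT IDENTIFIERs")
        oids.append(decode_oid(body))
    return oids


def check_eku(der_eku, is_ca, strict=False):
    """Classify a cert's EKU for the TLS server-auth path.

    Returns "ok", "legacy-sgc" (an intermediate accepted only because of the
    Netscape SGC grandfathering; rejected once strict=True) or "reject".
    der_eku=None means the extension is absent (assumed unconstrained here;
    the thread does not spell out that case).
    """
    if der_eku is None:
        return "ok"
    oids = decode_eku(der_eku)
    if SERVER_AUTH in oids:
        return "ok"
    if is_ca and not strict and NETSCAPE_SGC in oids:
        return "legacy-sgc"
    return "reject"  # Microsoft SGC alone never helps: Mozilla code ignores it


if __name__ == "__main__":
    # Constructed sample: the intermediate EKU quoted in bug 982292#c1.
    bug_eku = encode_eku([MICROSOFT_SGC, NETSCAPE_SGC])
    print(decode_eku(bug_eku))
    print("intermediate, today:  ", check_eku(bug_eku, is_ca=True))
    print("intermediate, strict: ", check_eku(bug_eku, is_ca=True, strict=True))
    print("end-entity:           ", check_eku(bug_eku, is_ca=False))
```

Run with `strict=True` to see which intermediates would break once only serverAuth is recognized; that is the set item #1 on the wiki page asks CAs to stop issuing.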