On Tue, Nov 8, 2016 at 11:58 PM, Gervase Markham <[email protected]> wrote:
> At the moment, Firefox recognises an EE cert as a server cert if it has
> an EKU extension with id-kp-serverAuth, or if it has no EKU at all.

The EKU extension indicates the limits of the key usage. A certificate without an EKU extension has no limits on its key usage. In particular, when no EKU is present, id-kp-serverAuth is allowed, as far as the CA is concerned. Many X.509 features are defined this way, where the default is "no limit"--pretty much all of them.

The advantage of omitting these extensions is that the resulting certificates are smaller. Smaller certificates are better. Therefore, Mozilla should encourage behaviors that result in smaller certificates, including in particular omitting the EKU extension and other extensions where the defaults "work."

The problem is that CAB Forum stuff is defined in terms of "intended for," which is different than "trusted for." So, for example, some CAs have argued that they issue certificates that say they are trusted for id-kp-serverAuth (because they have no EKU), but since they're not "intended for" id-kp-serverAuth, the baseline requirements don't apply to them.

The solution to this problem is to get rid of the idea of "intent" from the CA policy (including the baseline requirements, or in spite of the BRs if the BRs cannot be changed), so that all that matters is the RFC 5280 "trusted for" semantics.

> So, is it now possible to change Firefox to mandate the presence of
> id-kp-serverAuth for EE server certs from Mozilla-trusted roots? Or is
> there some reason I've missed we can't do that?

I'd like to point out that I've given the above explanation to you multiple times.

> The advantage of doing this is that it makes it much easier to scope our
> root program to avoid capturing certs it's not meant to capture.

This is not true. Since no EKU extension implies id-kp-serverAuth, certs without an EKU extension or with an EKU extension containing id-kp-serverAuth or anyExtendedKeyUsage (even though Firefox doesn't support that) should be within the scope of the program. You simply need to define the scope of the program in terms of the **technical** semantics.

Cheers,
Brian

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
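An added example, not code from the thread or from Mozilla, that applies the RFC 5280 "trusted for" reading Brian describes: it decodes the DER extnValue of an EKU extension and decides whether a certificate falls within a server-auth program's scope (no EKU means no limit, so in scope; otherwise the EKU must list id-kp-serverAuth or anyExtendedKeyUsage). The sample extnValues are constructed, not taken from any real certificate.

```python
# Minimal DER decoding for ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId.
# Added illustration; not from the mailing-list thread or any real program policy.
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Turn a DER OBJECT IDENTIFIER payload (base-128 arcs) into dotted form."""
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = arcs[0]  # first byte packs the first two arcs as 40*X + Y
    x = 2 if first >= 80 else first // 40
    return ".".join(str(a) for a in [x, first - 40 * x] + arcs[1:])


def decode_eku(extn_value):
    """Parse an EKU extnValue into a list of KeyPurposeId OID strings."""
    tag, seq, _ = _read_tlv(extn_value, 0)
    if tag != 0x30:
        raise ValueError("EKU extnValue must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(val))
    return oids


def in_server_auth_scope(eku_extn_value):
    """RFC 5280 'trusted for' semantics: absent EKU means no restriction."""
    if eku_extn_value is None:
        return True
    oids = decode_eku(eku_extn_value)
    return ID_KP_SERVER_AUTH in oids or ANY_EXTENDED_KEY_USAGE in oids


# Constructed sample extnValues (hand-encoded DER, not from real certificates).
EKU_SERVER_AUTH = bytes.fromhex("300a06082b06010505070301")
EKU_CLIENT_AUTH_ONLY = bytes.fromhex("300a06082b06010505070302")
EKU_CLIENT_AND_SERVER = bytes.fromhex("301406082b0601050507030106082b06010505070302")
EKU_ANY = bytes.fromhex("30060604551d2500")
```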

