On 06/07/2020 06:11, Dimitris Zacharopoulos via dev-security-policy wrote:
IETF made an attempt to set an extention for EKU constraints
where Rob Stradling made an indirect reference in
(Rob, please correct me if I'm wrong).

There was a follow-up discussion in IETF that resulted that noone should
deal with this issue
A day later, all attempts died off because noone would actually
implement this(?)
If this extension was standardized, we would probably not be having this
issue right now. However, this entire topic demonstrates the necessity
to standardize the EKU existence in CA Certificates as constraints for
EKUs of leaf certificates.

If only we could edit RFC2459 so that it (1) defined an "EKU constraints" extension and (2) said that the EKU extension MUST NOT appear in CA certificates...

Unfortunately, we're more than 20 years too late to do that. And whilst it completely sucks that real-world use of the EKU extension comes with some nasty footguns, I just don't see how you'd ever persuade the WebPKI ecosystem to adopt a new "EKU Constraints" extension at this point in history.

Rob Stradling
Senior Research & Development Scientist
Sectigo Limited

dev-security-policy mailing list

Reply via email to