Hi, I'm seeing that the keyAgreement KU bit is not explicitly forbidden for ECDSA TLS certificates (e.g. in the CAB Forum Baseline Requirements or the Mozilla Root Store Policy), but why not, considering that this is an enabler for the KCI-based MitM attack described in https://kcitls.org?
Now, I'm seeing that there were already some discussions (e.g. https://archive.cabforum.org/pipermail/public/2016-February/023207.html) on forbidding it, but I'm not really sure of the motivations. Anyway, why didn't it get forbidden back then?

On the other hand, I'm not really sure if there are still some TLS implementations vulnerable to this attack (especially the ones that support fixed (EC)DH client authentication), but given that there might exist some outdated setups, isn't it an unnecessary risk to allow this KU bit for ECDSA certificates?

Finally, if the KU extension is not set at all in the certificate, this attack is still possible, so the fact that the BRs make the KU optional might be problematic.

To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/4b7eac35-6865-4500-8a6f-dae78e95ad02n%40mozilla.org.
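The two certificate properties the post raises (an ECDSA certificate asserting the keyAgreement bit, and a certificate with no keyUsage extension at all) are both mechanically checkable, so an operator can audit their own certificate inventory for them. The following Go program is an added example, not code from the post, the CAB Forum or Mozilla; it builds three self-signed ECDSA P-256 certificates as constructed test data, parses them with the standard library, and reports which of the two conditions each one exhibits. The function and constant names (`AuditKeyUsage`, `MakeTestCert`, `KUSignatureOnly`, and so on) are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// oidKeyUsage is id-ce-keyUsage (2.5.29.15), the X.509 keyUsage extension OID.
var oidKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 15}

// Finding names one keyUsage policy concern reported by AuditKeyUsage.
type Finding string

const (
	// An ECDSA certificate asserts keyAgreement, so the same key is also
	// advertised as usable for static (EC)DH, the condition the post describes.
	FindingKeyAgreementOnECDSA Finding = "ecdsa-cert-asserts-keyAgreement"
	// The certificate carries no keyUsage extension, leaving the key's
	// permitted uses unconstrained.
	FindingKeyUsageAbsent Finding = "keyUsage-extension-absent"
)

// Key usage profiles for the constructed test certificates (hypothetical names).
var (
	KUSignatureOnly      = x509.KeyUsageDigitalSignature
	KUSignatureAndAgree  = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyAgreement
	KUNoExtension        x509.KeyUsage = 0 // CreateCertificate omits keyUsage when 0
)

// hasKeyUsageExtension reports whether the certificate actually carries a
// keyUsage extension; cert.KeyUsage alone is 0 both when absent and when empty.
func hasKeyUsageExtension(cert *x509.Certificate) bool {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidKeyUsage) {
			return true
		}
	}
	return false
}

// AuditKeyUsage returns the keyUsage-related findings for a server certificate.
func AuditKeyUsage(cert *x509.Certificate) []Finding {
	if !hasKeyUsageExtension(cert) {
		return []Finding{FindingKeyUsageAbsent}
	}
	var findings []Finding
	if cert.PublicKeyAlgorithm == x509.ECDSA && cert.KeyUsage&x509.KeyUsageKeyAgreement != 0 {
		findings = append(findings, FindingKeyAgreementOnECDSA)
	}
	return findings
}

// MakeTestCert builds a self-signed ECDSA P-256 certificate (constructed test
// data only) with the given keyUsage bits and returns it re-parsed from DER.
func MakeTestCert(keyUsage x509.KeyUsage) (*x509.Certificate, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     keyUsage,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cases := []struct {
		name string
		ku   x509.KeyUsage
	}{
		{"digitalSignature only", KUSignatureOnly},
		{"digitalSignature + keyAgreement", KUSignatureAndAgree},
		{"no keyUsage extension", KUNoExtension},
	}
	for _, c := range cases {
		cert, err := MakeTestCert(c.ku)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-32s -> %v\n", c.name, AuditKeyUsage(cert))
	}
}
```

The absent-extension case is checked by walking `cert.Extensions` for the keyUsage OID rather than testing `cert.KeyUsage == 0`, because Go reports the zero value for both a missing extension and a present-but-empty one; only the first is the condition the post is worried about. Running the audit over real certificates is a matter of replacing `MakeTestCert` with `x509.ParseCertificate` on the DER of each certificate in inventory.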
