On Mon, Mar 08, 2021 at 01:19:46PM +0000, Neil Madden wrote: > > > > On 8 Mar 2021, at 12:50, Neil Madden <[email protected]> wrote: > > > > An interesting question was raised by our developers around the > > interpretation of JWK “use” and “key_ops” constraints when publishing a > > self-signed certificate for mTLS client authentication. In X.509 the > > KeyUsage extension distinguishes between keys intended for use for > > verifying general signatures (digitalSignature) and those used for > > verifying signatures on certificates (keyCertSign). The JWK spec doesn’t > > make this distinction, so there is only the generic “use”:”sig” and > > “key_ops”: [“verify”] indicators. So, is “use”:”sig” (or > > “key_ops”:[“verify”]) compatible with publishing an X.509 certificate (x5c > > claim) that asserts KeyUsage keyCertSign? > > > > It seems plausible that an application might also choose to consume CA > > certificates from a central certificate management service that publishes > > them in JWK format on an internal HTTPS endpoint. So this question is > > potentially broader than just self-signed certs, although that is the only > > case discussed in RFC 8705. > > > > In the course of trying to answer this question, I came across > > https://github.com/openssl/openssl/issues/1418 > > <https://github.com/openssl/openssl/issues/1418> which has links to various > > relevant RFCs in the discussion. The conclusion appears to be that when > > processing self-signed certificates the KeyUsage check should be skipped. > > The reasoning appears to be that we don’t want self-signed certs to assert > > the keyCertSign bit, because this increases the risk of them being mistaken > > for genuine CA certs. In fact, the language from RFC 5280 suggests this > > check should be skipped for any trust anchor, whether self-signed or not. > > I have this part backwards - RFC 5280 path validation skips the KeyUsage > check for the end-entity certificate, not the trust anchor cert. This makes > more sense. The rest of my comments/questions still apply though.
You do still want to use keyUsage/extendedKeyUsage checks for the end-entity certificate; it's just that that's part of the application's verification logic rather than path validation. (E.g., draft-ietf-dtn-tcpclv4-26 provides for a id-kp-bundleSecurity EKU that gives more authorization than just id-kp-serverAuth.) My understanding is that JWK was attempting to be much simpler and lighter weight than PKIX and thus didn't really envision JWKs signing X.509 objects at all (if I am understanding the questions properly). Generally, if you are trusting a self-signed certificate, the act of trusting it would also cover whatever purpose you plan to put it towards, so any asserted authorizations such as key usage values in the self-signed certificate object itself are superfluous, so We could also pull in the PKIX experts for another opinion, if you want. Typically we reach out to the LAMPS WG for that (spasm@) at this point. -Ben _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
