On 14/5/2024 5:58 μ.μ., Aaron Gable wrote:
On Tue, May 14, 2024, 02:33 Dimitris Zacharopoulos (HARICA) via
Servercert-wg <[email protected]> wrote:
Is it ok for such an Issuing CA to create a single-purpose client
authentication TLS Certificate, one that is structured according
to RFC 5280 (thus can be successfully parsed by Relying Party RFC
5280-conformant software), contains an extKeyUsage extension which
contains the /id-kp-clientAuth/ and DOES NOT include the
/id-kp-serverAuth/ KeyPurposeId?
Speaking in a personal capacity, it is my opinion that no, such
issuance is not acceptable.
I agree that the resulting end-entity client-auth-only certificate is
out of scope of the BRs, and is not in and of itself misissued.
However, the issuing intermediate itself is still in scope of the BRs,
and its behavior can be contained by them. By virtue of issuing the
clientAuth cert, the issuing intermediate has violated the BRs
requirement that "all certificates that it issues MUST comply with one
of the following certificate profiles".
One could even argue that, having issued a certificate which does not
comply with a BR profile, the issuing intermediate must be revoked
within 7 days, per BRs Section 4.9.1.2 (5): "The Issuing CA SHALL
revoke a Subordinate CA Certificate [if...] the Issuing CA is made
aware that the... Subordinate CA has not complied with this document".
Aaron
Thanks Aaron, I tried to first establish the /intent/ of the group
before digging in the actual BRs. If we agree that the intent was to
place rules only for Server TLS leaf Certificates but not for Client TLS
Certificates, then we need to acknowledge that, and work within the
document to fix any conflicts.
Dimitris.
_______________________________________________
Servercert-wg mailing list
[email protected]
https://lists.cabforum.org/mailman/listinfo/servercert-wg
