At 11:39 PM +0100 3/1/08, Jean-Marc Desperrier wrote:
>Nelson Bolyard a écrit :
>> Every root CA has EKU info associated with it, limiting the applications
>> for that CA.
>
> From their document :
>"We will attach EKU metadata to the certificate as metadata in the
>Windows certificate store so you do not need to regenerate your root
>certificate with the EKU extension."
>
>This is a good thing they also do it that way, because the mechanism of
>setting some EKU values on a CA certificate that are intended to serve
>as a constraint limiting the allowed EKU on the End Entity certificates
>under it is *not* PKIX/X.509 compliant. An EKU applies to *the* cert
>that contains it, and the meaning of setting a SSL client/SSL server EKU
>to a CA cert is unclear, at best (under a strict, to the letter reading,
>it should make that cert unusable).
>
>Whereas RFC3280 also says that it's OK when needed to use application
>specific data to further constrain path validation.
What the new version of RFC 3280 says is:
4.2.1.12 Extended Key Usage
This extension indicates one or more purposes for which the certified
public key may be used, in addition to or in place of the basic
purposes indicated in the key usage extension. In general, this
extension will appear only in end entity certificates.
The first sentence means that EKUs are for the keys in the cert, not
below the cert in a chain. The second sentence emphasizes that.
This is in opposition to the sentence from the new (and maybe old)
Microsoft root policy that says "EKUs in Windows are inherited from
the root certificate down to the end entity certificate. This ensures
certificates issued by any CA under this root can only be used for
the stated list of usages."
I have asked for clarification from a PKIX expert at Microsoft. I'm
hoping that this quoted sentence and others like it are not what they
mean.
--Paul Hoffman
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
