EKUs in Intermediate CAs
181 views
Skip to first unread message
Ben Wilson
Nov 4, 2021, 10:36:27 AM11/4/21
to dev-secur...@mozilla.org
All,
Here is a CCADB report of EKUs in Intermediate CA certificates (a total of 2,962). Each CA certificate is counted only once in the table below. I haven't done any further analysis of these certificates. It is apparent that we need to clean up some of these intermediate CAs by removing trust from some of these CAs, or at least revoking and replacing CA certificates to remove EKUs that conflict with other EKUs. I thought we might have a discussion of this separate from or in addition to our review of GitHub MRSP Policy Issue #228 (Clarify techincally-constrained sub-CA EKUS).
Ben
| Extended Key Usage | |
| Server Authentication | |
| No EKU | 1025 |
| serverAuth | 19 |
| serverAuth,clientAuth | 1058 |
| serverAuth,clientAuth,OCSPSigning | 13 |
| serverAuth,emailProtection | 3 |
| serverAuth,clientAuth,emailProtection | 6 |
| serverAuth,clientAuth,codeSigning | 1 |
| serverAuth,clientAuth,codeSigning,emailProtection,timeStamping | 5 |
| serverAuth,clientAuth,codeSigning,NetscapeSGC | 1 |
| serverAuth,clientAuth,IntelAMTProvisioning | 1 |
| serverAuth,clientAuth,IPSECEndSystem,IPSECTunnel,IPSECUser | 1 |
| serverAuth,clientAuth,IPSECEndSystem,IPSECTunnel,IPSECUser,OCSPSigning,enrollmentAgent | 1 |
| serverAuth,clientAuth,NetscapeSGC,VerisignSGC | 2 |
| NetscapeSGC,VerisignSGC | 1 |
| NetscapeSGC | 1 |
| NetscapeSGC,serverAuth,clientAuth | 4 |
| clientAuth,serverAuth,MicrosoftSGC,NetscapeSGC | 8 |
| ServerAuth Total | 2150 |
| ClientAuth | |
| clientAuth | 48 |
| ClientAuth Total | 48 |
| S/MIME | |
| emailProtection, clientAuth | 319 |
| emailProtection | 18 |
| clientAuth,emailProtection,AuthenticDocumentsTrust | 3 |
| clientAuth,emailProtection,BitLocker,MS-docSigning,EFSRecovery,EFS,Smartcardlogon | 1 |
| clientAuth,emailProtection,caExchange,keyRecoveryAgent | 9 |
| clientAuth,emailProtection,digitalPersona | 1 |
| clientAuth,emailProtection,EFS | 4 |
| clientAuth,emailProtection,EFS,MS-docSigning | 1 |
| clientAuth,emailProtection,EFS,MS-docSigning,Smartcardlogon,PIV-cardAuth,pivi-content-signing | 1 |
| clientAuth,emailProtection,EFS,Smartcardlogon | 2 |
| clientAuth,emailProtection,EFS,Smartcardlogon,MS-docSigning,AuthenticDocumentsTrust | 5 |
| clientAuth,emailProtection,EFSRecovery,EFS,Smartcardlogon | 2 |
| clientAuth,emailProtection,IPSECUser,EFS,EFSRecovery,MSkeyRecovery,enrollmentAgent,Smartcardlogon,PASSIM | 1 |
| clientAuth,emailProtection,IPSECUser,Smartcardlogon,EFS,keyRecoveryAgent,MS-docSigning,ipsecIKE | 1 |
| clientAuth,emailProtection,MS-docSigning | 41 |
| clientAuth,emailProtection,MS-docSigning,AuthenticDocumentsTrust,Smartcardlogon | 1 |
| clientAuth,emailProtection,MS-docSigning,EFS | 3 |
| clientAuth,emailProtection,MS-docSigning,EFS,Smartcardlogon | 1 |
| clientAuth,emailProtection,MS-docSigning,Entrust-docSigning | 1 |
| clientAuth,emailProtection,Smartcardlogon | 4 |
| clientAuth,emailProtection,Smartcardlogon,EFS,EFSRecovery,BitLocker | 1 |
| emailProtection,BitLocker,EFSRecovery,EFS | 1 |
| emailProtection,caExchange | 1 |
| emailProtection,caExchange,keyRecoveryAgent | 10 |
| emailProtection,clientAuth,EntrustEvent,EntrustUnknown,Smartcardlogon | 1 |
| emailProtection,clientAuth,IPSECUser,EFS,EFSRecovery,MSkeyRecovery,enrollmentAgent,Smartcardlogon,PASSIM | 1 |
| emailProtection,clientAuth,Smartcardlogon,EFS,EFSRecovery,BitLocker | 1 |
| emailProtection,clientAuth,Smartcardlogon,MS-docSigning | 1 |
| emailProtection,MS-docSigning | 3 |
| emailProtection,MS-docSigning,AuthenticDocumentsTrust | 6 |
| S/MIME Total | 445 |
| Code Signing | |
| codeSigning | 163 |
| codeSigning,kernelModeCS | 2 |
| codeSigning,msCodeCom | 1 |
| codeSigning,OCSPSigning | 6 |
| codeSigning,Symantec-EKUs | 1 |
| codeSigning,timeStamping | 5 |
| clientAuth,codeSigning | 7 |
| clientAuth,codeSigning,emailProtection,timeStamping,MS-docSigning,AuthenticDocumentsTrust | 1 |
| Code Signing Total | 186 |
| Document Signing (not including S/MIME CAs) | |
| MS-docSigning | 1 |
| MS-docSigning,AuthenticDocumentsTrust | 17 |
| AuthenticDocumentsTrust | 10 |
| AuthenticDocumentsTrust,MS-docSigning | 3 |
| clientAuth,AuthenticDocumentsTrust | 2 |
| clientAuth,AuthenticDocumentsTrust,MS-docSigning | 3 |
| clientAuth,Smartcardlogon,AuthenticDocumentsTrust | 2 |
| Document Signing Total | 38 |
| CAs with OCSP Signing EKU (not including serverAuth CAs) | |
| OCSPSigning,clientAuth,emailProtection | 6 |
| emailProtection,clientAuth,OCSPSigning,IPSECUser,EFS,EFSRecovery,MSkeyRecovery,enrollmentAgent,PASSIM | 1 |
| clientAuth,emailProtection,OCSPSigning,eapOverLAN,EFS,EFSRecovery,MSkeyRecovery,enrollmentAgent,PASSIM | 1 |
| clientAuth,emailProtection,OCSPSigning,EFS,EFSRecovery,MSkeyRecovery,enrollmentAgent,Smartcardlogon,PASSIM | 2 |
| clientAuth,emailProtection,OCSPSigning,MS-docSigning | 3 |
| clientAuth,emailProtection,OCSPSigning,MS-docSigning,EFS | 14 |
| timeStamping,OCSPSigning | 4 |
| timeStamping,OCSPSigning,AuthenticDocumentsTrust | 1 |
| OCSP Signing Total | 32 |
| Time Stamping (not including CAs with codesigning or OCSP Signing EKUs) | |
| timeStamping | 56 |
| timeStamping,AuthenticDocumentsTrust | 2 |
| clientAuth,timeStamping | 1 |
| clientAuth,emailProtection,timeStamping | 2 |
| clientAuth,emailProtection,timeStamping,AuthenticDocumentsTrust,MS-docSigning | 1 |
| Time Stamping Total | 62 |
| Miscellaneous | |
| BrandIndicatorforMessageID | 1 |
| Miscellaneous Total | 1 |
| Grand Total | 2962 |
Ben Wilson
Nov 4, 2021, 3:44:57 PM11/4/21
to dev-secur...@mozilla.org
Here is another CCADB report (Derived Trust Bits from Microsoft and Mozilla). While it additionally contains expired certificates (this is a list of 4,731 CA certificates), I think we can review it and again make a similar conclusion that we can try and reduce the number of conflicting/inconsistent EKUs trusted for these intermediate CAs.
| Derived Trust Bits | Total |
| Server Authentication | |
| No EKU | 596 |
| serverAuth | 38 |
| serverAuth;clientAuth | 1106 |
| serverAuth;clientAuth;codeSigning | 5 |
| clientAuth;emailProtection;OCSP Signing;serverAuth;docSign | 1 |
| serverAuth;clientAuth;emailProtection | 763 |
| serverAuth;clientAuth;codeSigning;docSign;EFS;emailProtection;timeStamping | 19 |
| serverAuth;clientAuth;codeSigning;docSign;IPSEC-IKE-interm;emailProtection;timeStamping | 8 |
| serverAuth;clientAuth;codeSigning;docSign;emailProtection;timeStamping | 63 |
| serverAuth;clientAuth;codeSigning;EFS;IPSEC-IKE-interm;IPSEC-tunnel-term;IPSEC-user;emailProtection;timeStamping | 25 |
| serverAuth;clientAuth;codeSigning;EFS;IPSEC-IKE-interm;IPSEC-tunnel-term;IPSEC-user;emailProtection;timeStamping;docSign | 1 |
| serverAuth;clientAuth;codeSigning;EFS;IPSEC-tunnel-term;IPSEC-user;emailProtection;timeStamping | 153 |
| serverAuth;clientAuth;codeSigning;EFS;IPSEC-tunnel-term;IPSEC-user;emailProtection;timeStamping;docSign | 8 |
| serverAuth;clientAuth;codeSigning;IPSEC-IKE-interm;IPSEC-tunnel-term;IPSEC-user;emailProtection;timeStamping | 11 |
| serverAuth;clientAuth;codeSigning;IPSEC-IKE-interm;emailProtection;timeStamping | 3 |
| serverAuth;clientAuth;codeSigning;IPSEC-tunnel-term;IPSEC-user;emailProtection;timeStamping | 104 |
| serverAuth;clientAuth;codeSigning;IPSEC-tunnel-term;IPSEC-user;emailProtection;timeStamping;EFS | 9 |
| serverAuth;clientAuth;codeSigning;OCSP Signing;emailProtection;timeStamping | 21 |
| serverAuth;clientAuth;codeSigning;emailProtection | 23 |
| serverAuth;clientAuth;codeSigning;emailProtection;EFS;IPSEC-tunnel-term;IPSEC-user;timeStamping | 4 |
| serverAuth;clientAuth;codeSigning;emailProtection;timeStamping | 217 |
| serverAuth;clientAuth;docSign | 2 |
| serverAuth;clientAuth;docSign;EFS;emailProtection;timeStamping | 7 |
| serverAuth;clientAuth;docSign;EFS;timeStamping | 1 |
| serverAuth;clientAuth;docSign;emailProtection | 23 |
| serverAuth;clientAuth;docSign;emailProtection;timeStamping | 30 |
| serverAuth;clientAuth;docSign;emailProtection;timeStamping;IPSEC-IKE-interm | 1 |
| serverAuth;clientAuth;EFS;IPSEC-IKE-interm;IPSEC-tunnel-term;IPSEC-user;emailProtection;timeStamping | 1 |
| serverAuth;clientAuth;EFS;IPSEC-tunnel-term;IPSEC-user;emailProtection;timeStamping | 43 |
| serverAuth;clientAuth;EFS;emailProtection;timeStamping | 2 |
| serverAuth;clientAuth;IPSEC-end-system;IPSEC-tunnel-term;IPSEC-user | 1 |
| serverAuth;clientAuth;IPSEC-end-system;IPSEC-tunnel-term;IPSEC-user;OCSP Signing | 1 |
| serverAuth;clientAuth;IPSEC-IKE-interm;IPSEC-tunnel-term;IPSEC-user;emailProtection | 4 |
| serverAuth;clientAuth;IPSEC-IKE-interm;IPSEC-tunnel-term;IPSEC-user;emailProtection;timeStamping | 2 |
| serverAuth;clientAuth;IPSEC-IKE-interm;emailProtection;timeStamping | 5 |
| serverAuth;clientAuth;IPSEC-IKE-interm;emailProtection;timeStamping;docSign | 2 |
| serverAuth;clientAuth;OCSP Signing | 10 |
| serverAuth;clientAuth;emailProtection;codeSigning;timeStamping | 1 |
| serverAuth;clientAuth;emailProtection;timeStamping | 68 |
| serverAuth;clientAuth;emailProtection;timeStamping;docSign | 2 |
| serverAuth;emailProtection | 19 |
| serverAuth Total | 3403 |
| clientAuth | 128 |
| clientAuth Total | 128 |
| S/MIME | |
| emailProtection | 34 |
| clientAuth;emailProtection | 580 |
| emailProtection;clientAuth;docSign | 65 |
| emailProtection;clientAuth;EFS | 5 |
| emailProtection;clientAuth;IPSEC-user;EFS | 1 |
| emailProtection;docSign | 9 |
| clientAuth;emailProtection;docSign;EFS | 8 |
| clientAuth;emailProtection;IPSEC-user;EFS | 1 |
| clientAuth;emailProtection;IPSEC-user;EFS;docSign | 1 |
| clientAuth;docSign;IPSEC-tunnel-term;IPSEC-user;emailProtection | 4 |
| clientAuth;emailProtection;timeStamping | 30 |
| clientAuth;emailProtection;timeStamping;docSign | 1 |
| S/MIME Total | 739 |
| Code Signing (not including serverAuth CAs) | |
| codeSigning | 176 |
| codeSigning;clientAuth | 15 |
| codeSigning;OCSP Signing | 6 |
| codeSigning;emailProtection;timeStamping;docSign | 2 |
| codeSigning;serverAuth;clientAuth;emailProtection;timeStamping | 1 |
| codeSigning;timeStamping | 5 |
| clientAuth;codeSigning;emailProtection | 91 |
| clientAuth;codeSigning;emailProtection;timeStamping | 45 |
| clientAuth;codeSigning;emailProtection;timeStamping;docSign | 1 |
| clientAuth;codeSigning;emailProtection;timeStamping;serverAuth;EFS;IPSEC-tunnel-term;IPSEC-user | 2 |
| Code Signing Total | 344 |
| Document Signing | |
| docSign | 21 |
| clientAuth;docSign | 3 |
| Document Signing Total | 24 |
| OCSP Signing | |
| OCSP Signing;clientAuth;emailProtection | 6 |
| timeStamping;OCSP Signing | 5 |
| clientAuth;emailProtection;OCSP Signing;docSign | 3 |
| OCSP Signing Total | 14 |
| Time Stamping | |
| timeStamping | 59 |
| clientAuth;timeStamping | 1 |
| clientAuth;docSign;emailProtection;timeStamping | 3 |
| clientAuth;EFS;IPSEC-IKE-interm;IPSEC-tunnel-term;IPSEC-user;emailProtection;timeStamping;IPSEC-end-system | 1 |
| clientAuth;EFS;IPSEC-tunnel-term;IPSEC-user;emailProtection;timeStamping | 15 |
| Time Stamping Total | 79 |
| Total | 4731 |
Ben Wilson
Nov 10, 2021, 4:22:02 PM11/10/21
to dev-secur...@mozilla.org
All,
I haven't done a deep-dive into these lists to determine which CAs may have expired/been revoked, or to analyze whether these might have
sets of inconsistent EKUs, or whether they pre-date newer EKU requirements. However, there appear to be several CAs with the OCSP-signing EKU/trust bit. Shouldn't those CAs with that EKU/trust bit have the no-check extension?
Again, I haven't checked. And isn't that EKU supposed to be used mainly with delegated OCSP responders and not with CAs? I recall that some of these issues were discussed last year. See https://groups.google.com/g/mozilla.dev.security.policy/c/EzjIkNGfVEE/m/XSfw4tZPBwAJ.
Thanks,
Ben
Reply all
Reply to author
Forward
0 new messages