Hi, I'm seeing that the keyAgreement KU bit is not explicitly forbidden for ECDSA TLS certificates (e.g. in the CAB Forum Baseline Requirements or the Mozilla Root Store Policy), but why not, considering that this is an enabler for the KCI-based MitM attack described in
https://kcitls.org?
On the other hand, I'm not really sure if there are still some TLS implementations vulnerable to this attack (especially the ones that support fixed (EC)DH client authentication), but given that there might exist some outdated setups, isn't it an unnecessary risk to allow this KU bit for ECDSA certificates?
Finally, if the KU extension is not set at all in the certificate, this attack is still possible, so the fact that the BRs make the KU optional might be problematic.
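An added example (not part of the original post), using only Go's standard library, that classifies an ECDSA certificate by its Key Usage extension exactly along the lines the post draws: an absent KU extension or a set keyAgreement bit leaves the key usable for fixed ECDH, while a signature-only KU does not. The self-signed certificates it generates are constructed solely to exercise the check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// KCIFinding describes whether a certificate's Key Usage would let its key be
// used for fixed ECDH, the certificate-side precondition of the KCI attack.
type KCIFinding string

const (
	KCINotApplicable   KCIFinding = "not an ECDSA certificate"
	KCIKeyUsageAbsent  KCIFinding = "key usage absent: keyAgreement not excluded"
	KCIKeyAgreementSet KCIFinding = "keyAgreement set: fixed ECDH use permitted"
	KCIRestricted      KCIFinding = "keyAgreement absent: signature-only key"
)

// AssessKCI inspects a parsed certificate. Go leaves KeyUsage at zero when the
// extension is missing, which is the "KU not set at all" case from the post.
func AssessKCI(cert *x509.Certificate) KCIFinding {
	if cert.PublicKeyAlgorithm != x509.ECDSA {
		return KCINotApplicable
	}
	if cert.KeyUsage == 0 {
		return KCIKeyUsageAbsent
	}
	if cert.KeyUsage&x509.KeyUsageKeyAgreement != 0 {
		return KCIKeyAgreementSet
	}
	return KCIRestricted
}

// selfSigned builds a constructed, hypothetical self-signed ECDSA certificate
// carrying the requested Key Usage bits (zero omits the extension entirely).
func selfSigned(ku x509.KeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"}, // constructed name
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     ku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, ku := range []x509.KeyUsage{0, x509.KeyUsageDigitalSignature, x509.KeyUsageDigitalSignature | x509.KeyUsageKeyAgreement} {
		cert, err := selfSigned(ku)
		if err != nil {
			panic(err)
		}
		fmt.Println(AssessKCI(cert))
	}
}
```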