Policy 2.8: MRSP Issue #228: Clarify technically-constrained sub-CA EKUs
Ben Wilson
MUST contain an EKU extension; and,
MUST NOT include the anyExtendedKeyUsage KeyPurposeId; and,
MUST NOT include both the id-kp-serverAuth and id-kp-emailProtection KeyPurposeIds in the same certificate.”
Also, in MRSP section 5.3.1, we should cross-reference section 7.1.2.2.g. of the Baseline Requirements, which says:
For Subordinate CA Certificates that will be used to issue TLS certificates, the value id-kp-serverAuth [RFC5280] MUST be present. The value id-kp-clientAuth [RFC5280] MAY be present. The values id-kp-emailProtection [RFC5280], id-kp-codeSigning [RFC5280], id-kp-timeStamping [RFC5280], and anyExtendedKeyUsage [RFC5280] MUST NOT be present. Other values SHOULD NOT be present.
For Subordinate CA Certificates that are not used to issue TLS certificates, then the value id-kp-serverAuth [RFC5280] MUST NOT be present. Other values MAY be present, but SHOULD NOT combine multiple independent key purposes (e.g. including id-kp-timeStamping [RFC5280] with id-kp-codeSigning [RFC5280]).
Finally, for your additional reference and consideration, the remainder of MRSP section 5.3.1 currently says,
If the certificate includes the id-kp-serverAuth extended key usage, then to be considered technically constrained, the certificate MUST be Name Constrained as described in section 7.1.5 of version 1.3 or later of the Baseline Requirements. The conformance requirements defined in section 2.3 of this policy also apply to technically constrained intermediate certificates.
If the certificate includes the id-kp-emailProtection extended key usage, then to be considered technically constrained, it MUST include the Name Constraints X.509v3 extension with constraints on rfc822Name, with at least one name in permittedSubtrees, each such name having its ownership validated according to section 3.2.2.4 of the Baseline Requirements.
Thoughts?
Thanks,
Ben
Ryan Sleevi
I am proposing that we replace the sentence above with, "A technically constrained intermediate CA certificate uses a specific Extended Key Usage (EKU) [hyperlink to RFC 5280] to limit the scope of certificates that the CA may issue." I'm open to suggestions on alternative wording.I am also thinking that we can delete the subsequent sentence that reads, "The anyExtendedKeyUsage KeyPurposeId MUST NOT appear within this extension" because MRSP section 5.3 already says this.
Also, in MRSP section 5.3.1, we should cross-reference section 7.1.2.2.g. of the Baseline Requirements, which says:
For Subordinate CA Certificates that will be used to issue TLS certificates, the value id-kp-serverAuth [RFC5280] MUST be present. The value id-kp-clientAuth [RFC5280] MAY be present. The values id-kp-emailProtection [RFC5280], id-kp-codeSigning [RFC5280], id-kp-timeStamping [RFC5280], and anyExtendedKeyUsage [RFC5280] MUST NOT be present. Other values SHOULD NOT be present.
For Subordinate CA Certificates that are not used to issue TLS certificates, then the value id-kp-serverAuth [RFC5280] MUST NOT be present. Other values MAY be present, but SHOULD NOT combine multiple independent key purposes (e.g. including id-kp-timeStamping [RFC5280] with id-kp-codeSigning [RFC5280]).
Ben Wilson
On Tue, Oct 19, 2021 at 6:33 PM Ben Wilson <bwi...@mozilla.com> wrote:I am proposing that we replace the sentence above with, "A technically constrained intermediate CA certificate uses a specific Extended Key Usage (EKU) [hyperlink to RFC 5280] to limit the scope of certificates that the CA may issue." I'm open to suggestions on alternative wording.I am also thinking that we can delete the subsequent sentence that reads, "The anyExtendedKeyUsage KeyPurposeId MUST NOT appear within this extension" because MRSP section 5.3 already says this.I don't think you want to delete this sentence. Section 5.3 permits anyEKU for cross-certificates operated by a different entity, and thus it seems quite likely that some CA would mistakenly believe that anyEKU represents a "specific EKU", and thus argue that the cross-certificate is technically constrained, and thus doesn't need audits, because it as _an_ EKU.This may seem a tortured reading, but recall that CAs have misunderstand a critical extension for the (previous) definition of Test Certificate [1][2], and we continue to see CAs fail to properly encode DER [3] (a requirement since V1 of Mozilla Policy [4]), so it seems it's necessary to be unambiguously explicit where a CA may misunderstand a requirement.
Also, in MRSP section 5.3.1, we should cross-reference section 7.1.2.2.g. of the Baseline Requirements, which says:
For Subordinate CA Certificates that will be used to issue TLS certificates, the value id-kp-serverAuth [RFC5280] MUST be present. The value id-kp-clientAuth [RFC5280] MAY be present. The values id-kp-emailProtection [RFC5280], id-kp-codeSigning [RFC5280], id-kp-timeStamping [RFC5280], and anyExtendedKeyUsage [RFC5280] MUST NOT be present. Other values SHOULD NOT be present.
For Subordinate CA Certificates that are not used to issue TLS certificates, then the value id-kp-serverAuth [RFC5280] MUST NOT be present. Other values MAY be present, but SHOULD NOT combine multiple independent key purposes (e.g. including id-kp-timeStamping [RFC5280] with id-kp-codeSigning [RFC5280]).
It would appear your proposal is to be explicitly stronger than the BRs requirement: the MAY/SHOULD NOT regarding multiple EKUs become a MUST NOT. This is definitely a good change that will improve security, but by cross-referencing the BRs here, it would arguably make that ambiguous, as it would suggest multiple constrained EKUs are permissible.Is the intent to allow multiple EKUs (for non-TLS) or not? If not, then it seems important to avoid introducing ambiguity by referencing the BRs, unless it's to highlight Mozilla Policy is intentionally (and for good reason) more restrictive.
Ben Wilson
Ryan Sleevi
Since the plural is used in that sentence (all extended key usages), this sounds like – in the case of a Technically Constrained CA – it is allowed for the EKU to contain more than one key usage, otherwise the use of the plural seems weird. We see that this interpretation conflicts with the provisions of the BR (from v1.7.1), however we believe that the current wording of the MRSP 5.3.1 may have been a source of confusion, contributing to the occurrence of the problem.
It seems that it would be useful to clarify the language, in both the BRs and Mozilla Policy, to consistently discourage multiple usages within technically constrained sub-CAs.
Ben Wilson
Corey Bonnell
> I'm accepting your suggestion and phrasing it, "CAs SHOULD NOT include more than a single KeyPurposeID in the EKU extension."
This is quite a bit more onerous than the current BRs, which explicitly allow for id-kp-clientAuth to be included alongside id-kp-serverAuth. Is the deprecation of id-kp-clientAuth KP in serverAuth TLS certificates intentional?
Thanks,
Corey
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaa4J_N_hp9yDye9ows9M09qu_JeErQivykVOrvEhSGQDw%40mail.gmail.com.
Ryan Sleevi
> I'm accepting your suggestion and phrasing it, "CAs SHOULD NOT include more than a single KeyPurposeID in the EKU extension."
This is quite a bit more onerous than the current BRs, which explicitly allow for id-kp-clientAuth to be included alongside id-kp-serverAuth. Is the deprecation of id-kp-clientAuth KP in serverAuth TLS certificates intentional?
there may exist valid reasons in particular circumstances when the
particular behavior is acceptable or even useful, but the full
implications should be understood and the case carefully weighed
Ben Wilson
Corey Bonnell
> I'm not sure I follow? A SHOULD NOT is not any more onerous, as it's not a prohibition.
BR 7.1.2.2 (g) currently reads:
“For Subordinate CA Certificates that will be used to issue TLS certificates, the value id-kp-serverAuth [RFC5280] MUST be present. The value id-kp-clientAuth [RFC5280] MAY be present”.
The current proposed Mozilla Policy text essentially changes the MAY to a SHOULD NOT. While not a concrete prohibition, it is certainly more onerous/strict than the BRs. As you know and from the RFC 2119 text you quoted, “SHOULD NOTs” are indicative of some practice that Root Programs generally frown upon, which is why I brought this up.
Thanks,
Corey
From: dev-secur...@mozilla.org <dev-secur...@mozilla.org> On Behalf Of Ryan Sleevi
Sent: Monday, November 1, 2021 3:38 PM
To: Corey Bonnell <Corey....@digicert.com>
Cc: Ben Wilson <bwi...@mozilla.com>; Ryan Sleevi <ry...@sleevi.com>; dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Subject: Re: Policy 2.8: MRSP Issue #228: Clarify technically-constrained sub-CA EKUs
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAErg%3DHG_uZACuiDQNM9ubqctOv5er9h3Y3nQQy7CaoanTwBF1Q%40mail.gmail.com.
Ryan Sleevi
> I'm not sure I follow? A SHOULD NOT is not any more onerous, as it's not a prohibition.
BR 7.1.2.2 (g) currently reads:
“For Subordinate CA Certificates that will be used to issue TLS certificates, the value id-kp-serverAuth [RFC5280] MUST be present. The value id-kp-clientAuth [RFC5280] MAY be present”.
The current proposed Mozilla Policy text essentially changes the MAY to a SHOULD NOT. While not a concrete prohibition, it is certainly more onerous/strict than the BRs. As you know and from the RFC 2119 text you quoted, “SHOULD NOTs” are indicative of some practice that Root Programs generally frown upon, which is why I brought this up.
Ben Wilson
Ben Wilson
Ben Wilson
Dimitris Zacharopoulos
I am having trouble understanding the following phrase under 4.
"that are not inconsistent with id-kp-emailProtection"
and I'm not sure if it is because of a double negative or something else missing. Ben, or anyone, can you please share some examples of "consistent" and "inconsistent" EKUs with id-kp-emailProtection to make this requirement a bit more clear?
1. and 3. are already covered in 4. You use "encourage" to recommend something. I suggest we avoid using RFC 2119 specific terms like "SHOULD NOT" if it is just to "encourage" a practice.
In order to have some symmetry between the email and server certificates, I made an attempt to consolidate the information. Here is a proposed change:
Current section 5.3.1 text:
"We encourage CAs to technically constrain all intermediate certificates. For a certificate to be considered technically constrained, the certificate MUST include an Extended Key Usage (EKU) extension specifying all extended key usages that the subordinate CA is authorized to issue certificates for. The anyExtendedKeyUsage KeyPurposeId MUST NOT appear within this extension.
If the certificate includes the id-kp-serverAuth extended key usage, then to be considered technically constrained, the certificate MUST be Name Constrained as described in section 7.1.5 of version 1.3 or later of the Baseline Requirements. The conformance requirements defined in section 2.3 of this policy also apply to technically constrained intermediate certificates.
If the certificate includes the id-kp-emailProtection extended key usage, then to be considered technically constrained, it MUST include the Name Constraints X.509v3 extension with constraints on rfc822Name, with at least one name in permittedSubtrees, each such name having its ownership validated according to section 3.2.2.4 of the Baseline Requirements."
Suggested text:
"We encourage CAs to technically constrain all intermediate certificates. For a CA certificate to be considered technically constrained for email certificates, the CA certificate:
- MUST include an Extended Key Usage
(EKU) extension that includes the
id-kp-emailProtection KeyPurposeID. The values id-kp-serverAuth,
id-kp-codeSigning, id-kp-timeStamping, and anyExtendedKeyUsage
MUST NOT be present. The value id-kp-clientAuth MAY be present.
Other values that the CA is allowed to use, and that are
documented in the CA’s CPS MAY be present, and;
- MUST include a Name Constraints X.509v3 extension with constraints on rfc822Name values, with at least one name in permittedSubtrees, each such name having its ownership validated according to section 3.2.2.4 of the Baseline Requirements.
For a CA certificate to be considered technically
constrained for server certificates, the CA certificate:
- MUST include an Extended Key Usage
(EKU) extension that includes the id-kp-serverAuth
KeyPurposeID. The values id-kp-emailProtection,
id-kp-codeSigning, id-kp-timeStamping, and anyExtendedKeyUsage
MUST NOT be present. The value id-kp-clientAuth MAY be present.
Other values that the CA is allowed to use, and that are
documented in the CA’s CPS MAY be present, and;
- MUST include a Name Constraints X.509v3 extension with constraints as described in section 7.1.5 of version 1.3 or later of the Baseline Requirements.
We encourage CAs not to include more than a single KeyPurposeID in the EKU extension."
Thank you,
Dimitris.
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaYyDqCvrD0F5VKq%2BJm4NeBCh73O0mX48MoabxWS3rqWpA%40mail.gmail.com.
Dimitris Zacharopoulos
I am having trouble understanding the following phrase under 4.
"that are not inconsistent with id-kp-emailProtection"
and I'm not sure if it is because of a double negative or something else missing. Ben, or anyone, can you please share some examples of "consistent" and "inconsistent" EKUs with id-kp-emailProtection to make this requirement a bit more clear?
1. and 3. are already covered in 4. You use "encourage" to recommend something. I suggest we avoid using RFC 2119 specific terms like "SHOULD NOT" if it is just to "encourage" a practice.
In order to have some symmetry between the email and server certificates, I made an attempt to consolidate the information. Here is a proposed change:
Current section 5.3.1 text:
"We encourage CAs to technically constrain all intermediate certificates. For a certificate to be considered technically constrained, the certificate MUST include an Extended Key Usage (EKU) extension specifying all extended key usages that the subordinate CA is authorized to issue certificates for. The anyExtendedKeyUsage KeyPurposeId MUST NOT appear within this extension.
If the certificate includes the id-kp-serverAuth extended key usage, then to be considered technically constrained, the certificate MUST be Name Constrained as described in section 7.1.5 of version 1.3 or later of the Baseline Requirements. The conformance requirements defined in section 2.3 of this policy also apply to technically constrained intermediate certificates.
If the certificate includes the id-kp-emailProtection extended key usage, then to be considered technically constrained, it MUST include the Name Constraints X.509v3 extension with constraints on rfc822Name, with at least one name in permittedSubtrees, each such name having its ownership validated according to section 3.2.2.4 of the Baseline Requirements."
Suggested text:
"We encourage CAs to technically constrain all
intermediate certificates. For a CA certificate to be considered
technically constrained for email certificates, one of
the following options must be fulfilled:
Option A) The CA Certificate MUST include an Extended Key Usage (EKU) extension
that SHALL NOT include the id-kp-emailProtection or the anyExtendedKeyUsage
KeyPurposeID; or
- MUST include an Extended Key Usage (EKU) extension that SHALL include the id-kp-emailProtection KeyPurposeID. The values id-kp-serverAuth, id-kp-codeSigning, id-kp-timeStamping, and anyExtendedKeyUsage MUST NOT be present. The value id-kp-clientAuth MAY be present. Other values that the CA is allowed to use, and that are documented in the CA’s CPS MAY be present, and;
- MUST include a Name Constraints X.509v3 extension with constraints on rfc822Name values, with at least one name in permittedSubtrees, each such name having its ownership validated according to section 3.2.2.4 of the
For a CA certificate to be considered technically
constrained for server certificates, one of the
following options must be fulfilled:
Option A) The CA Certificate MUST include an Extended Key Usage (EKU) extension that SHALL NOT include the id-kp-serverAuth or the anyExtendedKeyUsage KeyPurposeID; or
Option B) The CA Certificate
Ben Wilson
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/a8ca2462-41ce-34c0-f5bc-b1e6557dd355%40it.auth.gr.