
RE: Absent keyUsage in certificates



Peter, 

I don't like this text based on principles.

An absent extension by itself does not provide any specific information
at all. 

An absent extension only means that this information, constraints,
guidance is not present.

In order for anything "absent" to have a meaning, there must be a
default definition and in a way I could agree that the default usage for
a cert is unrestricted. But then again, there are so many other ways to
restrict the usage, that it is impossible to generally assume a default
state just considering an absent key usage extension.

There is also a difference in what we require a CA to set and what a
client should accept. Just because a compliant CA must set the cert
signing key in a CA cert does not mean that my clients can't accept a CA
cert that has an absent key usage extension (e.g. accepting a V1 CA
cert).


Stefan Santesson
Program Manager, Standards Liaison
Windows Security
 

> -----Original Message-----
> From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx]
> On Behalf Of Peter Gutmann
> Sent: 10 June 2005 11:39
> To: ietf-pkix@xxxxxxx; sroberts@xxxxxxxxxxxx
> Subject: Re: Absent keyUsage in certificates
> 
> 
> Sam Roberts <sroberts@xxxxxxxxxxxx> writes:
> 
> >Also, as you well know, the MUST clauses for certificate generation in PKIX
> >are already widely ignored or misinterpreted, and we have to deal with those
> >certs anyhow. Adding more generation MUST clauses won't help us.
> 
> Yeah, fair enough.
> 
> >Adding text in PKIX that more clearly explains what the bits are for, and
> >what it means for the extension to not be present might be helpful.
> 
> Hmm, I think there should then at least be a note in the security requirements
> about the default allow-all behaviour of keyUsage, e.g.:
> 
>   If no keyUsage extension is specified, the certificate is assumed to be
>   valid for any usage except certificate and CRL signing.  In other words if a
>   CA forgets to add the keyUsage, the certificate usage fails open rather than
>   failing closed.  In addition, new and unexpected usages may appear if
>   additional keyUsage bits are defined after the certificate (with its
>   allow-all default) is issued.
> 
> That at least warns users/CAs of the consequences of the default allow-all
> behaviour.
> 
> Peter.
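
The default described in the proposed note, written out as a relying-party check. This is an added example, not code from anyone in the thread: it decodes the DER BIT STRING of a keyUsage extension value and applies either the fail-open default or a strict fail-closed client policy when the extension is absent. The function names, the `absent_policy` parameter and the sample byte strings are assumptions made for illustration.

```python
# Added example: relying-party handling of a present vs. absent keyUsage extension.
# Bit positions are the KeyUsage named bits from RFC 5280, section 4.2.1.3.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]
SIGNING_USAGES = {"keyCertSign", "cRLSign"}


def decode_key_usage(der: bytes) -> set:
    """Decode the DER BIT STRING carried in a keyUsage extension value."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length >= 0x80 or length != len(der) - 2:
        raise ValueError("unexpected length encoding")
    unused, payload = der[2], der[3:]
    if unused > 7 or (not payload and unused):
        raise ValueError("bad unused-bits count")
    total_bits = len(payload) * 8 - unused
    named = set()
    for i in range(total_bits):
        if payload[i // 8] & (0x80 >> (i % 8)):
            # A bit defined after this table was written has no name here.
            named.add(KEY_USAGE_BITS[i] if i < len(KEY_USAGE_BITS) else f"bit{i}")
    return named


def usage_permitted(key_usage_der, usage: str, absent_policy: str = "open") -> bool:
    """key_usage_der is None when the certificate has no keyUsage extension."""
    if key_usage_der is None:
        if absent_policy == "closed":  # hypothetical strict client policy
            return False
        # Default from the proposed note: any usage except cert/CRL signing.
        return usage not in SIGNING_USAGES
    return usage in decode_key_usage(key_usage_der)


# Constructed sample values (not taken from any real certificate).
TLS_SERVER_KU = bytes.fromhex("030205a0")  # digitalSignature + keyEncipherment
CA_KU = bytes.fromhex("03020106")          # keyCertSign + cRLSign

if __name__ == "__main__":
    for label, ku in [("server", TLS_SERVER_KU), ("CA", CA_KU), ("absent", None)]:
        allowed = [u for u in KEY_USAGE_BITS if usage_permitted(ku, u)]
        print(f"{label:7} -> {allowed}")
```

With the fail-open default, a usage name that did not exist when the certificate was issued (here the made-up `bit9`) is also accepted for a certificate with no keyUsage, which is the "new and unexpected usages" case in the proposed text.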