Re: Extended Key Usage and path validation
Terry Hayes wrote:
> the extension is checked at all points in the path. Except for the
> trusted anchor all CA certificates in the path must have the EKU value
> corresponding with the current usage.
> (Actually, CA certificates without an EKU extension are
> "grandfathered" for SSL and S/MIME, but not object signing).
That's not the result of my tests with the current Netscape Navigator
(4.75) and the object signing tools (signtool 1.3).
According to these tests, CA certificates without EKU and NKU extensions
are "grandfathered" for object signing too when the correct box is
checked.
For the object signing tool, the CA that delivers the signers
certificate must be authorized for object signing, but the check box for
that is available even when there is neither EKU nor NKU in the CA
certificate.
For the navigator, one of the CAs in the trust chain must be authorized
for object signing (the box has to be checked).
I've been testing with a signer certificate, an object signing CA, a CA
that signs this CA, and another root CA above all that, therefore three
levels of CAs.
It's impossible to authorize a CA for object signing when the NKU/EKU
are present and don't have the correct usage.
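
As an added illustration, not part of the original post and not Netscape's or signtool's code: a small Python model of the per-certificate EKU/NKU check along a path as described in this thread, with the grandfathering rule made a parameter so that Terry's description (CAs without the extension pass for SSL and S/MIME only) and the behaviour observed above (object signing grandfathered too, provided the box is checked) can be run side by side. The usage labels, the Cert class, the trust-bit dictionary and the four-certificate sample chain are all constructed for the example; the model flattens EKU and NKU into one set of usage names and does not deal with real OIDs, signatures or encodings.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Usage labels for the toy model (assumed names, not the real OIDs).
OBJECT_SIGNING = "objectSigning"
SERVER_AUTH = "serverAuth"
EMAIL_PROTECTION = "emailProtection"


@dataclass(frozen=True)
class Cert:
    name: str
    is_ca: bool
    # Union of the EKU and NKU values; None means neither extension is present.
    usages: Optional[FrozenSet[str]] = None


# Terry's description: CAs lacking the extension pass for SSL and S/MIME only.
GRANDFATHER_SSL_SMIME = frozenset({SERVER_AUTH, EMAIL_PROTECTION})
# The poster's observation: object signing is grandfathered as well.
GRANDFATHER_ALL = GRANDFATHER_SSL_SMIME | {OBJECT_SIGNING}


def authorize(trust: Dict[str, Set[str]], cert: Cert, usage: str) -> None:
    """Tick the 'authorized for <usage>' box on a CA.

    Refused when the CA carries an EKU/NKU that lacks the usage, mirroring the
    poster's last observation; a CA without the extension can always be ticked.
    """
    if not cert.is_ca:
        raise ValueError(f"{cert.name} is not a CA")
    if cert.usages is not None and usage not in cert.usages:
        raise ValueError(f"{cert.name}: EKU/NKU present without {usage}; cannot authorize")
    trust.setdefault(cert.name, set()).add(usage)


def check_path(path: List[Cert], usage: str, grandfathered: FrozenSet[str],
               trust: Dict[str, Set[str]]) -> Tuple[bool, str]:
    """Validate `usage` along `path`; path[0] is the trust anchor, path[-1] the end entity.

    Returns (ok, reason). The trust anchor itself is exempt from the extension
    check; every other certificate must either carry the usage or, if it has no
    EKU/NKU at all, be covered by the `grandfathered` policy.
    """
    # Navigator rule from the post: some CA in the chain must be authorized.
    if not any(c.is_ca and usage in trust.get(c.name, ()) for c in path):
        return False, f"no CA in the path is authorized for {usage}"
    for cert in path[1:]:  # the trust anchor is exempt
        if cert.usages is None:
            if usage in grandfathered:
                continue
            return False, f"{cert.name} has no EKU/NKU and {usage} is not grandfathered"
        if usage not in cert.usages:
            return False, f"{cert.name} EKU/NKU does not include {usage}"
    return True, "ok"


def build_sample_path() -> List[Cert]:
    # Constructed to mirror the poster's setup: root, a CA that signs the
    # object-signing CA, the object-signing CA (no EKU/NKU), and the signer.
    return [
        Cert("Root CA", True),
        Cert("Intermediate CA", True),
        Cert("ObjSign CA", True),
        Cert("signer", False, frozenset({OBJECT_SIGNING})),
    ]


def demo() -> Dict[str, Tuple[bool, str]]:
    path = build_sample_path()
    trust: Dict[str, Set[str]] = {}
    authorize(trust, path[2], OBJECT_SIGNING)  # tick the box on the object-signing CA
    results = {
        "ssl-smime-only": check_path(path, OBJECT_SIGNING, GRANDFATHER_SSL_SMIME, trust),
        "grandfather-all": check_path(path, OBJECT_SIGNING, GRANDFATHER_ALL, trust),
        "box-unchecked": check_path(path, OBJECT_SIGNING, GRANDFATHER_ALL, {}),
    }
    # A CA whose EKU lacks object signing cannot be authorized for it at all.
    restricted = Cert("TLS-only CA", True, frozenset({SERVER_AUTH}))
    try:
        authorize({}, restricted, OBJECT_SIGNING)
        results["restricted-ca"] = (True, "authorized")
    except ValueError as exc:
        results["restricted-ca"] = (False, str(exc))
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

Running it shows the same chain rejected at the intermediate CA under the SSL/S/MIME-only policy, accepted once object signing is grandfathered and the box is ticked, rejected again when no CA in the chain is authorized, and a CA with an EKU limited to serverAuth refusing authorization outright.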