[Cryptography] ALPACA

Viktor Dukhovni cryptography at dukhovni.org
Sun Jun 13 18:29:00 EDT 2021


On Sat, Jun 12, 2021 at 10:39:43AM +0000, Peter Gutmann wrote:

> Viktor Dukhovni <cryptography at dukhovni.org> writes:
> 
> >The above is misleading.  The "email" usages are for S/MIME, not TLS. The
> >"web server usage" is really TLS server usage, and so SMTP servers that do
> >STARTTLS are in the same bucket as HTTPS servers.
> 
> Sure, what I meant in this case was that since there are already eKUs for
> email (as in S/MIME), define a new eKU for email with TLS (STARTTLS/SMTP) or
> whatever.  That's what eKU is there for.

Yes, though in practice that'd be tough (take a very long time) to roll
out, because all SMTP clients would have to support the new EKU before
servers could start deploying certificates with only the new EKU.  And
CAs would have to be willing to issue certificates with the new EKU, ...
In all, this seems rather unlikely to happen. :-(

> >OpenSSL does not ignore extended key usage,
> 
> What does it do with eKUs?  Will it reject a cert used for TLS with
> e.g. an IPSEC eKU?  Just curious, because the last time I looked it
> ignored them.

The EKU list in the certificate (if specified) has to match the
"purpose" of X509_VERIFY_PARAM field of the X509_STORE_CTX.  The
interface is noticeably clunky, but it does in fact enforce matching
EKUs (as part of certificate chain verification).

> Even for clients that don't ignore it, the other side of the coin is that many
> certs have nonsensical eKUs (look at the number of web *server* certs that
> assert the *client*Auth eKU), so you need to sort out both ends of the mess
> for things to work.

Well, the client auth EKU allows the server to be a TLS client of an
upstream service, and since CAs don't know whether a server will want
to do that, they often mint certs that support both.  There's no
intrinsic issue with having both EKUs present.  From Let's Encrypt I
get:

        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE

I don't see a problem offhand...

-- 
    Viktor.
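
Added example, not part of the original message and not OpenSSL's own code: the purpose/EKU matching described above can be observed with `openssl verify -purpose`, which sets the verification purpose from the command line. The CA, the leaf names under example.test and the file layout are constructed for the demo; it assumes the openssl command-line tool, 1.1.1 or later.

```shell
#!/bin/sh
# Added example; the CA, leaf names and file layout are constructed for the demo.
# Requires the openssl command-line tool (1.1.1 or later).

make_pki() {  # make_pki DIR: throwaway CA plus two leaves that differ only in EKU
    d=$1
    cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    for leaf in client-only both; do
        case $leaf in
            client-only) eku=clientAuth ;;
            both)        eku=serverAuth,clientAuth ;;
        esac
        # Same key usage and basic constraints as the Let's Encrypt cert quoted above
        printf '%s\n' 'basicConstraints = critical,CA:FALSE' \
            'keyUsage = critical,digitalSignature,keyEncipherment' \
            "extendedKeyUsage = $eku" > "$d/$leaf.ext"
        openssl req -new -config "$d/req.cnf" -subj "/CN=$leaf.example.test" \
            -newkey rsa:2048 -nodes -keyout "$d/$leaf.key" -out "$d/$leaf.csr" \
            2>/dev/null || return 1
        openssl x509 -req -in "$d/$leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
            -CAcreateserial -days 1 -extfile "$d/$leaf.ext" -out "$d/$leaf.pem" \
            2>/dev/null || return 1
    done
}

check_purpose() {  # check_purpose DIR LEAF PURPOSE: prints "ok" or "rejected"
    if openssl verify -CAfile "$1/ca.pem" -purpose "$3" "$1/$2.pem" >/dev/null 2>&1
    then echo ok; else echo rejected; fi
}

demo_dir=$(mktemp -d) && make_pki "$demo_dir" && for leaf in client-only both; do
    for purpose in sslserver sslclient; do
        echo "$leaf as $purpose: $(check_purpose "$demo_dir" "$leaf" "$purpose")"
    done
done
rm -rf "$demo_dir"
```

Only the clientAuth-only leaf checked as sslserver is rejected; the leaf carrying both EKUs passes either purpose.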

