RustCrypto / formats

Cryptography-related format encoders/decoders: DER, PEM, PKCS, PKIX

x509-cert: Non-Repudiation set by default in builder #1281

Closed zkonge closed 3 months ago

zkonge commented 8 months ago

https://github.com/RustCrypto/formats/blob/fdb711e56e8139c57284ce06329033e467c5a0c4/x509-cert/src/builder.rs#L199

Is there any special reason to enable it by default?

I understand that ETSI advises against combining Non-Repudiation with other key usages.

See section 4.3.2 (Key usage): https://www.etsi.org/deliver/etsi_en/319400_319499/31941202/02.03.00_20/en_31941202v020300a.pdf

baloo commented 8 months ago

I was not aware of the ETSI document. I believe I went with RFC 5280 at the time:

For example, when an RSA key should be used only to verify signatures on
objects other than public key certificates and CRLs, the
digitalSignature and/or nonRepudiation bits would be asserted.

https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3

I didn't see harm in putting it. That was a mistake.

I guess Profile::Leaf should be further qualified to include the A/C/E types from ETSI:

NAT-4.3.2-1: The key usage extension shall be present and shall contain one (and only one) of the key usage settings
defined in table 1 (A, B, C, D, E or F). Type A, C or E should be used to avoid mixed usage of keys.

baloo commented 8 months ago

@zkonge I published https://github.com/RustCrypto/formats/pull/1306 to fix this, if you could take a look, that would be appreciated.
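The thread above turns on two things: how the KeyUsage bits from RFC 5280 section 4.2.1.3 end up in the DER BIT STRING of the extension, and the ETSI concern that nonRepudiation should not be asserted together with other usages. The following is an added, self-contained example written for this page; it is not code from x509-cert or from PR #1306, and it uses only the Rust standard library rather than the crate's own KeyUsages/flagset types. It encodes a key usage set as the DER BIT STRING (including the X.690 named-bit-list rule that trailing zero bits are dropped), parses one back with the checks a strict decoder applies, and flags a set that mixes nonRepudiation with anything else. The builder-style helper `leaf_key_usage` and the "before" combination of digitalSignature plus nonRepudiation are illustrative assumptions about the default discussed in the issue, not a reproduction of the original builder.rs line. The ETSI table 1 types themselves are not reproduced here; only the "do not mix nonRepudiation" rule the issue quotes is checked.

```rust
// Added example for the x509-cert issue above (not the crate's code).
// Key usage bits as numbered in RFC 5280 section 4.2.1.3.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
#[repr(u16)]
pub enum KeyUsage {
    DigitalSignature = 1 << 0,
    NonRepudiation = 1 << 1,
    KeyEncipherment = 1 << 2,
    DataEncipherment = 1 << 3,
    KeyAgreement = 1 << 4,
    KeyCertSign = 1 << 5,
    CrlSign = 1 << 6,
    EncipherOnly = 1 << 7,
    DecipherOnly = 1 << 8,
}

/// A set of key usage bits; bit n of RFC 5280 is stored as bit n of the u16.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Default)]
pub struct KeyUsages(pub u16);

impl KeyUsages {
    pub const fn new() -> Self { KeyUsages(0) }
    pub const fn with(self, u: KeyUsage) -> Self { KeyUsages(self.0 | u as u16) }
    pub const fn contains(self, u: KeyUsage) -> bool { self.0 & (u as u16) != 0 }

    /// The point raised in the issue: nonRepudiation asserted next to any other usage.
    pub fn mixes_non_repudiation(self) -> bool {
        self.contains(KeyUsage::NonRepudiation) && self.0.count_ones() > 1
    }

    /// DER-encode as the KeyUsage BIT STRING. RFC 5280 bit n is the n-th most
    /// significant bit of the string; DER drops trailing zero bits of a named bit list.
    pub fn to_der(self) -> Vec<u8> {
        let mut bits: u16 = 0;
        for n in 0..9 {
            if self.0 & (1 << n) != 0 { bits |= 0x8000 >> n; }
        }
        let highest = (0u8..9).rev().find(|n| self.0 & (1 << n) != 0);
        let (content, unused) = match highest {
            None => (vec![], 0u8),
            Some(n) if n < 8 => (vec![(bits >> 8) as u8], 7 - n),
            Some(n) => (vec![(bits >> 8) as u8, bits as u8], 15 - n),
        };
        let mut out = vec![0x03, (content.len() + 1) as u8, unused];
        out.extend(content);
        out
    }

    /// Strict decoder: rejects wrong tag/length, bad unused-bit count,
    /// non-minimal (BER-only) encodings, unknown bits and an empty usage set.
    pub fn from_der(der: &[u8]) -> Result<Self, &'static str> {
        if der.len() < 3 || der[0] != 0x03 { return Err("not a BIT STRING"); }
        let len = der[1] as usize;
        if len == 0 || der[1] & 0x80 != 0 || der.len() != 2 + len { return Err("bad length"); }
        let (unused, content) = (der[2], &der[3..]);
        if unused > 7 || (content.is_empty() && unused != 0) { return Err("bad unused-bits count"); }
        if content.len() > 2 || (content.len() == 2 && unused < 7) { return Err("unknown key usage bits set"); }
        if let Some(&last) = content.last() {
            // DER: the last retained bit must be 1, otherwise trailing zeros were kept.
            if last & (1u8 << unused) == 0 { return Err("non-minimal DER: trailing zero bits"); }
        }
        let mut raw: u16 = 0;
        for (i, b) in content.iter().enumerate() { raw |= (*b as u16) << (8 * (1 - i)); }
        let mut set: u16 = 0;
        for n in 0..9 { if raw & (0x8000 >> n) != 0 { set |= 1 << n; } }
        if set == 0 { return Err("keyUsage must set at least one bit (RFC 5280)"); }
        Ok(KeyUsages(set))
    }
}

/// Hypothetical builder helper: nonRepudiation is only set when the caller asks for it,
/// instead of being part of the leaf default (assumption about the fix, not PR #1306 itself).
pub fn leaf_key_usage(non_repudiation: bool, key_encipherment: bool) -> KeyUsages {
    if non_repudiation {
        // ETSI-style: nonRepudiation alone, never mixed with other usages.
        return KeyUsages::new().with(KeyUsage::NonRepudiation);
    }
    let ku = KeyUsages::new().with(KeyUsage::DigitalSignature);
    if key_encipherment { ku.with(KeyUsage::KeyEncipherment) } else { ku }
}

fn main() {
    // Assumed "before": digitalSignature | nonRepudiation as the leaf default.
    let before = KeyUsages::new().with(KeyUsage::DigitalSignature).with(KeyUsage::NonRepudiation);
    println!("before: {:02x?} mixed={}", before.to_der(), before.mixes_non_repudiation());
    let after = leaf_key_usage(false, true);
    println!("after:  {:02x?} mixed={}", after.to_der(), after.mixes_non_repudiation());
}
```

The `03 02 01 06` encoding produced for keyCertSign plus cRLSign is the familiar value seen in CA certificates, which is a quick sanity check that the bit ordering is right; the decoder's minimality check is what separates DER from BER here and is the check a lenient parser skips.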