cose-wg / CBOR-certificates


Extension and Extended Key Usage for Certificate Transparency (RFC 6962) #190

Open xipki opened 2 months ago

xipki commented 2 months ago

In Table "Figure 8: C509 Extensions and CSR Attributes" of draft -09:

    +-------+-----------------------------------------------------------+
    |    37 | Name:            Precertificate Signing Certificate       |
    |       | Identifiers:                                              |
    |       | OID:             1.3.6.1.4.1.11129.2.4.4                  |
    |       | DER:             06 0A 2B 06 01 04 01 D6 79 02 04 04      |
    |       | Comments:                                                 |
    |       | extensionValue:                                           |
    +-------+-----------------------------------------------------------+

However, 1.3.6.1.4.1.11129.2.4.4 is not an extension ID but a key purpose ID (ExtendedKeyUsage), as specified in RFC 6962:

   o  a special-purpose (CA:true, Extended Key Usage: Certificate
      Transparency, OID 1.3.6.1.4.1.11129.2.4.4) Precertificate Signing
      Certificate.  The Precertificate Signing Certificate MUST be
      directly certified by the (root or intermediate) CA certificate
      that will ultimately sign the end-entity TBSCertificate yielding
      the end-entity certificate (note that the log may relax standard
      validation rules to allow this, so long as the issued certificate
      will be valid),

Thus, a new entry shall be added to "Figure 12: C509 Extended Key Usages", e.g. as follows:

    +-------+---------------------------------------------------------+
    |    19 | Name:            Certificate Transparency               |
    |       | Identifiers:                                            |
    |       | OID:             1.3.6.1.4.1.11129.2.4.4                |
    |       | DER:             06 0A 2B 06 01 04 01 D6 79 02 04 04    |
    |       | Comments:        RFC 6962                               |
    +-------+---------------------------------------------------------+

And the entry Precertificate Signing Certificate (code 37) in Figure 8 shall be replaced by another OID (ending in 2.4.3 instead of 2.4.4):

    +-------+-----------------------------------------------------------+
    |    37 | Name:            Precertificate Signing Certificate       |
    |       | Identifiers:                                              |
    |       | OID:             1.3.6.1.4.1.11129.2.4.3                  |
    |       | DER:             06 0A 2B 06 01 04 01 D6 79 02 04 03      |
    |       | Comments:        RFC 6962                                 |
    |       | extensionValue:  null                                     |
    +-------+-----------------------------------------------------------+

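
As an added example (not code from the C509 draft or the cose-wg repository), a small DER OBJECT IDENTIFIER encoder/decoder that lets the dotted OIDs in the tables above be checked against their "DER:" hex rows, for any OID and not just these two; it also rejects non-minimal sub-identifier encodings, which DER forbids. RFC 6962 assigns 1.3.6.1.4.1.11129.2.4.3 to the precertificate poison extension, whose value is ASN.1 NULL, which matches the `extensionValue: null` proposed for code 37.

```python
# Added example (not from the C509 draft or the cose-wg repository): encode and
# decode DER OBJECT IDENTIFIERs so the dotted OIDs and "DER:" hex rows in the
# tables above can be checked against each other.

def _encode_arc(arc: int) -> bytes:
    """Base-128 encoding of one sub-identifier; high bit set on all but the last byte."""
    out = [arc & 0x7F]
    arc >>= 7
    while arc:
        out.append(0x80 | (arc & 0x7F))
        arc >>= 7
    return bytes(reversed(out))

def oid_to_der(dotted: str) -> bytes:
    """Dotted OID string -> full DER TLV (tag 0x06, short-form length, content)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: " + dotted)
    # The first two arcs fold into one sub-identifier (X.690 8.19.4).
    body = _encode_arc(arcs[0] * 40 + arcs[1]) + b"".join(_encode_arc(a) for a in arcs[2:])
    if len(body) > 127:
        raise ValueError("long-form length not handled")
    return bytes([0x06, len(body)]) + body

def der_to_oid(der: bytes) -> str:
    """Full DER TLV -> dotted OID string, rejecting non-canonical encodings."""
    if len(der) < 3 or der[0] != 0x06 or der[1] > 127 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER OBJECT IDENTIFIER")
    arcs, value, pending = [], 0, False
    for b in der[2:]:
        if not pending and b == 0x80:  # leading 0x80 is forbidden (X.690 8.19.2)
            raise ValueError("non-minimal sub-identifier")
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("truncated sub-identifier")
    top = 2 if arcs[0] >= 80 else arcs[0] // 40
    return ".".join(str(a) for a in [top, arcs[0] - 40 * top] + arcs[1:])

def is_canonical_der_oid(der: bytes) -> bool:
    """True iff `der` decodes and re-encodes to exactly the same bytes."""
    try:
        return oid_to_der(der_to_oid(der)) == der
    except ValueError:
        return False
```

`oid_to_der("1.3.6.1.4.1.11129.2.4.4").hex()` yields `060a2b06010401d679020404`, the DER row shown for both the EKU entry and the original code 37 entry; the 11129 arc is what becomes the two bytes `D6 79`.
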
gselander commented 2 weeks ago

Not clear if certificate transparency is relevant for target use cases. More input is requested in order to consider including this.