eu-digital-green-certificates / dgc-overview

This repository provides an overview over the EU Digital Green Certificates (DGC) project.
Apache License 2.0
209 stars 29 forks source link

Requirements on National Backend TLS client certificate key usage #32

Open Razumain opened 3 years ago

Razumain commented 3 years ago

Insufficient requirements on NB-TLS client certificate key usage

Section 4.5 of certificate-governance.md is insufficient. The current text says:

Beware that self-signed certificates should also contain the key usage Certificate signing (keyCertSign), so that OpenSSL can verify the (self) signature of the certificate.

As we learned during the dry-run, this is not a SHOULD, but a MUST. Or has this changed to just be a recommendation?

In case this is a MUST, then I would also recommend to lift this into the table above

Field Value
Subject cn=<non-empty and unique common name>, o=<Provider>, c= <Member State of the NB>
Key Usage digital signature (at minimum)
keyCertSign (If the certificate is self signed)
Extended Key Usage client authentication (1.3.6.1.5.5.7.3.2)

Note: that the requirement is really in error as there is no support for the requirement of keyCertSign in any of the open standards of PKI, but if this key usage is required any way due to how current tools work, then it should be made mor clear.

An example that highlights the contradiction is the following requirement from RFC 5280:

The keyCertSign bit is asserted when the subject public key is used for verifying signatures on public key certificates. If the keyCertSign bit is asserted, then the cA bit in the basic constraints extension (Section 4.2.1.9) MUST also be asserted

That is: A certificate with keyCertSign set, MUST be a CA, which is not true for the TLS client. But I'm really not trying to change this requirement at this point, just making sure it is is clearly stated. Some comment on this contradiction may however be in place.

daniel-eder commented 3 years ago

@SchulzeStTSI I think you discussed this in another issue, what's the status on this?