CERT_CheckCertUsage implicitly sets KU_NON_REPUDIATION



12 years ago
9 years ago


(Reporter: kaie, Unassigned)
12 years ago
Given a cert which does not have a key usage extension at all.

Check usage KU_NON_REPUDIATION with a call to:
  CERT_CheckCertUsage(cert, KU_NON_REPUDIATION)

This returns "success".

Bob Relyea said, this is probably a bug.

It seems we do NOT want implicit KU_NON_REPUDIATION.
In general, cert extensions serve to LIMIT or RESTRICT the uses of the cert.
A cert with the fewest extensions is the least restricted, not the most 
restricted.  A Key Usage extension serves to limit the usages of the key.
In the absence of the extension...
The same generally applies to EKU.  But there are exceptions to this rule
for EKUs.  Some EKU OIDs (Gov't approved, object signing) default to 
disallowed when no EKU is present.  

I guess we need to specify default settings for each of the KU bits, and 
each of the known EKU OIDs.
(Any update on this bug? Would it be wanted for Gecko 1.9?)

Comment 3

9 years ago
I think the current behaviour is correct. A certificate that doesn't have the keyUsage extension set doesn't restrict its usage and can be used for any purpose.
Does this cause a problem?
I wish PKI was as simple as I thought it was when I wrote comment 1.

The sad truth is that for each individual key usage bit and extended 
key usage OID, there is a default condition which applies when the cert 
has no KU or EKU extension.  For nearly ALL such KU bits and EKU OIDs, 
the default condition is that, in the absence of a KU or EKU extension, 
the cert is not restricted with respect to those usages / extended usages.  

But there are exceptions.  There are some usages that are ONLY granted 
when they explicitly appear in a KU or EKU extension, and are never granted 
by default.  An example of this is the extended key usage id-kp-OCSPSigning 
defined in RFC 2560.  

And, in many countries, the same is true with the NR KU.  
If it isn't explicitly granted, the cert doesn't have it. 
It would be grand if this was universally true in all countries, 
but nothing about NR seems to be universally true in all countries. :(
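The rule that comments 1 and 5 converge on is a per-usage default: when the KU or EKU extension is absent, most usages are granted, but a short list (the NR bit, id-kp-OCSPSigning) is granted only when an extension names it explicitly. The following is an added example, not NSS code and not the CERT_CheckCertUsage implementation under discussion; it models that policy on top of Go's standard crypto/x509 package. The Usage names, the explicitOnly table and NewTestCert are assumptions made for the example, and the certificate it checks is constructed in place, self-signed, with the KU/EKU extensions deliberately left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Usage names are hypothetical stand-ins for the NSS KU_* bits and EKU
// OIDs discussed in the bug; they are not NSS identifiers.
type Usage string

const (
	KUDigitalSignature Usage = "KU_DIGITAL_SIGNATURE"
	KUNonRepudiation   Usage = "KU_NON_REPUDIATION"
	EKUServerAuth      Usage = "EKU_SERVER_AUTH"
	EKUOCSPSigning     Usage = "EKU_OCSP_SIGNING"
)

var (
	oidKeyUsage    = asn1.ObjectIdentifier{2, 5, 29, 15}
	oidExtKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 37}

	// Key-usage bit / EKU value behind each usage name.
	kuBit = map[Usage]x509.KeyUsage{
		KUDigitalSignature: x509.KeyUsageDigitalSignature,
		KUNonRepudiation:   x509.KeyUsageContentCommitment, // the NR bit
	}
	ekuValue = map[Usage]x509.ExtKeyUsage{
		EKUServerAuth:  x509.ExtKeyUsageServerAuth,
		EKUOCSPSigning: x509.ExtKeyUsageOCSPSigning,
	}

	// Usages granted only when the extension names them, never by default
	// (assumed table, following comment 5: NR and id-kp-OCSPSigning).
	explicitOnly = map[Usage]bool{KUNonRepudiation: true, EKUOCSPSigning: true}
)

// hasExtension reports whether the certificate carries the extension with
// the given OID. Go leaves KeyUsage/ExtKeyUsage zero when the extension is
// absent, so presence must be read from the raw extension list.
func hasExtension(cert *x509.Certificate, oid asn1.ObjectIdentifier) bool {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oid) {
			return true
		}
	}
	return false
}

// CheckCertUsage reports whether cert may be used for u.
// Extension absent: granted unless u is explicit-only.
// Extension present: granted only if the extension lists u.
func CheckCertUsage(cert *x509.Certificate, u Usage) bool {
	if bit, ok := kuBit[u]; ok {
		if !hasExtension(cert, oidKeyUsage) {
			return !explicitOnly[u]
		}
		return cert.KeyUsage&bit != 0
	}
	if want, ok := ekuValue[u]; ok {
		if !hasExtension(cert, oidExtKeyUsage) {
			return !explicitOnly[u]
		}
		for _, got := range cert.ExtKeyUsage {
			if got == want {
				return true
			}
		}
		return false
	}
	return false // unknown usage name: deny
}

// NewTestCert builds a constructed self-signed certificate. A zero ku and a
// nil eku omit the KU and EKU extensions entirely, the case the bug is about.
func NewTestCert(ku x509.KeyUsage, eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "ku-default-test"}, // constructed
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     ku,
		ExtKeyUsage:  eku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	bare, err := NewTestCert(0, nil)
	if err != nil {
		panic(err)
	}
	for _, u := range []Usage{KUDigitalSignature, KUNonRepudiation, EKUServerAuth, EKUOCSPSigning} {
		fmt.Printf("no KU/EKU extension, %-20s -> %v\n", u, CheckCertUsage(bare, u))
	}
}
```

Running it prints the extension-less case: digital signature and server auth are granted, non-repudiation and OCSP signing are not. The design point is that hasExtension is consulted before the parsed bit field, because a parser that reports an absent extension as "no bits set" cannot distinguish "unrestricted" from "restricted to nothing", and that distinction is exactly where an implicit KU_NON_REPUDIATION slips in.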