Extension and Extended Key Usage for Certificate Transparency (RFC 6962) #190

Open · xipki opened this issue Apr 28, 2024 · 1 comment

Comments

@xipki (Contributor) commented Apr 28, 2024

In Table "Figure 8: C509 Extensions and CSR Attributes" of draft -09:

   +-------+-----------------------------------------------------------+
   |    37 | Name:            Precertificate Signing Certificate       |
   |       | Identifiers:                                              |
   |       | OID:             1.3.6.1.4.1.11129.2.4.4                  |
   |       | DER:             06 0A 2B 06 01 04 01 D6 79 02 04 04      |
   |       | Comments:                                                 |
   |       | extensionValue:                                           |
   +-------+-----------------------------------------------------------+

However, 1.3.6.1.4.1.11129.2.4.4 is not an extension ID but a key purpose ID (ExtendedKeyUsage), as specified in RFC 6962:

   o  a special-purpose (CA:true, Extended Key Usage: Certificate
      Transparency, OID 1.3.6.1.4.1.11129.2.4.4) Precertificate Signing
      Certificate.  The Precertificate Signing Certificate MUST be
      directly certified by the (root or intermediate) CA certificate
      that will ultimately sign the end-entity TBSCertificate yielding
      the end-entity certificate (note that the log may relax standard
      validation rules to allow this, so long as the issued certificate
      will be valid),

Thus, a new entry shall be added to "Figure 12: C509 Extended Key Usages", e.g. as follows:

    +-------+---------------------------------------------------------+
    |    19 | Name:            Certificate Transparency               |
    |       | Identifiers:                                            |
    |       | OID:             1.3.6.1.4.1.11129.2.4.4                |
    |       | DER:             06 0A 2B 06 01 04 01 D6 79 02 04 04    |
    |       | Comments:        RFC 6962                               |
    +-------+---------------------------------------------------------+

And the entry Precertificate Signing Certificate (code 37) in Figure 8 shall be replaced by another OID (ending in 2.4.3 instead of 2.4.4):

   +-------+-----------------------------------------------------------+
   |    37 | Name:            Precertificate Signing Certificate       |
   |       | Identifiers:                                              |
   |       | OID:             1.3.6.1.4.1.11129.2.4.3                  |
   |       | DER:             06 0A 2B 06 01 04 01 D6 79 02 04 03      |
   |       | Comments:        RFC 6962                                 |
   |       | extensionValue:  null                                     |
   +-------+-----------------------------------------------------------+
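The two OIDs in the tables above differ only in their last arc, and the issue hinges on which ASN.1 structure each one belongs in (an EKU key purpose versus an extension). The following is an added example, not code from the issue, the C509 draft or RFC 6962: a small DER OBJECT IDENTIFIER encoder/decoder that reproduces the `DER:` bytes quoted in the tables, plus a classifier that applies the RFC 6962 rules to already-parsed OID sets (CA flag, EKU purposes, critical and non-critical extensions). All function names and the sample inputs are this example's own.

```python
"""Added example: verify the DER bytes quoted in the issue and tell an RFC 6962
Precertificate Signing Certificate apart from a Precertificate by OID placement.
Not part of the issue, the C509 draft or any reference implementation."""

# RFC 6962 OIDs under the Google arc 1.3.6.1.4.1.11129.2.4
OID_CT_POISON = "1.3.6.1.4.1.11129.2.4.3"           # critical poison *extension*, value ASN.1 NULL
OID_CT_PRECERT_SIGNING = "1.3.6.1.4.1.11129.2.4.4"  # ExtendedKeyUsage *key purpose*

# The 'OID:' / 'DER:' pairs quoted in the issue's tables (copied from the text above)
ISSUE_TABLE = {
    OID_CT_PRECERT_SIGNING: "06 0A 2B 06 01 04 01 D6 79 02 04 04",
    OID_CT_POISON:          "06 0A 2B 06 01 04 01 D6 79 02 04 03",
}


def _base128(n: int) -> bytes:
    """Encode one arc as base-128, most significant group first, continuation bit 0x80."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def oid_to_der(oid: str) -> bytes:
    """Dotted OID string -> full DER TLV (tag 0x06, short-form length, contents)."""
    arcs = [int(a) for a in oid.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: first arc must be 0..2, second arc <= 39 unless first is 2")
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    if len(body) > 127:
        raise ValueError("long-form length not handled (not needed for these OIDs)")
    return bytes([0x06, len(body)]) + body


def der_to_oid(der: bytes) -> str:
    """Full DER TLV -> dotted OID string, rejecting truncated or mis-framed input."""
    if len(der) < 3 or der[0] != 0x06 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER OBJECT IDENTIFIER")
    body = der[2:]
    if body[-1] & 0x80:
        raise ValueError("truncated base-128 arc")
    arcs, n = [], 0
    for b in body:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    first = arcs[0]
    lead = [0, first] if first < 40 else ([1, first - 40] if first < 80 else [2, first - 80])
    return ".".join(str(a) for a in lead + arcs[1:])


def verify_issue_table() -> dict:
    """True per OID when our encoder reproduces the quoted DER and decoding round-trips."""
    result = {}
    for oid, hexstr in ISSUE_TABLE.items():
        der = bytes.fromhex(hexstr.replace(" ", ""))
        result[oid] = oid_to_der(oid) == der and der_to_oid(der) == oid
    return result


def classify_ct_role(is_ca: bool, ekus: set, critical_exts: set, noncritical_exts: set) -> str:
    """Apply the RFC 6962 placement rules: 2.4.3 is an extension (must be critical),
    2.4.4 is an EKU purpose on a CA:true Precertificate Signing Certificate."""
    if OID_CT_POISON in noncritical_exts:
        return "invalid: poison extension must be marked critical"
    if OID_CT_POISON in critical_exts:
        return "precertificate"
    if OID_CT_PRECERT_SIGNING in critical_exts or OID_CT_PRECERT_SIGNING in noncritical_exts:
        return "invalid: 1.3.6.1.4.1.11129.2.4.4 is a key purpose, not an extension"
    if OID_CT_PRECERT_SIGNING in ekus:
        return "precertificate signing certificate" if is_ca else "invalid: precert signing EKU requires CA:true"
    return "ordinary certificate"


if __name__ == "__main__":
    print(verify_issue_table())
    # Constructed inputs: a CA with the CT EKU, and a precert with the critical poison extension
    print(classify_ct_role(True, {OID_CT_PRECERT_SIGNING}, set(), set()))
    print(classify_ct_role(False, set(), {OID_CT_POISON}, set()))
```

The encoder deliberately handles only short-form lengths; the point of the example is to show that both `DER:` rows in the issue are correct byte-for-byte and that only the last arc distinguishes the key purpose from the extension, so a codepoint table that puts 2.4.4 under "Extensions" would encode a syntactically valid OID in the wrong ASN.1 slot.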
@gselander (Collaborator) commented:

Not clear if certificate transparency is relevant for target use cases. More input is requested in order to consider including this.
