
Does anyone know, for client authentication, which Key Usage and Extended Key Usage purposes we should validate?

As per the specification in [1]:

  • "Extended Key Usage" is not necessary and which is configured in addition to or in place of the basic purposes indicated in the key usage extension.
  • "clientAuth" which can be configure as "Extended Key Usage", and Key usage bits that may be consistent for that is "digitalSignature" and/or "keyAgreement"

But when validating, what are the key usage purposes that should be allowed and disallowed for client authentication?

[1] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.12

  • The best answer to that is, it depends... It depends on the user agent, on which issuing policies are being used, and how much common sense you are willing to apply. The RFCs are very fast and loose in this area, and some user agents ignore the RFCs and use the [CA/Browser Baseline Requirements](https://cabforum.org/baseline-requirements-documents/) instead. OpenSSL claims to be mostly IETF/RFC compliant, but it uses the CA/B BR for this particular item. OpenSSL also fails to document it at [OpenSSL | Standards](https://www.openssl.org/docs/standards.html). – jww Feb 02 '18 at 21:57
  • There are also other RFCs that are used besides RFC 5280. The additional RFCs include 6125 (Representation and Verification of Domain-Based Application Service Identity) and 4158 (Certification Path Building). A similar thread just came up on the OpenSSL mailing list. See [TLS Error in FreeRadius - eap_tls: ERROR: Failed in FUNCTION (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed](https://mta.openssl.org/pipermail/openssl-users/2018-January/007346.html). See Viktor's responses about how the CA bits should be configured to work with OpenSSL. – jww Feb 02 '18 at 22:00
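As an added example (not from the question or its comments), here is how Go's standard crypto/x509 verifier treats the two extensions when asked for clientAuth, next to a separate check for the keyUsage bit pairing the question quotes from RFC 5280. Issue is a hypothetical helper that mints a throwaway CA and client certificate in memory; whether a leaf with no keyUsage extension at all should be rejected is exactly the policy choice the question asks about, and it is left permissive here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issue builds a throwaway self-signed CA and a client leaf it signs with the
// requested keyUsage bits and EKUs (hypothetical helper for this example).
func Issue(ku x509.KeyUsage, eku []x509.ExtKeyUsage) (*x509.Certificate, *x509.CertPool) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "client-1"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), KeyUsage: ku, ExtKeyUsage: eku}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	leaf, _ := x509.ParseCertificate(leafDER)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return leaf, pool
}
// ChainsForClientAuth asks Go's path validation for clientAuth: the EKU is
// enforced along the chain, but the keyUsage bits are not consulted at all.
func ChainsForClientAuth(leaf *x509.Certificate, pool *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// KeyUsageBitsAllowClientAuth applies the RFC 5280 pairing quoted above: with
// keyUsage present, clientAuth needs digitalSignature and/or keyAgreement;
// an absent extension (KeyUsage == 0) is left unrestricted here (assumption).
func KeyUsageBitsAllowClientAuth(c *x509.Certificate) bool {
	return c.KeyUsage == 0 || c.KeyUsage&(x509.KeyUsageDigitalSignature|x509.KeyUsageKeyAgreement) != 0
}
func main() { // keyEncipherment-only leaf: chain check passes, bit check fails
	leaf, pool := Issue(x509.KeyUsageKeyEncipherment, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth})
	fmt.Println(ChainsForClientAuth(leaf, pool), KeyUsageBitsAllowClientAuth(leaf)) // true false
}
```

The split shows why "validate the EKU" alone is not the whole answer: a verifier that stops at the EKU check accepts a clientAuth leaf whose keyUsage bits never permit signing or key agreement.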
