There are a number of technical constraints a Certificate Authority can put into place on a subordinate Certificate Authority; the general concept is referred to as Qualified Subordination.
One of the most important ways to constrain a certificate is by restricting what it can be good for.
The foundation for such a constraint is provided by PKIX in the Extended Key Usage extension (RFC 5280). This extension can be put into a certificate to restrict what it is trusted for; for example, a certificate might be OK for SSL server authentication but not for S/MIME.
The problem is that the RFC provides no practical guidance on how to act when this extension is encountered in a CA certificate; all it says is:
In general, this extension will appear only in end entity certificates.
One can interpret this to mean that its semantics are the same in issuer and subscriber certificates. That makes sense, but it isn’t very useful: a CA is not very likely to ever perform “application tasks” like S/MIME or SSL server authentication with its signing key, so why would you put it in a CA certificate at all?
Also, if you look back at the history, this extension was really one of the first that was introduced; it came into existence at a time when PKIs were only one level deep, so the absence of guidance on how to handle it in CA certificates could easily be seen as an omission.
Microsoft saw it this way and decided to have their implementation treat this extension as a constraint. In other words, if no EKU is present anywhere in the chain, the chain is considered good for all usages; but once a single EKU is present somewhere in the path, nothing below it can be considered good for an EKU that is not listed.
In Windows, applications validate certificates using the CertGetCertificateChain API, which takes a number of control parameters via the PCERT_CHAIN_PARA structure; through its RequestedUsage parameter an application specifies the EKUs it needs the certificate to be good for.
This logic (frankly, almost all of the certificate validation) is wrapped into this one call.
So what does this have to do with MSRC 2718704? Well, it has reduced the risk of this mess-up in a meaningful way, which I thought I would explain. Before I do, let me be clear that I am not trying to downplay the significance of this issue; I am just trying to clarify where the risks are.
As we now know, the “licensing solution” deployed for Terminal Services has put a signing CA that is trusted for Code Signing in every enterprise that uses the product. But how is it restricted to just Code Signing? That is really what this post is about.
Let’s look at the EKUs included in the chain of the offending “MS” certificate; in that chain we see:
- Microsoft Root Authority
  - No EKUs
- Microsoft Enforced Licensing Intermediate PCA
  - EKUs = Code Signing, Key Pack Licenses, License Server Verification
  - Effective EKUs = Code Signing, Key Pack Licenses, License Server Verification
- Microsoft Enforced Licensing Certificate Authority CA
  - EKUs = Code Signing, License Server Verification
  - Effective EKUs = Code Signing, License Server Verification
- Microsoft LSRA PA
  - EKUs = None
  - Effective EKUs = Code Signing, License Server Verification
- MS
  - EKUs = None
  - Effective EKUs = Code Signing, License Server Verification
You will notice that the “Microsoft LSRA PA” certificate lists no EKUs, yet its Effective EKUs are “Code Signing” and “License Server Verification”; this is the nested EKU behavior I describe above.
The same thing happens in the end-entity “MS” certificate: even though it lists no EKUs, it can only be used to validate licenses and sign code, because that is all its issuers are entitled to bestow on their subordinates.
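To make the nested-EKU rule concrete, here is an added example (my own code, not part of the original post and not Microsoft's implementation) that walks the chain above root-first, computes each certificate's Effective EKUs by intersecting its own EKU list with its issuer's effective set, and then models the RequestedUsage check that CertGetCertificateChain performs. The certificate names and EKU values are the ones listed in the post; the function names, the `None`-means-"any usage" convention and the extra chains in the test are my assumptions for illustration.

```python
# Added example: a model of the "nested EKU" constraint the post describes.
# Certificate names and EKU sets below are taken from the post's chain;
# everything else (function names, conventions) is this example's own.

ANY = None  # convention: no EKU extension => certificate is good for every usage

# The licensing chain from the post, root first. None = no EKU extension.
LICENSING_CHAIN = [
    ("Microsoft Root Authority", None),
    ("Microsoft Enforced Licensing Intermediate PCA",
     {"Code Signing", "Key Pack Licenses", "License Server Verification"}),
    ("Microsoft Enforced Licensing Certificate Authority CA",
     {"Code Signing", "License Server Verification"}),
    ("Microsoft LSRA PA", None),
    ("MS", None),
]


def effective_ekus(chain):
    """Return [(name, effective EKU set)] for a root-first chain.

    Effective EKUs of a certificate are its own EKUs intersected with the
    effective EKUs of its issuer. A certificate with no EKU extension
    inherits its issuer's effective set unchanged; if no certificate in the
    path lists an EKU, the result stays ANY (good for all usages).
    """
    result = []
    inherited = ANY
    for name, ekus in chain:
        if ekus is None:
            effective = inherited          # nested behavior: inherit the constraint
        elif inherited is ANY:
            effective = set(ekus)          # first EKU in the path starts the constraint
        else:
            effective = set(ekus) & inherited  # can only narrow, never widen
        result.append((name, effective))
        inherited = effective
    return result


def chain_valid_for(chain, requested_usage):
    """Model of the RequestedUsage check: is the leaf good for this usage?"""
    _, leaf_effective = effective_ekus(chain)[-1]
    return leaf_effective is ANY or requested_usage in leaf_effective


if __name__ == "__main__":
    for name, eff in effective_ekus(LICENSING_CHAIN):
        print(f"{name}: {'any' if eff is ANY else sorted(eff)}")
    for usage in ("Code Signing", "Server Authentication"):
        print(f"valid for {usage!r}: {chain_valid_for(LICENSING_CHAIN, usage)}")
```

Run as a script it prints the same Effective EKUs the post lists and reports that the leaf is good for Code Signing but not for Server Authentication. The intersection step is the important design point: a subordinate that lists an EKU its issuer's effective set lacks does not gain that usage, it simply ends up with nothing, which is exactly why the licensing CAs cannot mint a "valid" SSL certificate under this rule.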
OK, so what does all of this mean to you and me? Basically, as long as the application is written using CryptoAPI in the intended way (and all that I am aware of in this context are), those CAs out there cannot be used to issue SSL certificates (or certificates for any other usage not listed) that would be “valid”. They can of course sign code as Microsoft, which is a larger issue in my book.
Anyway, over the years I have proposed in the IETF that this same behavior be adopted; it was always rejected as an evil Microsoft conspiracy (I was at Microsoft at the time). It was of course nothing of the sort, but in the end I gave up. Recently I have started trying to convince the browsers directly to implement this same behavior, as I feel it is beneficial; for example, there is an NSS bug tracking the same request. If implemented, that would take care of Chrome and Firefox; that still leaves Safari and Opera, but it’s a step in the right direction.
Additional Resources
http://lists.randombit.net/pipermail/cryptography/2012-June/002966.html