#6996 Add Basic Constraints X509v3 extension to EE certs
Closed: wontfix 6 years ago Opened 6 years ago by cheimes.

FreeIPA's cert profile for end entity certs does not include a BasicConstraints field. EE certs have AKID, SKID, AIA for OCSP, KU, EKU, CRL DP, and SAN. Although BC is optional in CAB baseline requirements, it is pretty standard to have a CA:FALSE;critical extension in EE certs. I checked multiple certs from Let's Encrypt, DigiCert, GeoTrust and other public CAs. All EE certs had the BC extension.

BasicConstraints CA:FALSE is also a requirement for SPIFFE SVID certs, https://github.com/spiffe/svid/blob/master/SPECIFICATION.md

Therefore I propose to include a BasicConstraints: CA:FALSE;critical extension in all profiles that generate EE certs.

Baseline Requirements, v. 1.4.5, section 7.1.2.3. Subscriber Certificate:

d. basicConstraints (optional)
The cA field MUST NOT be true.
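The check the ticket argues for, as an added example that is not part of the ticket and not FreeIPA or Dogtag code: a standard-library-only DER reader that walks an X.509 `Extensions` block, decodes `basicConstraints` (OID 2.5.29.19), and applies the proposed policy (extension present, marked critical, `cA` FALSE) next to the hard Baseline Requirements rule (`cA` MUST NOT be TRUE). Every function name (`parse_extensions`, `parse_basic_constraints`, `check_ee_basic_constraints`, `_der`) and every sample block (`EE_MISSING_BC`, `EE_COMPLIANT`, `EE_NONCRITICAL`, `CA_SHAPED`) is the example's own; the sample extension blocks are hand-constructed and do not come from any real certificate. One caveat worth seeing in code: DER forbids encoding a DEFAULT value, so `CA:FALSE` is an empty SEQUENCE, and a checker has to treat an absent `cA` as FALSE rather than as an error.

```python
"""Added example (not FreeIPA or Dogtag code): verify that an EE certificate's
Extensions block carries basicConstraints, marked critical, with cA FALSE.
Standard library only; the sample extension blocks are constructed by hand."""

BASIC_CONSTRAINTS_OID = "2.5.29.19"


def _read_tlv(buf, pos):
    """Read one DER TLV starting at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, bytes(buf[pos:pos + length]), pos + length


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_extensions(der):
    """Extensions ::= SEQUENCE OF Extension { extnID, critical DEFAULT FALSE, extnValue }.
    Returns a list of (oid, critical, extnValue bytes)."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(body):
        tag, ext, pos = _read_tlv(body, pos)
        t, oid_raw, p = _read_tlv(ext, 0)
        if tag != 0x30 or t != 0x06:
            raise ValueError("malformed Extension")
        t, v, p = _read_tlv(ext, p)
        critical = False
        if t == 0x01:                       # BOOLEAN is present only when TRUE (DER omits DEFAULT FALSE)
            critical = v != b"\x00"
            t, v, p = _read_tlv(ext, p)
        if t != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        result.append((_decode_oid(oid_raw), critical, v))
    return result


def parse_basic_constraints(value):
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }.
    In DER a DEFAULT value is never encoded, so CA:FALSE is an empty SEQUENCE."""
    tag, body, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("BasicConstraints must be a SEQUENCE")
    ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == 0x01:
        _, v, pos = _read_tlv(body, pos)
        ca = v != b"\x00"
    if pos < len(body) and body[pos] == 0x02:
        _, v, pos = _read_tlv(body, pos)
        path_len = int.from_bytes(v, "big")
    return ca, path_len


def check_ee_basic_constraints(extensions_der):
    """Policy from the ticket: basicConstraints present, critical, cA FALSE.
    The BR 7.1.2.3 d hard rule is only 'cA MUST NOT be true'; presence and
    criticality are the stricter local policy.  Returns (ok, reason)."""
    for oid, critical, value in parse_extensions(extensions_der):
        if oid != BASIC_CONSTRAINTS_OID:
            continue
        ca, _ = parse_basic_constraints(value)
        if ca:
            return False, "cA is TRUE: this is a CA certificate, not an EE certificate"
        if not critical:
            return False, "basicConstraints present but not critical"
        return True, "basicConstraints critical, CA:FALSE"
    return False, "basicConstraints extension missing"


def _der(tag, body):
    """Wrap body in a DER TLV (short-form length only, enough for the samples)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


# Constructed sample extension blocks (hand-encoded, not from any real certificate).
_OID_BC = b"\x06\x03\x55\x1d\x13"       # 2.5.29.19 basicConstraints
_OID_KU = b"\x06\x03\x55\x1d\x0f"       # 2.5.29.15 keyUsage
_CRITICAL = b"\x01\x01\xff"             # BOOLEAN TRUE; omitted entirely when FALSE
KEY_USAGE_EXT = _der(0x30, _OID_KU + _CRITICAL + _der(0x04, b"\x03\x02\x05\xa0"))  # digitalSignature, keyEncipherment
BC_FALSE_CRITICAL = _der(0x30, _OID_BC + _CRITICAL + _der(0x04, _der(0x30, b"")))  # CA:FALSE == empty SEQUENCE
BC_FALSE_NONCRIT = _der(0x30, _OID_BC + _der(0x04, _der(0x30, b"")))
BC_TRUE_CRITICAL = _der(0x30, _OID_BC + _CRITICAL + _der(0x04, _der(0x30, b"\x01\x01\xff")))

EE_MISSING_BC = _der(0x30, KEY_USAGE_EXT)                       # what the ticket reports today
EE_COMPLIANT = _der(0x30, KEY_USAGE_EXT + BC_FALSE_CRITICAL)    # what the ticket proposes
EE_NONCRITICAL = _der(0x30, KEY_USAGE_EXT + BC_FALSE_NONCRIT)
CA_SHAPED = _der(0x30, KEY_USAGE_EXT + BC_TRUE_CRITICAL)        # must never be issued from an EE profile

if __name__ == "__main__":
    for name, blob in [("missing", EE_MISSING_BC), ("compliant", EE_COMPLIANT),
                       ("noncritical", EE_NONCRITICAL), ("ca-shaped", CA_SHAPED)]:
        print(name, check_ee_basic_constraints(blob))
```

Note that the checker deliberately distinguishes the two failure classes: a missing or non-critical extension is a deviation from the proposed profile policy, while `cA` TRUE in a certificate issued from an EE profile is an outright BR violation and a sign that the profile can mint subordinate CAs.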


I don't think we need to do this. It can be configured per-profile after all, and there's no problem with the default profile configuration.

closing per triage on Jul 25

Metadata Update from @pvoborni:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

6 years ago
