Why limit x509 Extended Key Usages?

[johannww]

In practice, Fabric extendedKeyUsages are limited to ExtKeyUsageServerAuth (see references below). Is there a reason for that?

In the msp, the field x509.VerifyOptions.KeyUsages is never set:

fabric/msp/mspimplsetup.go

Line 118 in af3ccd3

msp.opts = &x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}

fabric/msp/mspimplsetup.go

Line 158 in af3ccd3

msp.opts = &x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}

Which means ExtKeyUsageServerAuth:

https://github.com/golang/go/blob/0afd7e85e5d7154161770f06a17d09bf1ffa3e94/src/crypto/x509/verify.go#L203-L206 states:

// KeyUsages specifies which Extended Key Usage values are acceptable. A
// chain is accepted if it allows any of the listed values. An empty list
// means ExtKeyUsageServerAuth. To accept any key usage, include ExtKeyUsageAny.
KeyUsages []ExtKeyUsage

In my case, the msp admin and peer had the following extended key usage:

        X509v3 extensions:
            X509v3 Extended Key Usage: 
                OCSP Signing

As a possible solution, the value could be set to x509.ExtKeyUsageAny.