IETF Logo Mail Archive

Re: [pkix] Critical certificate policies extension

"Todd E. Johnson" <tejohnson@yahoo.com> Tue, 12 July 2022 00:59 UTC

Return-Path: <tejohnson@yahoo.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8821BC16ECC0 for <pkix@ietfa.amsl.com>; Mon, 11 Jul 2022 17:59:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.458
X-Spam-Level:
X-Spam-Status: No, score=-1.458 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, REPTO_QUOTE_YAHOO=0.646, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sgd3X_Ui7353 for <pkix@ietfa.amsl.com>; Mon, 11 Jul 2022 17:59:14 -0700 (PDT)
Received: from sonic310-15.consmr.mail.bf2.yahoo.com (sonic310-15.consmr.mail.bf2.yahoo.com [74.6.135.125]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8E6CC15A733 for <pkix@ietf.org>; Mon, 11 Jul 2022 17:59:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1657587551; bh=FiOAaMsgMSlxf63L5WhUBYQ5Ok5/zpZNM+ATSCqesJY=; h=Date:From:Reply-To:To:In-Reply-To:References:Subject:From:Subject:Reply-To; b=oMWXkjSUmUUOIu6gK2XGmRYmBAnJd+sqQq7lKHlZeIX4IEDOg5HWhYoWl6VSSajgGpf7CPLiDbeEQMVS0XfX0Q0CVTf4iJOjg4/8mNezAz+vPp784fX9iFAweTUXSaHxr6n5QUVEgq0AXANEpGABuMlEs5IV9Bhg8Y2wqiM0DySjsK1iSkbSDQJ0FE63HjYEvPqcPip4oyqEZWB1OYjXm90Tm9m5JZwsUdx54CkVaxZifvRC0KboKsOhMj20Okz5GW01frG9izgVteiHU3Z94koMsE6lcpSZn6B7KIkOiIePzGvLJj7sRi+SalpNmMYVe46x7qYcEuwCJ+fbI5a4AQ==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1657587551; bh=psJGNfI0nFR1gxe55dZmLLZUGRZcwPuo9QUBl4ZLJhN=; h=X-Sonic-MF:Date:From:To:Subject:From:Subject; b=EKfZQbkoaJhgNRgaX8zqFTZ2LZ3/tltB/6c9h/8LJdzyf8gOEzcRgxhnYzO1C2o5r40RN74Tr0s14akHQOZbmMTENEv78d2LZwD9U4WDd0mqN5JZbkTMIFwD+YrJ+Me9Y+S2Hig0tL/lOLYe4XXd+bljOgb5g9g7ocC2O36mEqHVBefX6kx7bKZ8QQfqV7SGt/pHpGwoBkNrkbACu9q/1zgafnc4Hvu8PQMtJetQ744XLGWsXhrwpntyVfjuV3R+Sdqt0Z1wpECLrvPIs042C6A+TWjTbgHJ4gQRsDnsE1P1dA8EfkLqQKXdSaiRoGUzMgPdi0p9om4Wxxn1Wmn/Lg==
X-YMail-OSG: ep1EQyUVM1lUyGHNoIrLivUe88p5CIYZluGnk.OBNvYiNMwrW.lhSlH0f_wLQdC V.Rrok8H4KPpIox7wgcohBOGoUtkXXKqnzrr5tpcgCFEDaypn8pKH7b3.GA_bhQQ8Gw.3LsdA4Ot 5jj9SLiKghULNp6Bbjm5R6zjxFSivC5fhrr2EfIOCL_G51hcYXb3dICYhy2L8t_Zhte1EW.wmJQ4 qmeHinpEOQLJyPJ4T7ioOA945ELpAXu4hI5npwKh7a2xm9SStVG87LxjJ8haMHp.t.nCNukyjexd anRm9MzsWKiR36gTXl7XQKK0L..3Qq_xUKGgDqxsrjXHv.I0dCEKK8n0WkTaH1dYczBGAbzVKs_v f9savRklR1fMjKmYeCK3lOBisvxb_6_xvF8Pm98a9M1HFzOPEFMNMLwqSaNc.INoYRT2qf9RkssL VXPa1F1vjXBCsTcA7ssEXikuzar.7db1qT7Kx2jMAr.R.LQoiLO1byy.KIbhz52CXSM7l1WxX_Kw R21upEVyOOPRfyLVfSVJxEy9Ab9Zgw4si5tM4tls9XXFe4jMb_.CK4XxZGuO9JoPJRt36glBvMcu _4ePi9A8XsNm1BtpLdI30QArG5DFQ8EDBbuRLdsNMBAlVBAtyo0qXC.IH5S8qQuube.st1zIN98r wYeNwCuy2aJyU.uRcXEeVu0P_hX6xrYUf6zMZHbfK1xWMHWCDmRmCzc_Cw8SoYFEpBQOFaw9cfX0 PShwj7neHjG6IOnKHYz0YMT5jJBQ30ZP8UPQIYUNcGbGYzlU_mrwf2tSQNkzx.c6LWbPQnLqxSVj RBqfHsn9qawdJz24wDdrEX8QAA6brtoC_b0ewR9j2WOIXfW_D1PvfrxgJyL4CMdHfpVsblash8Up .Gno0_NrHnaVQ8jjT.Hb46UIcnCCBNR.5o6769gDF21A8QELKNfkw_BdcOW9hD22qrb7qrBR1lms M3QnW.pfIW9kraAjMwX6OCBWV3lUxNwQ1jTw0A1hyI3f9zJQfjjJeAyoobzGWoK95DcPRuIU9Yfi cc2qwg92I.gsuuLTkBGucKcWhgcwR7DGyszW5Bcw08MEIkdre38MfMNNFqA1MOPqqQce3s4wmrCB 1QWBEDkomBmzKqvc1yP5d98fBF_tkXptES8JOf.0KwX.Arf7cwTFwmj3IyO0rbZP_IdnqSMBQdt5 aYovdXzw.kmV6LoAA4REpG54C.ddqSwcolWgHyGdaKT29udPehlbrmt4ejN_wb09G69g1dVzZt80 JHy8HCrEO9aRoGZ7ZEldmsKjQG_M7Vqc5hbdF6siDaOaRHUY3zLJyRqL_13maQZfLbu7TUsoow8y .nHSfU5K8X.mOEuzALNUKEZ.NZ5xzspWRJmS1FarGqo5IGpWPlv53VS5PNmTAJaLZ4_8Z5g5va_0 ZzZZzH9v6Wg5ScH2A.PXED._K_NvYzaUFyfqf6cbXXjfeDErWJvIvCWJXyMXEFhDqEFVdgE1H8kV F3OMYyNVaQBRjXP4PFyqVJyKRdwg0iWssmJnT8y5m564UgqxOo2gmIZPbzB9no7SAy3QMiG850WR hjlM1hxvZaQkjAOkmhPDifvmUPQv27d8wUbPlFr81nateUS8bLxV.bBko3ug6F7yOoAgIaBnM5x8 kCS9aLme4MaGXn4Ec1n5jEw4OyT_oDdq39_SElrhcpEeUo.gFT3LcwCxtUi1zkO6flCrd3qIKoqv nXlWrKUt1ty9pwF8TlN2TVnX6s.F4IwwKwnJTToh8tcJ8HiZbOyiZYiDS04cLXhdGYgjkRtBCs_l G3Xbg1SXPT.xPCFrDyb0shlsluKzAXT86G5tE7Dy1Fz43QE1ih8fSRjJjw2mRv5IVAzZqnt8kMHL jm.TFFVkKdshW3vgkZ2xPRlwCjkCKOes3Xa.13f5lpw0QWxlvCSqGmhs7MmSPG1yGG4Ee9iXDn3V gLw42ZUBd7NclpoB5IZu6dvDzThItrcZvPE1dtF4nQnNpiWayJoCxXqcK6fHLWCnX8C3GX1UMy.h 1QzqXy5A.L45GfTckNqqnOX6O2ZcA9UO1D1hZy7aUQ6pCxKC0NDS3gzWudbuq4jiHCw1T_TxUkQ9 PcrpJUQBK7QGSuCCva0ntzz8Mm2YUHm9o4kC1JvEllz10Hr_kVXh6KVYSWbdmE_dpzzCDc48Oi5C auDFilakYSdvSOiacd_q7yfcoiEt.Smw1xXsoVmgIhczfKL8SUnqu.QI47k5jaX0Jd0wiiy2Nvmw 5ZVqHyvg0trmqmZstm.oVfcZ5kixxi60v_LcfFOt_z6BYwcWr5Ewl1K3iorH12ADzHwrKYA7gO_z H9miDkfIyoqi5rP9uELv_XGzRP2Ptqw9xH2k2FHx4UUfcCHYsH1UU8k83CpgpI9s4wm0j9tOlNAf N2ZeihojRPDnHJs3Vmak_4R_.EZJipA--
X-Sonic-MF: <tejohnson@yahoo.com>
Received: from sonic.gate.mail.ne1.yahoo.com by sonic310.consmr.mail.bf2.yahoo.com with HTTP; Tue, 12 Jul 2022 00:59:11 +0000
Date: Tue, 12 Jul 2022 00:59:06 +0000
From: "Todd E. Johnson" <tejohnson@yahoo.com>
Reply-To: "Todd E. Johnson" <tejohnson@yahoo.com>
To: Carl Wallace <carl@redhoundsoftware.com>, Niklas Matthies <pkix@nmhq.net>, pkix@ietf.org
Message-ID: <1362174353.117208.1657587546493@mail.yahoo.com>
In-Reply-To: <9EFCB4AD-47D8-49EF-B90F-BF47CB7A4037@redhoundsoftware.com>
References: <YswzrpCXx+IMjeYo@nmhq.net> <SY4PR01MB6251A6E61E56A33BB666B575EE879@SY4PR01MB6251.ausprd01.prod.outlook.com> <YsxIxNEjEauRzFsP@nmhq.net> <9EFCB4AD-47D8-49EF-B90F-BF47CB7A4037@redhoundsoftware.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_117207_1679661753.1657587546491"
X-Mailer: WebService/1.1.20407 YahooMailAndroidMobile
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/-3KPDuzb6diiBlWTYZTrjIGIfWw>
Subject: Re: [pkix] Critical certificate policies extension
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jul 2022 00:59:17 -0000

Evening,
I kinda feel certain that *some* folks might hate this comment, but; I feel this is partly why the U.S. Federal PKI inhibited PolicyQualifer in the original COMMON certificate and CRL profile (removed July 17, 2017?)
- https://www.idmanagement.gov/docs/fpki-x509-cert-profile-common.pdf
 
 
  On Mon, Jul 11, 2022 at 15:29, Carl Wallace<carl@redhoundsoftware.com> wrote:   Inline...

On 7/11/22, 11:59 AM, "pkix on behalf of Niklas Matthies" <pkix-bounces@ietf.org on behalf of pkix@nmhq.net> wrote:

    Peter,

    Thanks for your reply.

    On Mon 2022-07-11 at 14:52h, Peter Gutmann wrote on pkix:
    >Niklas Matthies <pkix@nmhq.net> writes:
    >
    >>The reason I'm asking is that the Java path building and validation
    >>implementation (formerly by Sun/Oracle, now OpenJDK) by default rejects
    >>certificates with a critical certificate policies extension if it contain any
    >>qualifiers [1]
    >
    >... and if the implementation has been configured to do so via the
    >rejectPolicyQualifiers flag.  So it's doing what the user asked it to do.

    Yes, but the flag is set by default, and the documentation [2] notes 
    that if it is not set, then the implementation is not PKIX compliant 
    by itself. This suggests that the implementers believed that the check
    triggered by the flag is necessary for PKIX compliance. What I thus 
    don't understand is (a) why they restricted it to checking the 
    qualifiers, but at the same time are fine with arbitrary policy OIDs, 
    and to a lesser degree (b) why they didn't make an exception for the 
    CSPuri and UserNotice qualifiers whose presence clearly(?) should not 
    affect path validation.

    [2] https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/security/cert/PKIXParameters.html#setPolicyQualifiersRejected(boolean)

[CW] I don't know why this decision was made, but it's possibly due to the fact that you can already address the policy OIDs using the user supplied policy set but there's no corresponding way to get at qualifiers.

    >This was one of the many parts of the standard that, when it was 
    >originally discussed, no two people could agree on, see e.g. the 
    >thread "Dave's Critical Proposal" from 1997.  There were many more 
    >like that.

    Thanks for that pointer. Just for reference, Dave's actual proposal 
    ssems to be [3], and further threads discussing the topic are anchored 
    at [4] and [5].

    [3] https://mailarchive.ietf.org/arch/msg/pkix/Hl3wPdiVIjNOL4rJ9NgQQjxAo08/
    [4] https://mailarchive.ietf.org/arch/msg/pkix/cXFcS3bcZUfDMp5YA_A0GizjJt8/
    [5] https://mailarchive.ietf.org/arch/msg/pkix/jvera4YQZvytTTQtX4zsziPcr6E/

    >So probably the best behaviour is "try and be consistent, and 
    >document what you do somewhere".

    Right. So I gather that rejecting all certificates containing a
    critical certificate policies extension with an unknown policy OID 
    would be a valid interpretation of the RFC requirements I cited.

[CW] I think that would probably cause unnecessary path validation failure. In some environments, certs are loaded up with policy OIDs and most of them likely don't matter to you. There is a change noted in RFC5280 on this topic:  "The path validation algorithm specified in Section 6 no longer tracks the criticality of the certificate policies extensions in a chain of certificates. In RFC 3280, this information was returned to a relying party." Here's some language from an old X.509 edition that is more consistent with what you are suggesting (though only if all policies in the valid policy set are unknown). The language here may also be why the decision referenced above was made (since it leaves open the possibility for non-standard qualifier processing).

    "If the extension is flagged critical, it indicates that the certificate shall only be used for the purpose, and in accordance with the rules implied by one of the indicated certificate policies. The rules of a particular policy may require the certificate-using system to process the qualifier value in a particular way. If the extension is flagged non-critical, use of this extension does not necessarily constrain use of the certificate to the policies listed. However, a certificate user may require a particular policy to be present in order to use the certificate (see clause 10). Policy qualifiers may, at the option of the certificate user, be processed or ignored."



_______________________________________________
pkix mailing list
pkix@ietf.org
https://www.ietf.org/mailman/listinfo/pkix

v2.23.0 | Report a Bug | By Email