Re: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.

"Piyush Jain" <piyush@ditenity.com> Wed, 20 February 2013 15:40 UTC

From: Piyush Jain <piyush@ditenity.com>
To: 'Stephen Kent' <kent@bbn.com>, 'Peter Gutmann' <pgut001@cs.auckland.ac.nz>, 'pkix' <pkix@ietf.org>
References: <9A043F3CF02CD34C8E74AC1594475C733340E7BB@uxcn10-2.UoA.auckland.ac.nz> <5124E404.2080500@bbn.com>
In-Reply-To: <5124E404.2080500@bbn.com>
Date: Wed, 20 Feb 2013 07:40:46 -0800
Message-ID: <008f01ce0f80$a7c06f00$f7414d00$@ditenity.com>

+1 for the response below.

Unfortunately the precedent has been set by changing standards to
accommodate implementations that incorrectly treat unknown certificates as
good in violation of 5280.
Don't underestimate the lobbying muscle of the browser forum. This time
they have two of the biggest corporations behind them :).


> -----Original Message-----
> From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of
> Stephen Kent
> Sent: Wednesday, February 20, 2013 6:56 AM
> To: Peter Gutmann; pkix
> Subject: Re: [pkix] A non-compliant use of the EKU extension in Mozilla's
> CA Certificate Policy Version 2.1.
> 
> If all widely-used and -adopted practices were good, we would adopt more of
> them.
> 
> That is clearly not the case. And, often, those who choose to adopt a
> practice that contradicts the standards do so before approaching PKIX. In
> such cases, adopting what has been done encourages the practice of avoiding
> the IETF process in favor of a "big vendor has decided to do X, so let's
> reward them with an RFC."
> 
> That's a bad idea in any WG context.
> 
> Steve
> 
> 
> On 2/19/13 7:41 PM, Peter Gutmann wrote:
> > Stephen Kent <kent@bbn.com> writes:
> >
> >> I think it unfortunate that Mozilla is advising folks to use EKU in a
> >> fashion that is not supported by X.509 or 5280. (Specifically, a
> >> compliant RP should not reject a subordinate cert based on an EKU
> >> value encountered in a CA cert higher in a cert path.)
> > The other way of looking at it is that it's unfortunate that PKIX
> > refuses to standardise a widely-used and -adopted practice.  As Stefan
> > pointed out, this is just another case of reality vs. PKIX, reality
> > will keep being what it is and PKIX will keep going down its own path,
> > unconstrained by reality.
> >
> > Peter.
> > _______________________________________________
> > pkix mailing list
> > pkix@ietf.org
> > https://www.ietf.org/mailman/listinfo/pkix
> >
> 
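The point of disagreement in the quoted exchange is concrete: Steve Kent notes that a compliant relying party should not reject a subordinate certificate because of an EKU value found in a CA certificate above it, while the practice Mozilla's policy relies on does exactly that. The following is an added illustration of that divergence; it is not code from the thread, from Mozilla's policy, or from any PKIX document. Certificates are modelled as plain dicts (a name plus an optional set of EKU OIDs) so the comparison runs without a PKI library; the id-kp OIDs are the real values from RFC 5280 section 4.2.1.12, but every certificate, name and path below is constructed for the example, the helper names are this example's own, and the choice to leave the trust anchor out of the chaining check is an assumption, since implementations differ on that.

```python
"""Model of the two EKU-handling behaviours at issue in this thread.

Added example, not code from the thread, from Mozilla's policy or from any
PKIX document. Certificates are plain dicts (name plus an optional set of EKU
OIDs) so the comparison runs without a PKI library; the OIDs are the real
id-kp values from RFC 5280 section 4.2.1.12.
"""

ANY_EKU = "2.5.29.37.0"             # anyExtendedKeyUsage
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"  # id-kp-codeSigning


def cert(name, eku=None):
    """Build a stand-in certificate. eku=None models a certificate that
    carries no EKU extension at all (distinct from an empty set)."""
    return {"name": name, "eku": None if eku is None else frozenset(eku)}


def permits(c, purpose):
    """Per-certificate EKU test, RFC 5280 section 4.2.1.12: no extension or
    anyExtendedKeyUsage means unrestricted; otherwise the purpose must be listed."""
    if c["eku"] is None:
        return True
    return purpose in c["eku"] or ANY_EKU in c["eku"]


def accept_rfc5280(path, purpose):
    """path is ordered end entity first and excludes the trust anchor.
    RFC 5280 section 6.1 path validation does not consult EKU at all, so a
    compliant RP decides on the end-entity certificate alone."""
    return permits(path[0], purpose)


def accept_eku_chaining(path, purpose):
    """The practice Mozilla's policy relies on: an EKU in a CA certificate
    restricts every certificate below it, so each intermediate that carries
    the extension must also permit the purpose. Whether the trust anchor's own
    EKU is consulted varies by implementation; this model excludes it (assumption)."""
    return all(permits(c, purpose) for c in path)


# Constructed sample certificates for the example, not real issuances.
SUB_CA_TLS_ONLY = cert("Example Sub-CA (EKU: serverAuth, clientAuth)",
                       {SERVER_AUTH, CLIENT_AUTH})
SUB_CA_NO_EKU = cert("Example Sub-CA (no EKU extension)")
LEAF_TLS = cert("www.example.com", {SERVER_AUTH})
LEAF_CODESIGN = cert("Example Code Signer", {CODE_SIGNING})


def compare(path, purpose):
    """Return (rfc5280_verdict, eku_chaining_verdict) for one path and purpose."""
    return accept_rfc5280(path, purpose), accept_eku_chaining(path, purpose)


def disagreements():
    """Every constructed case in which the two behaviours reach different verdicts.
    Chaining only ever adds rejections, so a disagreement always means
    'RFC 5280 accepts, EKU chaining rejects'."""
    cases = [
        ([LEAF_TLS, SUB_CA_TLS_ONLY], SERVER_AUTH),
        ([LEAF_CODESIGN, SUB_CA_TLS_ONLY], CODE_SIGNING),  # CA's EKU does not cover codeSigning
        ([LEAF_CODESIGN, SUB_CA_NO_EKU], CODE_SIGNING),
        ([LEAF_TLS, SUB_CA_TLS_ONLY], CODE_SIGNING),       # wrong purpose for the leaf itself
    ]
    out = []
    for path, purpose in cases:
        rfc, chain = compare(path, purpose)
        if rfc != chain:
            out.append((path[0]["name"], path[1]["name"], purpose))
    return out


if __name__ == "__main__":
    for leaf, ca, purpose in disagreements():
        print(f"RFC 5280 accepts but EKU chaining rejects: {leaf} under {ca} for {purpose}")
```

The one case where the verdicts differ is the code-signing leaf issued under an intermediate whose EKU lists only serverAuth and clientAuth: an RFC 5280 relying party accepts it, a chaining relying party rejects it. That rejection is what a policy built on "technically constrained" sub-CAs is counting on, and it is also exactly the behaviour Steve Kent's parenthetical says 5280 does not license.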