Re: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.
Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 20 February 2013 00:41 UTC
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A40821F87C3 for <pkix@ietfa.amsl.com>; Tue, 19 Feb 2013 16:41:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.412
X-Spam-Level:
X-Spam-Status: No, score=-2.412 tagged_above=-999 required=5 tests=[AWL=0.187, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gpslp9xV-cNx for <pkix@ietfa.amsl.com>; Tue, 19 Feb 2013 16:41:39 -0800 (PST)
Received: from mx2.auckland.ac.nz (mx2.auckland.ac.nz [130.216.125.244]) by ietfa.amsl.com (Postfix) with ESMTP id 9E5E521F87AB for <pkix@ietf.org>; Tue, 19 Feb 2013 16:41:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz; q=dns/txt; s=uoa; t=1361320899; x=1392856899; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=BmyLeeoQozn2Jy5KItBVbRhfKUqrDINOozGdu0K9ldo=; b=FBAAx62J6f9m9f/YRWl05kggGhIze/4XMpU+dGt6XhA0kLvhp9jv/ea3 8uO5PgLBjbtrO1t/WZ7B3SqzOTzCtr+hek/4+bGr+WlNOBXRVUqQbYmWv DgIhdc8pYXCpf+298d+7vhwx3cWLmxXMrARUKtVOd+k6qZp0QPoMKMLpI c=;
X-IronPort-AV: E=Sophos;i="4.84,698,1355050800"; d="scan'208";a="171264482"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.112 - Outgoing - Outgoing
Received: from uxchange10-fe1.uoa.auckland.ac.nz ([130.216.4.112]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES128-SHA; 20 Feb 2013 13:41:38 +1300
Received: from UXCHANGE10-FE4.UoA.auckland.ac.nz (130.216.4.171) by uxchange10-fe1.UoA.auckland.ac.nz (130.216.4.112) with Microsoft SMTP Server (TLS) id 14.2.318.4; Wed, 20 Feb 2013 13:41:38 +1300
Received: from UXCN10-2.UoA.auckland.ac.nz ([169.254.2.108]) by uxchange10-fe4.UoA.auckland.ac.nz ([130.216.4.171]) with mapi id 14.02.0318.004; Wed, 20 Feb 2013 13:41:38 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: IETF PKIX <pkix@ietf.org>
Thread-Topic: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.
Thread-Index: Ac4PAwrGDFDziHtuR1+/bLq7NHvjsA==
Date: Wed, 20 Feb 2013 00:41:38 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C733340E7BB@uxcn10-2.UoA.auckland.ac.nz>
Accept-Language: en-GB, en-NZ, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2013 00:41:40 -0000
Stephen Kent <kent@bbn.com> writes: >I think it unfortunate that Mozilla is advising folks to use EKU in a fashion >that is not supported by X.509 or 5280. (Specifically, a compliant RP should >not reject a subordinate cert based on an EKU value encountered in a CA cert >higher in a cert path.) The other way of looking at it is that it's unfortunate that PKIX refuses to standardise a widely-used and -adopted practice. As Stefan pointed out, this is just another case of reality vs. PKIX, reality will keep being what it is and PKIX will keep going down its own path, unconstrained by reality. Peter.
- [pkix] A non-compliant use of the EKU extension i… Denis Pinkas
- Re: [pkix] A non-compliant use of the EKU extensi… Erwann Abalea
- Re: [pkix] A non-compliant use of the EKU extensi… David A. Cooper
- Re: [pkix] A non-compliant use of the EKU extensi… Piyush Jain
- Re: [pkix] A non-compliant use of the EKU extensi… Stefan Santesson
- Re: [pkix] A non-compliant use of the EKU extensi… Stephen Kent
- Re: [pkix] A non-compliant use of the EKU extensi… Peter Gutmann
- Re: [pkix] A non-compliant use of the EKU extensi… Denis Pinkas
- Re: [pkix] A non-compliant use of the EKU extensi… Stephen Kent
- Re: [pkix] A non-compliant use of the EKU extensi… Piyush Jain
- Re: [pkix] A non-compliant use of the EKU extensi… Stefan Santesson
- Re: [pkix] A non-compliant use of the EKU extensi… Piyush Jain
- Re: [pkix] A non-compliant use of the EKU extensi… Santosh Chokhani
- Re: [pkix] A non-compliant use of the EKU extensi… Erwann Abalea
- Re: [pkix] A non-compliant use of the EKU extensi… Dr Stephen Henson
- Re: [pkix] A non-compliant use of the EKU extensi… Martin Rex
- Re: [pkix] A non-compliant use of the EKU extensi… Michael StJohns
- Re: [pkix] A non-compliant use of the EKU extensi… Michael StJohns
- Re: [pkix] A non-compliant use of the EKU extensi… Henry B. Hotz
- Re: [pkix] A non-compliant use of the EKU extensi… Stefan Santesson
- Re: [pkix] A non-compliant use of the EKU extensi… Peter Gutmann
- Re: [pkix] A non-compliant use of the EKU extensi… Peter Gutmann
- Re: [pkix] A non-compliant use of the EKU extensi… Yoav Nir
- Re: [pkix] A non-compliant use of the EKU extensi… Erwann Abalea
- Re: [pkix] A non-compliant use of the EKU extensi… Stefan Santesson
- Re: [pkix] A non-compliant use of the EKU extensi… Peter Sylvester
- Re: [pkix] A non-compliant use of the EKU extensi… Piyush Jain
- [pkix] Agenda items for PKIX in Orlando Stefan Santesson
- Re: [pkix] A non-compliant use of the EKU extensi… Stephen Kent
- [pkix] PKIX WG's (lack of) agility to adopt missi… Martin Rex