Re: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.

Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 20 February 2013 00:41 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: IETF PKIX <pkix@ietf.org>
Date: Wed, 20 Feb 2013 00:41:38 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C733340E7BB@uxcn10-2.UoA.auckland.ac.nz>

Stephen Kent <kent@bbn.com> writes:

>I think it unfortunate that Mozilla is advising folks to use EKU in a fashion
>that is not supported by X.509 or 5280. (Specifically, a compliant RP should
>not reject a subordinate cert based on an EKU value encountered in a CA cert
>higher in a cert path.)

The other way of looking at it is that it's unfortunate that PKIX refuses to
standardise a widely-used and -adopted practice. As Stefan pointed out, this
is just another case of reality vs. PKIX: reality will keep being what it is,
and PKIX will keep going down its own path, unconstrained by reality.

Peter.
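The disagreement in this thread is about what a relying party does with an EKU extension found in a CA certificate. Below is an added example, not part of the original mail or of any PKIX document, that models the two readings side by side: the RFC 5280 reading, in which only the end-entity certificate's EKU is consulted, and the "reality" reading Peter refers to, in which every certificate on the path must permit the purpose. The certificate names, the paths and the `Cert` model are constructed for the example; the OIDs are the ones RFC 5280 section 4.2.1.12 assigns. Whether the trust anchor itself is subject to the chained check is left to the caller (it is included here if it is in the path list).

```python
"""
Two readings of the Extended Key Usage (EKU) extension during path validation.

RFC 5280 defines EKU in terms of the end-entity certificate's key and says
nothing about an EKU in a CA certificate constraining certificates issued
below it, so a strictly conforming relying party looks only at the leaf.
The practice the thread calls widely adopted treats an EKU in a CA
certificate as a constraint on everything issued under it: a purpose is
acceptable only if every certificate on the path either has no EKU
extension or lists that purpose (or anyExtendedKeyUsage).

Paths are ordered leaf first, trust anchor last. All certificates below are
constructed for this example; they are not real certificates.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# KeyPurposeId OIDs from RFC 5280 section 4.2.1.12
ANY_EKU = "2.5.29.37.0"
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for a certificate: just a name and its EKU set."""
    name: str
    eku: Optional[FrozenSet[str]] = None  # None means the extension is absent


def cert_permits(cert: Cert, purpose: str) -> bool:
    """An absent EKU places no restriction; anyExtendedKeyUsage is treated as
    permitting every purpose (RFC 5280 lets strict applications reject it)."""
    if cert.eku is None:
        return True
    return purpose in cert.eku or ANY_EKU in cert.eku


def rfc5280_purpose_ok(path: List[Cert], purpose: str) -> bool:
    """Conforming reading: only the end-entity certificate's EKU matters."""
    return cert_permits(path[0], purpose)


def chained_purpose_ok(path: List[Cert], purpose: str) -> bool:
    """Chained reading: every certificate on the path must permit the purpose."""
    return all(cert_permits(c, purpose) for c in path)


def effective_purposes(path: List[Cert]) -> Optional[FrozenSet[str]]:
    """Under the chained reading, the set of purposes the leaf can actually be
    used for: the intersection of all constraining EKUs on the path.
    None means nothing on the path constrains the key."""
    result: Optional[FrozenSet[str]] = None
    for cert in path:
        if cert.eku is None or ANY_EKU in cert.eku:
            continue  # imposes no constraint
        result = cert.eku if result is None else result & cert.eku
    return result


def compare(path: List[Cert], purpose: str) -> Dict[str, bool]:
    """Both verdicts for one purpose, so a reviewer can see where they diverge."""
    return {
        "rfc5280": rfc5280_purpose_ok(path, purpose),
        "chained": chained_purpose_ok(path, purpose),
    }


# Constructed certificates and paths (not real CAs).
ROOT = Cert("Constructed Root CA")
TLS_ONLY_INT = Cert("Constructed TLS-only Intermediate",
                    eku=frozenset({SERVER_AUTH, CLIENT_AUTH}))
CODE_LEAF = Cert("Constructed code-signing leaf", eku=frozenset({CODE_SIGNING}))
TLS_LEAF = Cert("Constructed TLS server leaf", eku=frozenset({SERVER_AUTH}))

# The case Kent describes: a leaf whose EKU is fine on its own, issued by a
# CA whose EKU does not cover that purpose.
DISPUTED_PATH = [CODE_LEAF, TLS_ONLY_INT, ROOT]
# A path on which the two readings agree.
AGREED_PATH = [TLS_LEAF, TLS_ONLY_INT, ROOT]

if __name__ == "__main__":
    for label, path in (("disputed", DISPUTED_PATH), ("agreed", AGREED_PATH)):
        print(f"{label}: leaf={path[0].name!r}")
        for purpose in (SERVER_AUTH, CODE_SIGNING):
            print(f"  {purpose}: {compare(path, purpose)}")
        print(f"  effective purposes (chained): {effective_purposes(path)}")
```

On the disputed path the conforming check accepts the leaf for code signing while the chained check rejects it, and the effective purpose set is empty: under the chained reading that leaf is usable for nothing at all. On the agreed path both readings accept server authentication. Mirroring both readings in a validator's test suite is the practical way to catch certificates that will be accepted by one class of relying parties and rejected by another.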