Re: [pkix] Critical certificate policies extension

Peter Gutmann <pgut001@cs.auckland.ac.nz> Thu, 21 July 2022 06:09 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Niklas Matthies <pkix@nmhq.net>, "pkix@ietf.org" <pkix@ietf.org>
Thread-Topic: [pkix] Critical certificate policies extension
Thread-Index: AQHYlTKj67xjOc4T4UqkR+NDbP9vNq15QP59gAAS4QCABDlD5YAIk9IAgAJFPPY=
Date: Thu, 21 Jul 2022 06:09:18 +0000
Message-ID: <SY4PR01MB6251EF2BC97B06A0DD673EF0EE919@SY4PR01MB6251.ausprd01.prod.outlook.com>
References: <YswzrpCXx+IMjeYo@nmhq.net> <SY4PR01MB6251A6E61E56A33BB666B575EE879@SY4PR01MB6251.ausprd01.prod.outlook.com> <YsxIxNEjEauRzFsP@nmhq.net> <SY4PR01MB625137F3FE5F6324F7D143C8EE889@SY4PR01MB6251.ausprd01.prod.outlook.com> <YtcFyClwxfzMypdj@nmhq.net>
In-Reply-To: <YtcFyClwxfzMypdj@nmhq.net>
Accept-Language: en-NZ, en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/IP9ZEX_A5U8Bh5A9PdWjPh9q-ns>
Subject: Re: [pkix] Critical certificate policies extension

Niklas Matthies <pkix@nmhq.net> writes:

>But you don't have different sets of applicable extension-specific
>requirements depending on whether the extension is critical or not.

It certainly doesn't seem to be correct behaviour.  When something like this
crops up in code, particularly when it's been implemented as a configurable
option, it's often because some large customer asked for it and it was made
configurable because everyone else doesn't want it that way... does the US
Federal PKI or other government PKI require this behaviour?

Peter.