IETF Logo Mail Archive

Re: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.

Erwann Abalea <eabalea@gmail.com> Wed, 20 February 2013 16:27 UTC

Return-Path: <eabalea@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7EAB21F8915 for <pkix@ietfa.amsl.com>; Wed, 20 Feb 2013 08:27:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.448
X-Spam-Level:
X-Spam-Status: No, score=-3.448 tagged_above=-999 required=5 tests=[AWL=0.150, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id alY-Q98PU377 for <pkix@ietfa.amsl.com>; Wed, 20 Feb 2013 08:26:47 -0800 (PST)
Received: from mail-ve0-f181.google.com (mail-ve0-f181.google.com [209.85.128.181]) by ietfa.amsl.com (Postfix) with ESMTP id 5883121F86A1 for <pkix@ietf.org>; Wed, 20 Feb 2013 08:26:44 -0800 (PST)
Received: by mail-ve0-f181.google.com with SMTP id d10so7108834vea.12 for <pkix@ietf.org>; Wed, 20 Feb 2013 08:26:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=wXnTEYm6//InU7QIPVrK7jusqNDPN1QWzzRHX0GZ27E=; b=bC7uNdQpnspWRfd79l7w9zrf+yHf00qewL5R8BwYTnzD7s59zoZZLtmo34Wu+UUNp+ EcjK1NDbn8iBHxW/9mxebHNH7jqAN91dsdl/Wn1DGMEHibQ7h2JAkAqJ28FfC3/ReN7o bzulx+363X43T/kaBcfbCLxMWp3juSvXu3EfrklZjoXi77wdo/zyeGkxHlt1J3Hfie0G aZKHvcP/Tyqm4BfcBKl+HdskPiKvJHog8nFWNd8p0582SW2Lr7gwy9hLRRgIlcT1sQFD 8nGPE7d/ywbLnyq7MIIkDF1jROPhx4VQYnwfFSkO6kDuifLTN9Qe+2eJ4/fy8Bb6cFsK 9xXg==
MIME-Version: 1.0
X-Received: by 10.220.219.208 with SMTP id hv16mr11015149vcb.62.1361377597610; Wed, 20 Feb 2013 08:26:37 -0800 (PST)
Received: by 10.52.156.49 with HTTP; Wed, 20 Feb 2013 08:26:37 -0800 (PST)
In-Reply-To: <CAP=4qKQ0FTSr0zHDERNjRXW19fn+g1iLWWXkZOWtxDfFYi9+rA@mail.gmail.com>
References: <5123E0C7.5020506@bbn.com> <CD4AAC65.5B8D5%stefan@aaa-sec.com> <CAP=4qKQ0FTSr0zHDERNjRXW19fn+g1iLWWXkZOWtxDfFYi9+rA@mail.gmail.com>
Date: Wed, 20 Feb 2013 17:26:37 +0100
Message-ID: <CA+i=0E5Ak1uSRD4mixVNhoi1_m=AVt2f+gEs+-PdAcjzHVna8g@mail.gmail.com>
From: Erwann Abalea <eabalea@gmail.com>
To: Piyush Jain <piyush@ditenity.com>
Content-Type: multipart/alternative; boundary="14dae9cfce5e1c5c5d04d62a6cd0"
Cc: Stefan Santesson <stefan@aaa-sec.com>, pkix <pkix@ietf.org>
Subject: Re: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2013 16:27:00 -0000

2013/2/20 Piyush Jain <piyush@ditenity.com>

> really?
>
> implementers can choose to define another eku like extension with a
> different OID. it does not break the standards and serves their need.
> Their attitude will change only when their customers start complaining
> that their products are cannot inter operate with others because they don't
> follow the standards.
>
They can define their own extension, like MS ApplicationPolicy, or
NetscapeCertType.
They can also rely on CertificatePolicies (which they do for EV
certificates, and are starting to do for DV/OV).

-- 
Erwann.

v2.23.0 | Report a Bug | By Email