Re: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.

Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 20 February 2013 23:53 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: IETF PKIX <pkix@ietf.org>
Date: Wed, 20 Feb 2013 23:53:19 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C733340EFFC@uxcn10-2.UoA.auckland.ac.nz>
Subject: Re: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.

Denis Pinkas <denis.pinkas@bull.net> writes:

>I believe that you are missing a point in the standardization process: once
>an OID has been defined, its semantics CANNOT be changed.

So this means almost every bit of text since RFC 2459 is invalid or illegal or
whatever happens when you change the semantics of an OID?  There are OIDs for
all sorts of things in there that have been modified and adapted in every RFC
since then.

>Thus the reality is not the one you describe, but the fact that large
>companies are ignoring standards and it is time to let them understand that
>the software they provide is not compliant with the standards.

Lest the hand of God come down and smite them, because we all know how
seriously God takes standards.

Peter.