IETF Logo Mail Archive

Re: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.

Piyush Jain <piyush@ditenity.com> Wed, 20 February 2013 16:13 UTC

Return-Path: <piyush@ditenity.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82F0721F8639 for <pkix@ietfa.amsl.com>; Wed, 20 Feb 2013 08:13:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.976
X-Spam-Level:
X-Spam-Status: No, score=-2.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E+aILKH3tE2m for <pkix@ietfa.amsl.com>; Wed, 20 Feb 2013 08:13:26 -0800 (PST)
Received: from mail-qa0-f46.google.com (mail-qa0-f46.google.com [209.85.216.46]) by ietfa.amsl.com (Postfix) with ESMTP id 9A0A321F8633 for <pkix@ietf.org>; Wed, 20 Feb 2013 08:13:26 -0800 (PST)
Received: by mail-qa0-f46.google.com with SMTP id o13so2489783qaj.19 for <pkix@ietf.org>; Wed, 20 Feb 2013 08:13:26 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:x-originating-ip:in-reply-to:references :date:message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=NSYi3L5nUNPE9BQ5rQ07SjmEpJoFSVPpDc6qm8ed4qE=; b=X2Q9+0rmm2nmcqwK1cxTPkTPm6WgrBQit4hXW2xeD+2qaYfy4WEyd2DjqClvWsn46d s9JjaEBXFnNsmiq/Qlbto+VZEOx0qtOTQ97ROFoJj3oCZEKdxG4b2MhW8Bv2Ut/hpVsn QXe/xi1+od98eOrJys+SpE0HKwUTOxx473w01O4luJ/Muu1JrUSJIVyw+hAdwsgGtjho BJWsYtmJVqn8yKKGiC1FgxyA14Y9cPJmtdPZToZJOslVnEwdWKyTzRcyRxndbIsuK8Uh TU6KsRitHZkrZCUJ59OyaBBYWLZwIcWI0JNm0gLumaDWXA5WFqad1xCCh/0F1T+XN8gS YVuQ==
MIME-Version: 1.0
X-Received: by 10.224.186.81 with SMTP id cr17mr9515634qab.99.1361376806068; Wed, 20 Feb 2013 08:13:26 -0800 (PST)
Received: by 10.49.14.34 with HTTP; Wed, 20 Feb 2013 08:13:25 -0800 (PST)
X-Originating-IP: [166.137.185.37]
Received: by 10.49.14.34 with HTTP; Wed, 20 Feb 2013 08:13:25 -0800 (PST)
In-Reply-To: <CD4AAC65.5B8D5%stefan@aaa-sec.com>
References: <5123E0C7.5020506@bbn.com> <CD4AAC65.5B8D5%stefan@aaa-sec.com>
Date: Wed, 20 Feb 2013 08:13:25 -0800
Message-ID: <CAP=4qKQ0FTSr0zHDERNjRXW19fn+g1iLWWXkZOWtxDfFYi9+rA@mail.gmail.com>
From: Piyush Jain <piyush@ditenity.com>
To: Stefan Santesson <stefan@aaa-sec.com>
Content-Type: multipart/alternative; boundary="485b397dcddbee60b404d62a3c19"
X-Gm-Message-State: ALoCoQmam89xZm8hyO3q4n7YsIyccKHLDKguavFsoaUAn/eV79nZ14fM3cedYEMBzrctKg8DdQGr
Cc: pkix <pkix@ietf.org>
Subject: Re: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2013 16:13:27 -0000

really?

implementers can choose to define another eku like extension with a
different OID. it does not break the standards and serves their need.
Their attitude will change only when their customers start complaining that
their products are cannot inter operate with others because they don't
follow the standards.
On Feb 20, 2013 7:46 AM, "Stefan Santesson" <stefan@aaa-sec.com> wrote:

> Steve,
>
> I don't make any statement in the context of right and wrong.
>
> I'm merely exploring the facts of the case.
>
> Another fact of the case is that implementers priority often put customer
> demands and what works first.
> This is done as far as possible by following standards, but if necessary,
> by stretching them and if necessary by breaking them.
>
> What can make those organisations change attitude is, I'm afraid, not a
> yard stick held up by a standards body.
>
> The present case is as far as I can see a complete deadlock.
> Nor ITU/ISO nor PKIX can change the meaning of EKU, neither can
> implementers do what they feel they need to do without breaking/stretching
> the standard.
>
> /Stefan
>
>
> On 2/19/13 9:29 PM, "Stephen Kent" <kent@bbn.com> wrote:
>
> >Denis,
> >
> >I agree with your analysis of the situation, as seconded by David Cooper.
> >
> >I think it unfortunate that Mozilla is advising folks to use EKU in a
> >fashion that is not supported
> >by X.509 or 5280. (Specifically, a compliant RP should not reject a
> >subordinate cert based on an EKU value
> >encountered in a CA cert higher in a cert path.)
> >
> >While I appreciate the desire to have this sort of transitive scoping
> >expressed via an EKU,
> >that extension, unlike some others in X.509/5280, does not offer this
> >feature.  It would be
> >preferable to define a nee extension, rather that misinterpret an
> >existing one.
> >
> >Sorry, Stefan, but just because MS earlier did this doesn't make it
> >right :-).
> >
> >Steve
> >
> >_______________________________________________
> >pkix mailing list
> >pkix@ietf.org
> >https://www.ietf.org/mailman/listinfo/pkix
>
>
> _______________________________________________
> pkix mailing list
> pkix@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix
>

v2.23.0 | Report a Bug | By Email