IETF Logo Mail Archive

Re: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.

Santosh Chokhani <SChokhani@cygnacom.com> Wed, 20 February 2013 16:17 UTC

Return-Path: <SChokhani@cygnacom.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A30821F863F for <pkix@ietfa.amsl.com>; Wed, 20 Feb 2013 08:17:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yCNGx9d+y6Rn for <pkix@ietfa.amsl.com>; Wed, 20 Feb 2013 08:17:28 -0800 (PST)
Received: from ipedge1.cygnacom.com (ipedge1.cygnacom.com [216.191.252.12]) by ietfa.amsl.com (Postfix) with ESMTP id B94BA21F8881 for <pkix@ietf.org>; Wed, 20 Feb 2013 08:17:27 -0800 (PST)
X-IronPort-AV: E=Sophos;i="4.84,702,1355115600"; d="scan'208,217";a="7895162"
Received: from unknown (HELO scygexch7.cygnacom.com) ([10.4.60.22]) by ipedge1.cygnacom.com with ESMTP; 20 Feb 2013 11:17:25 -0500
Received: from scygexch7.cygnacom.com ([::1]) by scygexch7.cygnacom.com ([::1]) with mapi; Wed, 20 Feb 2013 11:15:14 -0500
From: Santosh Chokhani <SChokhani@cygnacom.com>
To: Piyush Jain <piyush@ditenity.com>, Stefan Santesson <stefan@aaa-sec.com>
Date: Wed, 20 Feb 2013 11:15:12 -0500
Thread-Topic: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.
Thread-Index: Ac4PhTq4xcbtrLZgSrK4Yz2GzlLbFAAACdvw
Message-ID: <B83745DA469B7847811819C5005244AFF3DC903F@scygexch7.cygnacom.com>
References: <5123E0C7.5020506@bbn.com> <CD4AAC65.5B8D5%stefan@aaa-sec.com> <CAP=4qKQ0FTSr0zHDERNjRXW19fn+g1iLWWXkZOWtxDfFYi9+rA@mail.gmail.com>
In-Reply-To: <CAP=4qKQ0FTSr0zHDERNjRXW19fn+g1iLWWXkZOWtxDfFYi9+rA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_B83745DA469B7847811819C5005244AFF3DC903Fscygexch7cygnac_"
MIME-Version: 1.0
Cc: pkix <pkix@ietf.org>
Subject: Re: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2013 16:17:30 -0000

Actually MSFT has (or had it).  It  is (was) "application policies.

From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of Piyush Jain
Sent: Wednesday, February 20, 2013 11:13 AM
To: Stefan Santesson
Cc: pkix
Subject: Re: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.


really?

implementers can choose to define another eku like extension with a different OID. it does not break the standards and serves their need.
Their attitude will change only when their customers start complaining that their products are cannot inter operate with others because they don't follow the standards.
On Feb 20, 2013 7:46 AM, "Stefan Santesson" <stefan@aaa-sec.com<mailto:stefan@aaa-sec.com>> wrote:
Steve,

I don't make any statement in the context of right and wrong.

I'm merely exploring the facts of the case.

Another fact of the case is that implementers priority often put customer
demands and what works first.
This is done as far as possible by following standards, but if necessary,
by stretching them and if necessary by breaking them.

What can make those organisations change attitude is, I'm afraid, not a
yard stick held up by a standards body.

The present case is as far as I can see a complete deadlock.
Nor ITU/ISO nor PKIX can change the meaning of EKU, neither can
implementers do what they feel they need to do without breaking/stretching
the standard.

/Stefan


On 2/19/13 9:29 PM, "Stephen Kent" <kent@bbn.com<mailto:kent@bbn.com>> wrote:

>Denis,
>
>I agree with your analysis of the situation, as seconded by David Cooper.
>
>I think it unfortunate that Mozilla is advising folks to use EKU in a
>fashion that is not supported
>by X.509 or 5280. (Specifically, a compliant RP should not reject a
>subordinate cert based on an EKU value
>encountered in a CA cert higher in a cert path.)
>
>While I appreciate the desire to have this sort of transitive scoping
>expressed via an EKU,
>that extension, unlike some others in X.509/5280, does not offer this
>feature.  It would be
>preferable to define a nee extension, rather that misinterpret an
>existing one.
>
>Sorry, Stefan, but just because MS earlier did this doesn't make it
>right :-).
>
>Steve
>
>_______________________________________________
>pkix mailing list
>pkix@ietf.org<mailto:pkix@ietf.org>
>https://www.ietf.org/mailman/listinfo/pkix


_______________________________________________
pkix mailing list
pkix@ietf.org<mailto:pkix@ietf.org>
https://www.ietf.org/mailman/listinfo/pkix

v2.23.0 | Report a Bug | By Email