Re: [pkix] Critical certificate policies extension

Peter Gutmann <pgut001@cs.auckland.ac.nz> Mon, 11 July 2022 14:52 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Niklas Matthies <pkix@nmhq.net>, "pkix@ietf.org" <pkix@ietf.org>
Thread-Topic: [pkix] Critical certificate policies extension
Thread-Index: AQHYlTKj67xjOc4T4UqkR+NDbP9vNq15QP59
Date: Mon, 11 Jul 2022 14:52:40 +0000
Message-ID: <SY4PR01MB6251A6E61E56A33BB666B575EE879@SY4PR01MB6251.ausprd01.prod.outlook.com>
References: <YswzrpCXx+IMjeYo@nmhq.net>
In-Reply-To: <YswzrpCXx+IMjeYo@nmhq.net>
Accept-Language: en-NZ, en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/jZveO3BjR8my4Hp9fBWon4lqRo0>
Subject: Re: [pkix] Critical certificate policies extension

Niklas Matthies <pkix@nmhq.net> writes:

>The reason I'm asking is that the Java path building and validation
>implementation (formerly by Sun/Oracle, now OpenJDK) by default rejects
>certificates with a critical certificate policies extension if it contains any
>qualifiers [1]

... and if the implementation has been configured to do so via the
rejectPolicyQualifiers flag.  So it's doing what the user asked it to do.

>despite the RFC explicitly stating for the former that "No action is mandated
>by this specification regardless of the criticality value asserted for the
>extension"),

That sentence is preceded by "Processing requirements for this qualifier are a
local matter", so it's saying "what you do with this is up to you, we're not
going to mandate anything".  So this part makes sense too.

>1. Does that Java behavior make any sense?

Seems to.

>2. What would be the correct behavior for unknown policy OIDs without
>qualifiers, or with only CPSuri and/or UserNotice qualifiers?

This was one of the many parts of the standard that, when it was originally
discussed, no two people could agree on, see e.g. the thread "Dave's Critical
Proposal" from 1997.  There were many more like that.

So probably the best behaviour is "try and be consistent, and document what
you do somewhere".

Peter.
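As an added illustration of Peter's "be consistent and document what you do" advice (example code written for this archive page, not from Peter, Niklas, OpenJDK or RFC 5280): the block below parses a DER-encoded certificatePolicies extension value with a minimal hand-written DER reader, extracts each policy OID and its qualifier type OIDs, and applies one explicitly documented local rule for the critical case. The `reject_qualifiers` switch mirrors the Java behaviour the thread discusses, which the JDK exposes as `PKIXParameters.setPolicyQualifiersRejected(boolean)`; the qualifier OIDs id-qt-cps and id-qt-unotice are the RFC 5280 values, while the policy OIDs under 1.2.3.4 and the CPS URL are constructed sample data. The rule itself (accept unknown policy OIDs, reject only uninterpretable qualifier types or, when configured, any qualifier) is this example's choice, not something the RFC mandates.

```python
# Added example: parse certificatePolicies (RFC 5280 4.2.1.4) and apply a
# documented local rule for critical extensions with qualifiers.
# Policy OIDs 1.2.3.4.* and the CPS URL below are constructed sample values.
from dataclasses import dataclass

OID_CPS_URI = "1.3.6.1.5.5.7.2.1"      # id-qt-cps (RFC 5280)
OID_USER_NOTICE = "1.3.6.1.5.5.7.2.2"  # id-qt-unotice (RFC 5280)
KNOWN_QUALIFIERS = frozenset({OID_CPS_URI, OID_USER_NOTICE})


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (long-form length when content is >= 128 bytes)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID as an OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position just after this TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:                     # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


@dataclass
class PolicyInformation:
    policy_oid: str
    qualifier_oids: list   # policyQualifierId of each qualifier, in order


def parse_certificate_policies(ext_value: bytes) -> list:
    """Parse extnValue contents: SEQUENCE OF PolicyInformation."""
    tag, outer, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    policies, pos = [], 0
    while pos < len(outer):
        _, pinfo, pos = read_tlv(outer, pos)        # PolicyInformation
        tag, oid_bytes, p = read_tlv(pinfo, 0)      # policyIdentifier
        if tag != 0x06:
            raise ValueError("policyIdentifier must be an OID")
        quals = []
        if p < len(pinfo):                          # optional policyQualifiers
            _, qseq, _ = read_tlv(pinfo, p)
            qp = 0
            while qp < len(qseq):
                _, qinfo, qp = read_tlv(qseq, qp)   # PolicyQualifierInfo
                _, qoid, _ = read_tlv(qinfo, 0)     # policyQualifierId
                quals.append(decode_oid(qoid))
        policies.append(PolicyInformation(decode_oid(oid_bytes), quals))
    return policies


def evaluate(critical: bool, policies: list, reject_qualifiers: bool = True):
    """Documented local rule (this example's choice, not mandated by RFC 5280):
    non-critical -> accept; critical with a qualifier type we cannot interpret
    -> reject; critical with any qualifier while reject_qualifiers is set ->
    reject (the Java policyQualifiersRejected behaviour); otherwise accept,
    and unknown policy OIDs are reported rather than rejected.
    Returns (accepted, reason)."""
    quals = [q for p in policies for q in p.qualifier_oids]
    if not critical:
        return True, "non-critical: qualifiers ignored"
    unknown = [q for q in quals if q not in KNOWN_QUALIFIERS]
    if unknown:
        return False, "critical extension with uninterpretable qualifier " + unknown[0]
    if quals and reject_qualifiers:
        return False, "critical extension carries qualifiers; rejection configured"
    return True, "accepted; policies " + ", ".join(p.policy_oid for p in policies)


def build_sample_extension(qualifier_oid: str = OID_CPS_URI) -> bytes:
    """Constructed sample: one policy with a single qualifier, one with none."""
    qualifier = der_tlv(0x30, der_oid(qualifier_oid)
                        + der_tlv(0x16, b"https://example.invalid/cps"))  # IA5String
    with_qual = der_tlv(0x30, der_oid("1.2.3.4.5") + der_tlv(0x30, qualifier))
    bare = der_tlv(0x30, der_oid("1.2.3.4.6"))
    return der_tlv(0x30, with_qual + bare)
```

Running `evaluate(True, parse_certificate_policies(build_sample_extension()), True)` reproduces the rejection Niklas observed; flipping the third argument to `False` accepts the same certificate, which is exactly why the chosen setting, and the reason for it, belongs in the validator's documentation.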