IETF Logo Mail Archive

Re: [TLS] Certificate validation can of worms

Santosh Chokhani <SChokhani@cygnacom.com> Wed, 09 April 2014 15:26 UTC

Return-Path: <SChokhani@cygnacom.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6DEDA1A030F for <tls@ietfa.amsl.com>; Wed, 9 Apr 2014 08:26:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.173
X-Spam-Level:
X-Spam-Status: No, score=-2.173 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xOAjm6Giz3FV for <tls@ietfa.amsl.com>; Wed, 9 Apr 2014 08:26:38 -0700 (PDT)
Received: from ipedge1.cygnacom.com (ipedge1.cygnacom.com [216.191.252.12]) by ietfa.amsl.com (Postfix) with ESMTP id 3FB661A02AA for <tls@ietf.org>; Wed, 9 Apr 2014 08:26:38 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.97,826,1389762000"; d="scan'208";a="2572577"
Received: from unknown (HELO scygexch10.cygnacom.com) ([10.4.60.26]) by ipedge1.cygnacom.com with ESMTP; 09 Apr 2014 11:26:37 -0400
Received: from SCYGEXCH10.cygnacom.com ([::1]) by scygexch10.cygnacom.com ([::1]) with mapi id 14.02.0247.003; Wed, 9 Apr 2014 11:26:37 -0400
From: Santosh Chokhani <SChokhani@cygnacom.com>
To: "mrex@sap.com" <mrex@sap.com>
Thread-Topic: [TLS] Certificate validation can of worms
Thread-Index: AQHPUG9nRS10t5Ha0EyLKsoi0FgTh5sG4JsA///FM+CAAE2tgIABHNfAgABnzACAAPY3QA==
Date: Wed, 09 Apr 2014 15:26:36 +0000
Message-ID: <4262AC0DB9856847A2D00EF817E811391794FB@scygexch10.cygnacom.com>
References: <4262AC0DB9856847A2D00EF817E81139178FE7@scygexch10.cygnacom.com> <20140408204150.9505B1ACB3@ld9781.wdf.sap.corp>
In-Reply-To: <20140408204150.9505B1ACB3@ld9781.wdf.sap.corp>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.60.117.6]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/1Qis2MvkseZWrTosIha_3lY0SjQ
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Certificate validation can of worms
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Apr 2014 15:26:42 -0000

Martin,

You are misreading this.  This is talking about things such as must be critical.  For example, 5280 requires some extensions to be critical.  Some of the path validation software was checking if the extension was marked critical or not and then was throwing an error if not marked critical.  There is no need for that.  CA has already produced an object.  The consumer understands the extension and should go ahead and process it.  CA having not set it critical does not and should not make a difference.

-----Original Message-----
From: Martin Rex [mailto:mrex@sap.com] 
Sent: Tuesday, April 08, 2014 4:42 PM
To: Santosh Chokhani
Cc: mrex@sap.com; Watson Ladd; tls@ietf.org
Subject: Re: [TLS] Certificate validation can of worms

Santosh Chokhani wrote:
> 
> The EKU is generally only applies to the leaf certificate (per X.509 
> and RFC 5280) and is not involved in path processing.
> I would think that if EKU is present at least a browser application 
> will ensure that the certificate has server auth OID.

There is one central statement in rfc5280/PKIX that you seem to be unaware of:

https://tools.ietf.org/html/rfc5280#section-6.1

   Therefore, the algorithm only includes checks to verify that the
   certification path is valid according to X.509 and does not include
   checks to verify that the certificates and CRLs conform to this
   profile.  While the algorithm could be extended to include checks for
   conformance to the profiles in Sections 4 and 5, this profile
   RECOMMENDS against including such checks.


Whit this  "this profile RECOMMENDS against including such checks"
says explicitly to an TLS implementor: you SHOULD NOT implement any conformance checks to stuff that is described in section 4 & 5 of this document.  (so you do not have to read, let alone understand what all the stuff in that part of the document means).



-Martin

v2.23.0 | Report a Bug | By Email