Re: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.
Stefan Santesson <stefan@aaa-sec.com> Wed, 20 February 2013 19:22 UTC
Return-Path: <stefan@aaa-sec.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3391821F88C7 for <pkix@ietfa.amsl.com>; Wed, 20 Feb 2013 11:22:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.721
X-Spam-Level:
X-Spam-Status: No, score=-100.721 tagged_above=-999 required=5 tests=[AWL=-0.469, BAYES_00=-2.599, HELO_EQ_SE=0.35, HTML_MESSAGE=0.001, J_CHICKENPOX_31=0.6, MIME_QP_LONG_LINE=1.396, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f5TzgY41PyBA for <pkix@ietfa.amsl.com>; Wed, 20 Feb 2013 11:22:49 -0800 (PST)
Received: from s87.loopia.se (s87.loopia.se [194.9.95.113]) by ietfa.amsl.com (Postfix) with ESMTP id 10AB121F8798 for <pkix@ietf.org>; Wed, 20 Feb 2013 11:22:48 -0800 (PST)
Received: from s87.loopia.se (localhost [127.0.0.1]) by s87.loopia.se (Postfix) with ESMTP id CC39F4223A7 for <pkix@ietf.org>; Wed, 20 Feb 2013 20:22:46 +0100 (CET)
X-Virus-Scanned: amavisd-new at outgoing-smtp.loopia.se
Received: from s87.loopia.se ([127.0.0.1]) by s87.loopia.se (s87.loopia.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id NFNtFxXHOh_O for <pkix@ietf.org>; Wed, 20 Feb 2013 20:22:46 +0100 (CET)
Received: from s327.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id 5981442235F for <pkix@ietf.org>; Wed, 20 Feb 2013 20:22:46 +0100 (CET)
Received: (qmail 79463 invoked from network); 20 Feb 2013 19:22:45 -0000
Received: from gw.aaa-sec.ideon.se (HELO [192.168.1.208]) (stefan@fiddler.nu@[85.235.7.89]) (envelope-sender <stefan@aaa-sec.com>) by s327.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for <pkix@ietf.org>; 20 Feb 2013 19:22:45 -0000
User-Agent: Microsoft-MacOutlook/14.3.1.130117
Date: Wed, 20 Feb 2013 20:22:43 +0100
From: Stefan Santesson <stefan@aaa-sec.com>
To: pkix <pkix@ietf.org>
Message-ID: <CD4ADDA3.5B99E%stefan@aaa-sec.com>
Thread-Topic: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.
In-Reply-To: <CA+i=0E5Ak1uSRD4mixVNhoi1_m=AVt2f+gEs+-PdAcjzHVna8g@mail.gmail.com>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3444236566_8351895"
Subject: Re: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2013 19:22:50 -0000
Again I'm not here to defend MSFT, but I can shead some light about the rationale. Don't make the mistake to believe that this was done by ignorant people with no respect for standards. Nor assume that they were to lazy to come up with their own extension and such. This was introduced well over 10 years ago and I truly believe that the engineers at the time did their best and thought they did the right thing. They did try their own extension, but that is a rocky road. MSFT tried with ApplicationPolicy. But it didn't do the job. Presumably because no once cared to implement it besides Microsoft. Certificate policy does not work either. As we at that time discovered the hard way, certificate policy implementations are terribly broken. A huge amount of PKI:s put policies in CA certificates that has nothing to do with the constraining mechanism defined in X.509 and RFC 5280 path processing. As deployments as they are effectively prevents standards compliant path processing of policies, the result is that no one really checks policies as per 5280 path processing, and if they do, they don't use the resulting policy set for anything useful. As a result, no one discover their error and corrects it. And the problems goes on and on forever. /Stefan From: Erwann Abalea <eabalea@gmail.com> Date: Wednesday, February 20, 2013 5:26 PM To: Piyush Jain <piyush@ditenity.com> Cc: Stefan Santesson <stefan@aaa-sec.com>, pkix <pkix@ietf.org> Subject: Re: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1. > > 2013/2/20 Piyush Jain <piyush@ditenity.com> >> >> really? >> >> implementers can choose to define another eku like extension with a >> different OID. it does not break the standards and serves their need. >> Their attitude will change only when their customers start complaining that >> their products are cannot inter operate with others because they don't follow >> the standards. > > They can define their own extension, like MS ApplicationPolicy, or > NetscapeCertType. > They can also rely on CertificatePolicies (which they do for EV certificates, > and are starting to do for DV/OV). > > -- > Erwann. _______________________________________________ pkix mailing list > pkix@ietf.org https://www.ietf.org/mailman/listinfo/pkix
- [pkix] A non-compliant use of the EKU extension i… Denis Pinkas
- Re: [pkix] A non-compliant use of the EKU extensi… Erwann Abalea
- Re: [pkix] A non-compliant use of the EKU extensi… David A. Cooper
- Re: [pkix] A non-compliant use of the EKU extensi… Piyush Jain
- Re: [pkix] A non-compliant use of the EKU extensi… Stefan Santesson
- Re: [pkix] A non-compliant use of the EKU extensi… Stephen Kent
- Re: [pkix] A non-compliant use of the EKU extensi… Peter Gutmann
- Re: [pkix] A non-compliant use of the EKU extensi… Denis Pinkas
- Re: [pkix] A non-compliant use of the EKU extensi… Stephen Kent
- Re: [pkix] A non-compliant use of the EKU extensi… Piyush Jain
- Re: [pkix] A non-compliant use of the EKU extensi… Stefan Santesson
- Re: [pkix] A non-compliant use of the EKU extensi… Piyush Jain
- Re: [pkix] A non-compliant use of the EKU extensi… Santosh Chokhani
- Re: [pkix] A non-compliant use of the EKU extensi… Erwann Abalea
- Re: [pkix] A non-compliant use of the EKU extensi… Dr Stephen Henson
- Re: [pkix] A non-compliant use of the EKU extensi… Martin Rex
- Re: [pkix] A non-compliant use of the EKU extensi… Michael StJohns
- Re: [pkix] A non-compliant use of the EKU extensi… Michael StJohns
- Re: [pkix] A non-compliant use of the EKU extensi… Henry B. Hotz
- Re: [pkix] A non-compliant use of the EKU extensi… Stefan Santesson
- Re: [pkix] A non-compliant use of the EKU extensi… Peter Gutmann
- Re: [pkix] A non-compliant use of the EKU extensi… Peter Gutmann
- Re: [pkix] A non-compliant use of the EKU extensi… Yoav Nir
- Re: [pkix] A non-compliant use of the EKU extensi… Erwann Abalea
- Re: [pkix] A non-compliant use of the EKU extensi… Stefan Santesson
- Re: [pkix] A non-compliant use of the EKU extensi… Peter Sylvester
- Re: [pkix] A non-compliant use of the EKU extensi… Piyush Jain
- [pkix] Agenda items for PKIX in Orlando Stefan Santesson
- Re: [pkix] A non-compliant use of the EKU extensi… Stephen Kent
- [pkix] PKIX WG's (lack of) agility to adopt missi… Martin Rex