IETF Logo Mail Archive

Re: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.

Stefan Santesson <stefan@aaa-sec.com> Wed, 20 February 2013 19:22 UTC

Return-Path: <stefan@aaa-sec.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3391821F88C7 for <pkix@ietfa.amsl.com>; Wed, 20 Feb 2013 11:22:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.721
X-Spam-Level:
X-Spam-Status: No, score=-100.721 tagged_above=-999 required=5 tests=[AWL=-0.469, BAYES_00=-2.599, HELO_EQ_SE=0.35, HTML_MESSAGE=0.001, J_CHICKENPOX_31=0.6, MIME_QP_LONG_LINE=1.396, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f5TzgY41PyBA for <pkix@ietfa.amsl.com>; Wed, 20 Feb 2013 11:22:49 -0800 (PST)
Received: from s87.loopia.se (s87.loopia.se [194.9.95.113]) by ietfa.amsl.com (Postfix) with ESMTP id 10AB121F8798 for <pkix@ietf.org>; Wed, 20 Feb 2013 11:22:48 -0800 (PST)
Received: from s87.loopia.se (localhost [127.0.0.1]) by s87.loopia.se (Postfix) with ESMTP id CC39F4223A7 for <pkix@ietf.org>; Wed, 20 Feb 2013 20:22:46 +0100 (CET)
X-Virus-Scanned: amavisd-new at outgoing-smtp.loopia.se
Received: from s87.loopia.se ([127.0.0.1]) by s87.loopia.se (s87.loopia.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id NFNtFxXHOh_O for <pkix@ietf.org>; Wed, 20 Feb 2013 20:22:46 +0100 (CET)
Received: from s327.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id 5981442235F for <pkix@ietf.org>; Wed, 20 Feb 2013 20:22:46 +0100 (CET)
Received: (qmail 79463 invoked from network); 20 Feb 2013 19:22:45 -0000
Received: from gw.aaa-sec.ideon.se (HELO [192.168.1.208]) (stefan@fiddler.nu@[85.235.7.89]) (envelope-sender <stefan@aaa-sec.com>) by s327.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for <pkix@ietf.org>; 20 Feb 2013 19:22:45 -0000
User-Agent: Microsoft-MacOutlook/14.3.1.130117
Date: Wed, 20 Feb 2013 20:22:43 +0100
From: Stefan Santesson <stefan@aaa-sec.com>
To: pkix <pkix@ietf.org>
Message-ID: <CD4ADDA3.5B99E%stefan@aaa-sec.com>
Thread-Topic: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.
In-Reply-To: <CA+i=0E5Ak1uSRD4mixVNhoi1_m=AVt2f+gEs+-PdAcjzHVna8g@mail.gmail.com>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3444236566_8351895"
Subject: Re: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2013 19:22:50 -0000

Again I'm not here to defend MSFT, but I can shead some light about the
rationale.

Don't make the mistake to believe that this was done by ignorant people with
no respect for standards.
Nor assume that they were to lazy to come up with their own extension and
such.

This was introduced well over 10 years ago and I truly believe that the
engineers at the time did their best and thought they did the right thing.
They did try their own extension, but that is a rocky road. MSFT tried with
ApplicationPolicy. But it didn't do the job. Presumably because no once
cared to implement it besides Microsoft.
Certificate policy does not work either. As we at that time discovered the
hard way, certificate policy implementations are terribly broken.
A huge amount of PKI:s put policies in CA certificates that has nothing to
do with the constraining mechanism defined in X.509 and RFC 5280 path
processing.

As deployments as they are effectively prevents standards compliant path
processing of policies, the result is that no one really checks policies as
per 5280 path processing, and if they do, they don't use the resulting
policy set for anything useful.
As a result, no one discover their error and corrects it. And the problems
goes on and on forever.

/Stefan


From:  Erwann Abalea <eabalea@gmail.com>
Date:  Wednesday, February 20, 2013 5:26 PM
To:  Piyush Jain <piyush@ditenity.com>
Cc:  Stefan Santesson <stefan@aaa-sec.com>, pkix <pkix@ietf.org>
Subject:  Re: [pkix] A non-compliant use of the EKU extension in Mozilla's
CA Certificate Policy Version 2.1.

> 
> 2013/2/20 Piyush Jain <piyush@ditenity.com>
>> 
>> really?
>> 
>>  implementers can choose to define another eku like extension with a
>> different OID. it does not break the standards and serves their need.
>> Their attitude will change only when their customers start complaining that
>> their products are cannot inter operate with others because they don't follow
>> the standards.
> 
> They can define their own extension, like MS ApplicationPolicy, or
> NetscapeCertType.
> They can also rely on CertificatePolicies (which they do for EV certificates,
> and are starting to do for DV/OV).
> 
> -- 
> Erwann. _______________________________________________ pkix mailing list
> pkix@ietf.org https://www.ietf.org/mailman/listinfo/pkix

v2.23.0 | Report a Bug | By Email