
Re: self-signed

From: Nathan <nathan@webr3.org>
Date: Thu, 14 Apr 2011 00:44:54 +0100
Message-ID: <4DA63576.6080200@webr3.org>
To: Joe Presbrey <presbrey@gmail.com>
CC: Henry Story <henry.story@bblfish.net>, WebID XG <public-xg-webid@w3.org>, Joerg Anders <jan@informatik.tu-chemnitz.de>

For any wondering, the specifications are quite strong on this:

[[
A certificate-using system MUST reject the certificate if it encounters 
a critical extension it does not recognize or a critical extension that 
contains information that it cannot process. A non-critical extension 
MAY be ignored if it is not recognized, but MUST be processed if it is 
recognized.
]]

So either clerezza is very clever and can process all the extensions you 
marked as critical, or contains a bug in that it doesn't process them 
all and instead ignores that MUST from the specification.

Either way, I believe this is a gotcha worth noting, perhaps even as a 
"Note:" in the WebID spec.

Best,

Nathan

Joe Presbrey wrote:
> Hans X509 extensions should not be marked critical (should be marked
> 'not critical'). See my extensions listing below for the distinction:
> 
>         X509v3 extensions:
>             X509v3 Subject Alternative Name:
>                 URI:http://presbrey.mit.edu/foaf#presbrey
>             X509v3 Subject Key Identifier:
>                 CD:16:4C:A8:DC:78:5C:45:33:1B:7C:71:46:0F:70:FF:0D:1E:FE:D5
>             X509v3 Basic Constraints:
>                 CA:FALSE
> 
> On Wed, Apr 13, 2011 at 5:47 PM, Henry Story <henry.story@bblfish.net> wrote:
>>        X509v3 extensions:
>>            Netscape Cert Type: critical
>>                SSL Client, S/MIME, Object Signing
>>            X509v3 Subject Alternative Name: critical
>>                email:ba.obma@vodafone.de, URI:http://foaf.me/Hans#me
>>            X509v3 Subject Key Identifier: critical
>>                58:92:81:B9:80:08:6F:6F:C9:65:D7:2E:70:D5:D8:D8:DC:28:3F:47
>>            X509v3 Extended Key Usage: critical
>>                TLS Web Client Authentication, Code Signing, E-mail Protection
>>            X509v3 Key Usage: critical
>>                Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
>>            X509v3 Basic Constraints: critical
>>                CA:FALSE
> 
> 
Received on Wednesday, 13 April 2011 23:45:51 UTC
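The rule Nathan quotes (RFC 5280, section 4.2) can be seen in action with a standard-library validator. The program below is an added example, not code from the thread, from WebID or from Clerezza; it uses Go's crypto/x509, which implements exactly that rule: any critical extension the parser does not recognise is recorded in UnhandledCriticalExtensions and makes Verify fail. It builds three self-signed client certificates shaped like the ones listed above (WebID URI in the SAN, Key Usage, Extended Key Usage, Basic Constraints CA:FALSE): one with only extensions Go understands, one with a Netscape Cert Type extension marked non-critical, and one with it marked critical. The WebID URI and subject name are constructed placeholders, not values from the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// OID of the Netscape Cert Type extension (2.16.840.1.113730.1.1). Go's
// crypto/x509, like most modern validators, does not implement it, so it is
// a good stand-in for "a critical extension the verifier does not recognise".
var oidNetscapeCertType = asn1.ObjectIdentifier{2, 16, 840, 1, 113730, 1, 1}

// buildCert creates a self-signed client certificate shaped like the ones in
// the thread: a WebID URI in the SAN, Key Usage, Extended Key Usage and
// Basic Constraints (CA:FALSE). If withNetscape is set, a Netscape Cert Type
// extension is added too, marked critical or not according to critical.
// The WebID URI and subject name are constructed placeholders.
func buildCert(withNetscape, critical bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	webid, err := url.Parse("http://example.org/foaf#me")
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "WebID test subject"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, // emits Basic Constraints CA:FALSE (critical)
		URIs:                  []*url.URL{webid},
	}
	if withNetscape {
		// Extension value: a BIT STRING with only the "SSL Client" bit set.
		val, err := asn1.Marshal(asn1.BitString{Bytes: []byte{0x80}, BitLength: 1})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidNetscapeCertType, Critical: critical, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// unhandledCritical lists (as dotted OIDs) the critical extensions the parser
// did not understand. Non-critical unknown extensions are simply ignored and
// never appear here.
func unhandledCritical(cert *x509.Certificate) []string {
	var out []string
	for _, id := range cert.UnhandledCriticalExtensions {
		out = append(out, id.String())
	}
	return out
}

// validateClientCert runs the self-signed certificate through chain
// verification with itself as the only trust anchor, which is how a WebID
// relying party treats a self-signed client certificate. Verify applies the
// RFC 5280 rule: any critical extension it cannot process is fatal and is
// reported as x509.UnhandledCriticalExtension.
func validateClientCert(cert *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// rejectedForUnknownCritical reports whether validation failed specifically
// because of an unrecognised critical extension.
func rejectedForUnknownCritical(err error) bool {
	var uce x509.UnhandledCriticalExtension
	return errors.As(err, &uce)
}

func main() {
	cases := []struct {
		name         string
		withNetscape bool
		critical     bool
	}{
		{"recognised extensions only", false, false},
		{"Netscape Cert Type, non-critical", true, false},
		{"Netscape Cert Type, critical", true, true},
	}
	for _, c := range cases {
		cert, err := buildCert(c.withNetscape, c.critical)
		if err != nil {
			fmt.Println(c.name, "build error:", err)
			continue
		}
		err = validateClientCert(cert)
		fmt.Printf("%-36s unhandled critical=%v verify=%v\n", c.name, unhandledCritical(cert), err)
	}
}
```

Only the third certificate is rejected, and only because the unknown extension was flagged critical; the identical extension marked non-critical is ignored, as the MAY in the quoted text allows. A relying party that accepts the third certificate is doing what Nathan describes: silently skipping the MUST.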
