- From: Nathan <nathan@webr3.org>
- Date: Thu, 14 Apr 2011 00:44:54 +0100
- To: Joe Presbrey <presbrey@gmail.com>
- CC: Henry Story <henry.story@bblfish.net>, WebID XG <public-xg-webid@w3.org>, Joerg Anders <jan@informatik.tu-chemnitz.de>
For any wondering, the specifications are quite strong on this:

[[
A certificate-using system MUST reject the certificate if it encounters a critical extension it does not recognize or a critical extension that contains information that it cannot process. A non-critical extension MAY be ignored if it is not recognized, but MUST be processed if it is recognized.
]]

So either clerezza is very clever and can process all the extensions you marked as critical, or contains a bug in that it doesn't process them all and instead ignores that MUST from the specification.

Either way, I believe this is a gotcha worth noting, perhaps even as a "Note:" in the WebID spec.

Best,

Nathan

Joe Presbrey wrote:
> Hans' X509 extensions should not be marked critical (should be marked
> 'not critical'). See my extensions listing below for the distinction:
>
>     X509v3 extensions:
>         X509v3 Subject Alternative Name:
>             URI:http://presbrey.mit.edu/foaf#presbrey
>         X509v3 Subject Key Identifier:
>             CD:16:4C:A8:DC:78:5C:45:33:1B:7C:71:46:0F:70:FF:0D:1E:FE:D5
>         X509v3 Basic Constraints:
>             CA:FALSE
>
> On Wed, Apr 13, 2011 at 5:47 PM, Henry Story <henry.story@bblfish.net> wrote:
>>     X509v3 extensions:
>>         Netscape Cert Type: critical
>>             SSL Client, S/MIME, Object Signing
>>         X509v3 Subject Alternative Name: critical
>>             email:ba.obma@vodafone.de, URI:http://foaf.me/Hans#me
>>         X509v3 Subject Key Identifier: critical
>>             58:92:81:B9:80:08:6F:6F:C9:65:D7:2E:70:D5:D8:D8:DC:28:3F:47
>>         X509v3 Extended Key Usage: critical
>>             TLS Web Client Authentication, Code Signing, E-mail Protection
>>         X509v3 Key Usage: critical
>>             Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
>>         X509v3 Basic Constraints: critical
>>             CA:FALSE
Received on Wednesday, 13 April 2011 23:45:51 UTC
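The MUST/MAY rule Nathan quotes, applied to the two extension listings in the thread, as an added example that is not code from the thread, from clerezza or from the WebID spec. The extension OIDs are the standard ones; the set of extensions a validator "recognizes" and the `can_process` callback are constructed assumptions standing in for a real parser.

```python
# RFC 5280 section 4.2 extension handling, modelled on the two certificates
# quoted in the thread. Added example; not code from clerezza or the WebID spec.

# Real standard OIDs for the extensions that appear in the thread.
SUBJECT_ALT_NAME = "2.5.29.17"
SUBJECT_KEY_ID = "2.5.29.14"
BASIC_CONSTRAINTS = "2.5.29.19"
KEY_USAGE = "2.5.29.15"
EXT_KEY_USAGE = "2.5.29.37"
NETSCAPE_CERT_TYPE = "2.16.840.1.113730.1.1"  # legacy, not defined in RFC 5280

# Assumption: a validator that implements the RFC 5280 extensions only and has
# no Netscape legacy support (a common situation for modern TLS stacks).
RFC5280_ONLY = {SUBJECT_ALT_NAME, SUBJECT_KEY_ID, BASIC_CONSTRAINTS,
                KEY_USAGE, EXT_KEY_USAGE}


def check_extensions(extensions, recognized, can_process=lambda oid: True):
    """Apply the MUST/MAY rules quoted in the thread.

    extensions  : list of (oid, critical) pairs, as a parser would return them
    recognized  : set of OIDs this validator understands
    can_process : oid -> bool, whether the extension's content was processable
    Returns (accept, reasons); reasons lists every extension that is fatal.
    """
    reasons = []
    for oid, critical in extensions:
        if oid not in recognized:
            if critical:  # MUST reject: critical and not recognized
                reasons.append(f"unrecognized critical extension {oid}")
            continue  # non-critical and not recognized: MAY be ignored
        # Recognized: MUST be processed, whether critical or not; only a
        # critical extension whose content cannot be processed is fatal.
        if not can_process(oid) and critical:
            reasons.append(f"critical extension {oid} could not be processed")
    return not reasons, reasons


# Constructed from the two openssl listings quoted above (flags only).
JOE_CERT = [(SUBJECT_ALT_NAME, False), (SUBJECT_KEY_ID, False),
            (BASIC_CONSTRAINTS, False)]
HANS_CERT = [(NETSCAPE_CERT_TYPE, True), (SUBJECT_ALT_NAME, True),
             (SUBJECT_KEY_ID, True), (EXT_KEY_USAGE, True),
             (KEY_USAGE, True), (BASIC_CONSTRAINTS, True)]

if __name__ == "__main__":
    for name, cert in (("Joe", JOE_CERT), ("Hans", HANS_CERT)):
        ok, why = check_extensions(cert, RFC5280_ONLY)
        print(name, "accepted" if ok else "rejected", why)
```

Run as-is, Joe's certificate is accepted and Hans's is rejected solely because of the critical Netscape Cert Type; adding that OID to the recognized set makes Hans's certificate pass too, which is the "clerezza is very clever" case Nathan describes.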