Re: self-signed

From: Nathan <nathan@webr3.org>
Date: Thu, 14 Apr 2011 00:44:54 +0100
Message-ID: <4DA63576.6080200@webr3.org>
To: Joe Presbrey <presbrey@gmail.com>
CC: Henry Story <henry.story@bblfish.net>, WebID XG <public-xg-webid@w3.org>, Joerg Anders <jan@informatik.tu-chemnitz.de>

For any wondering, the specifications are quite strong on this:

A certificate-using system MUST reject the certificate if it encounters 
a critical extension it does not recognize or a critical extension that 
contains information that it cannot process. A non-critical extension 
MAY be ignored if it is not recognized, but MUST be processed if it is 

So either clerezza is very clever and can process all the extensions you 
marked as critical, or contains a bug in that it doesn't process them 
all and instead ignores that MUST from the specification.

Either way, I believe this is a gotcha worth noting, perhaps even as a 
"Note:" in the WebID spec.

Joe Presbrey wrote:
> Hans' X509 extensions should not be marked critical (should be marked
> 'not critical'). See my extensions listing below for the distinction:
>         X509v3 extensions:
>             X509v3 Subject Alternative Name:
>                 URI:http://presbrey.mit.edu/foaf#presbrey
>             X509v3 Subject Key Identifier:
>                 CD:16:4C:A8:DC:78:5C:45:33:1B:7C:71:46:0F:70:FF:0D:1E:FE:D5
>             X509v3 Basic Constraints:
>                 CA:FALSE
> On Wed, Apr 13, 2011 at 5:47 PM, Henry Story <henry.story@bblfish.net> wrote:
>>        X509v3 extensions:
>>            Netscape Cert Type: critical
>>                SSL Client, S/MIME, Object Signing
>>            X509v3 Subject Alternative Name: critical
>>                email:ba.obma@vodafone.de, URI:http://foaf.me/Hans#me
>>            X509v3 Subject Key Identifier: critical
>>                58:92:81:B9:80:08:6F:6F:C9:65:D7:2E:70:D5:D8:D8:DC:28:3F:47
>>            X509v3 Extended Key Usage: critical
>>                TLS Web Client Authentication, Code Signing, E-mail Protection
>>            X509v3 Key Usage: critical
>>                Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
>>            X509v3 Basic Constraints: critical
>>                CA:FALSE
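The RFC 5280 rule quoted above, applied to a certificate's extension list. This is an added example, not code from the thread or from clerezza; it assumes a small hand-written DER parser, a constructed two-extension sample (basicConstraints CA:FALSE and Netscape Cert Type, both marked critical, mirroring Hans' listing), and a set of "recognized" OIDs that is an assumption of the example.

```python
# Added example: parse a DER-encoded X.509 Extensions SEQUENCE and apply
# RFC 5280 4.2 (reject unrecognized critical, ignore unrecognized non-critical).
RECOGNIZED = {"2.5.29.17": "subjectAltName", "2.5.29.14": "subjectKeyIdentifier",
              "2.5.29.19": "basicConstraints"}   # assumption: what this verifier knows

def _tlv(buf, pos):
    """Decode one DER TLV at pos (short and long length forms); return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(value):
    """Decode a DER OBJECT IDENTIFIER value into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc); acc = 0
    return ".".join(map(str, arcs))

def parse_extensions(der):
    """Parse a DER Extensions SEQUENCE into [(oid, critical, extnValue)]."""
    tag, seq, _ = _tlv(der, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    out, pos = [], 0
    while pos < len(seq):
        _, ext, pos = _tlv(seq, pos)
        _, oid_bytes, p = _tlv(ext, 0)
        tag, val, p = _tlv(ext, p)
        critical = False
        if tag == 0x01:                     # optional BOOLEAN; absent means critical=FALSE
            critical = val != b"\x00"
            _, val, p = _tlv(ext, p)
        out.append((_oid(oid_bytes), critical, val))
    return out

def check_extensions(exts, recognized=RECOGNIZED):
    """RFC 5280 4.2: reject on an unrecognized critical extension, ignore an
    unrecognized non-critical one, hand recognized ones back for processing."""
    to_process = []
    for oid, critical, val in exts:
        if oid in recognized:
            to_process.append((recognized[oid], val))
        elif critical:
            return False, f"unrecognized critical extension {oid}"
    return True, to_process

def _enc(tag, body):
    """Minimal DER encoder for the constructed sample (short-form length only)."""
    return bytes([tag, len(body)]) + body

def sample_extensions():
    """Constructed sample: basicConstraints CA:FALSE and Netscape Cert Type, both critical."""
    bc = _enc(0x30, _enc(0x06, bytes.fromhex("551d13")) + _enc(0x01, b"\xff")
              + _enc(0x04, _enc(0x30, b"")))
    nct = _enc(0x30, _enc(0x06, bytes.fromhex("6086480186f8420101")) + _enc(0x01, b"\xff")
               + _enc(0x04, _enc(0x03, b"\x07\x80")))
    return _enc(0x30, bc + nct)
```

With the sample, `check_extensions(parse_extensions(sample_extensions()))` rejects because Netscape Cert Type is critical and not in the recognized set; adding its OID to the set makes the same list pass.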
Received on Wednesday, 13 April 2011 23:45:51 UTC