- From: Henry Story <henry.story@bblfish.net>
- Date: Thu, 14 Apr 2011 08:18:56 +0200
- To: Joe Presbrey <presbrey@gmail.com>
- Cc: WebID XG <public-xg-webid@w3.org>, Joerg Anders <jan@informatik.tu-chemnitz.de>, nathan <nathan@webr3.org>
Thanks Joe, that's really useful. I am working on a little service to test certificates for what we could call internet heritage conformance. It can look at certs in detail and check for odd things that might make for a less good experience on the internet as it is now.

Of course any service hosting such a service will need to set the flag in apache in x509_vfy.h:371 to #define X509_V_FLAG_IGNORE_CRITICAL 0x10 as you point out :-)

On 14 Apr 2011, at 01:50, Joe Presbrey wrote:

> Here's the current list of (X509/critical) supported extensions:
>
> NID_netscape_cert_type, /* 71 */
> NID_key_usage, /* 83 */
> NID_subject_alt_name, /* 85 */
> NID_basic_constraints, /* 87 */
> NID_certificate_policies, /* 89 */
> NID_ext_key_usage, /* 126 */
> #ifndef OPENSSL_NO_RFC3779
> NID_sbgp_ipAddrBlock, /* 290 */
> NID_sbgp_autonomousSysNum, /* 291 */
> #endif
> NID_policy_constraints, /* 401 */
> NID_proxyCertInfo, /* 663 */
> NID_name_constraints, /* 666 */
> NID_policy_mappings, /* 747 */
> NID_inhibit_any_policy /* 748 */
>
> SAN is on there so it can be set critical if you like. Hans X509 also
> has 'Subject Key Identifier' critical which is not on this list -- any
> product using OpenSSL will then fail a cert with it set critical.
>
> [1] http://www.google.com/codesearch/p?hl=en#nkmdi-dZTKs/trunk/third_party/openssl-1.0.0d/crypto/x509v3/v3_purp.c&q=1.0.0%20crypto/x509v3/v3_purp.c&l=278
>
> --
> Joe Presbrey
>
> On Wed, Apr 13, 2011 at 7:35 PM, Joe Presbrey <presbrey@gmail.com> wrote:
>> Hans X509 extensions should not be marked critical (should be marked
>> 'not critical'). See my extensions listing below for the distinction:
>>
>> X509v3 extensions:
>> X509v3 Subject Alternative Name:
>> URI:http://presbrey.mit.edu/foaf#presbrey
>> X509v3 Subject Key Identifier:
>> CD:16:4C:A8:DC:78:5C:45:33:1B:7C:71:46:0F:70:FF:0D:1E:FE:D5
>> X509v3 Basic Constraints:
>> CA:FALSE
>>
>> On Wed, Apr 13, 2011 at 5:47 PM, Henry Story <henry.story@bblfish.net> wrote:
>>> X509v3 extensions:
>>> Netscape Cert Type: critical
>>> SSL Client, S/MIME, Object Signing
>>> X509v3 Subject Alternative Name: critical
>>> email:ba.obma@vodafone.de, URI:http://foaf.me/Hans#me
>>> X509v3 Subject Key Identifier: critical
>>> 58:92:81:B9:80:08:6F:6F:C9:65:D7:2E:70:D5:D8:D8:DC:28:3F:47
>>> X509v3 Extended Key Usage: critical
>>> TLS Web Client Authentication, Code Signing, E-mail Protection
>>> X509v3 Key Usage: critical
>>> Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
>>> X509v3 Basic Constraints: critical
>>> CA:FALSE

Social Web Architect
http://bblfish.net/
Received on Thursday, 14 April 2011 06:19:27 UTC
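The check the thread is circling around (which extensions a certificate marks critical, and whether an OpenSSL-based verifier will honour them) can be made concrete. The following is an added example by the editor, not code from the thread, from OpenSSL or from any WebID project: a standard-library-only DER walker that reads an X.509 Extensions SEQUENCE, lists each extension's critical flag, and reports critical extensions that are not on the supported-critical list Joe quoted from v3_purp.c, or that RFC 5280 (sections 4.2.1.1 and 4.2.1.2) requires to be non-critical. The mapping from OpenSSL NIDs to dotted OIDs is the editor's own; the two sample extension sets are constructed to resemble the Hans and presbrey listings above (the URIs and key identifier bytes are made up), not taken from real certificates.

```python
"""Audit X.509 v3 extensions for critical flags that trip OpenSSL-based verifiers.
Standard library only; a minimal DER reader walks the Extensions SEQUENCE."""

# Extensions OpenSSL's v3_purp.c accepts as critical: the NID list quoted in the
# thread, mapped to dotted OIDs by the editor (this mapping is not OpenSSL's code).
OPENSSL_SUPPORTED_CRITICAL = {
    "2.16.840.1.113730.1.1": "Netscape Cert Type",
    "2.5.29.15": "Key Usage",
    "2.5.29.17": "Subject Alternative Name",
    "2.5.29.19": "Basic Constraints",
    "2.5.29.32": "Certificate Policies",
    "2.5.29.37": "Extended Key Usage",
    "1.3.6.1.5.5.7.1.7": "sbgp-ipAddrBlock",
    "1.3.6.1.5.5.7.1.8": "sbgp-autonomousSysNum",
    "2.5.29.36": "Policy Constraints",
    "1.3.6.1.5.5.7.1.14": "Proxy Certificate Info",
    "2.5.29.30": "Name Constraints",
    "2.5.29.33": "Policy Mappings",
    "2.5.29.54": "Inhibit Any Policy",
}
# RFC 5280 4.2.1.1 / 4.2.1.2: conforming CAs MUST mark these non-critical.
MUST_BE_NONCRITICAL = {"2.5.29.35": "Authority Key Identifier",
                       "2.5.29.14": "Subject Key Identifier"}

# --- minimal DER helpers (definite-length TLV only) ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for v in [arcs[0] * 40 + arcs[1]] + arcs[2:]:     # base-128, high bit = more
        chunk = [v & 0x7F]; v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F)); v >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def decode_oid(body):
    subids, v = [], 0
    for b in body:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(v); v = 0
    first = subids[0]
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(map(str, head + subids[1:]))

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def encode_extension(oid, critical, value):
    body = encode_oid(oid)
    if critical:                       # BOOLEAN DEFAULT FALSE: omitted when false
        body += tlv(0x01, b"\xff")
    return tlv(0x30, body + tlv(0x04, value))

def parse_extensions(der):
    """Return [(oid, critical, extnValue)] from a DER-encoded Extensions SEQUENCE."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        tag, ext, pos = read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("Extension must be a SEQUENCE")
        t, oid_body, p = read_tlv(ext, 0)
        if t != 0x06:
            raise ValueError("extnID must be an OID")
        critical = False
        t, body, p = read_tlv(ext, p)
        if t == 0x01:                  # optional critical BOOLEAN
            critical = body != b"\x00"
            t, body, p = read_tlv(ext, p)
        if t != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        out.append((decode_oid(oid_body), critical, body))
    return out

def audit_critical(der):
    """(oid, name, reason) for each critical extension an OpenSSL verifier would reject."""
    findings = []
    for oid, critical, _ in parse_extensions(der):
        if not critical or oid in OPENSSL_SUPPORTED_CRITICAL:
            continue
        name = MUST_BE_NONCRITICAL.get(oid, "unknown")
        reason = "not in OpenSSL's supported-critical list"
        if oid in MUST_BE_NONCRITICAL:
            reason += "; RFC 5280 requires non-critical"
        findings.append((oid, name, reason))
    return findings

# Constructed sample modelled on the Hans listing: everything marked critical.
HANS_LIKE = tlv(0x30, b"".join([
    encode_extension("2.16.840.1.113730.1.1", True, tlv(0x03, b"\x04\xb0")),
    encode_extension("2.5.29.17", True, tlv(0x30, tlv(0x86, b"http://example.org/hans#me"))),
    encode_extension("2.5.29.14", True, tlv(0x04, bytes(range(20)))),
    encode_extension("2.5.29.37", True, tlv(0x30, encode_oid("1.3.6.1.5.5.7.3.2"))),
    encode_extension("2.5.29.15", True, tlv(0x03, b"\x03\xb8")),
    encode_extension("2.5.29.19", True, tlv(0x30, b"")),
]))
# Constructed sample in the shape of the presbrey listing: nothing critical.
JOE_LIKE = tlv(0x30, b"".join([
    encode_extension("2.5.29.17", False, tlv(0x30, tlv(0x86, b"http://example.org/joe#me"))),
    encode_extension("2.5.29.14", False, tlv(0x04, bytes(range(20)))),
    encode_extension("2.5.29.19", False, tlv(0x30, b"")),
]))

if __name__ == "__main__":
    for label, der in (("hans-like", HANS_LIKE), ("joe-like", JOE_LIKE)):
        print(label, audit_critical(der))
```

Only the Subject Key Identifier is reported for the Hans-like set: the other five critical extensions are all on the v3_purp.c list, which matches Joe's reading that SAN may be critical but a critical SKI will fail in anything built on OpenSSL. To run this against a real certificate, extract the DER Extensions SEQUENCE from the TBSCertificate's [3] EXPLICIT slot (a step this example leaves to the caller) and pass it to `audit_critical`.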