- From: Joe Presbrey <presbrey@gmail.com>
- Date: Wed, 13 Apr 2011 19:50:19 -0400
- To: Henry Story <henry.story@bblfish.net>
- Cc: WebID XG <public-xg-webid@w3.org>, Joerg Anders <jan@informatik.tu-chemnitz.de>, nathan <nathan@webr3.org>
Here's the current list of (X509/critical) supported extensions:

    NID_netscape_cert_type,    /* 71 */
    NID_key_usage,             /* 83 */
    NID_subject_alt_name,      /* 85 */
    NID_basic_constraints,     /* 87 */
    NID_certificate_policies,  /* 89 */
    NID_ext_key_usage,         /* 126 */
#ifndef OPENSSL_NO_RFC3779
    NID_sbgp_ipAddrBlock,      /* 290 */
    NID_sbgp_autonomousSysNum, /* 291 */
#endif
    NID_policy_constraints,    /* 401 */
    NID_proxyCertInfo,         /* 663 */
    NID_name_constraints,      /* 666 */
    NID_policy_mappings,       /* 747 */
    NID_inhibit_any_policy     /* 748 */

SAN is on there so it can be set critical if you like.

Hans' X509 also has 'Subject Key Identifier' critical which is not on
this list -- any product using OpenSSL will then fail a cert with it
set critical.

[1] http://www.google.com/codesearch/p?hl=en#nkmdi-dZTKs/trunk/third_party/openssl-1.0.0d/crypto/x509v3/v3_purp.c&q=1.0.0%20crypto/x509v3/v3_purp.c&l=278

--
Joe Presbrey

On Wed, Apr 13, 2011 at 7:35 PM, Joe Presbrey <presbrey@gmail.com> wrote:
> Hans' X509 extensions should not be marked critical (should be marked
> 'not critical'). See my extensions listing below for the distinction:
>
> X509v3 extensions:
>     X509v3 Subject Alternative Name:
>         URI:http://presbrey.mit.edu/foaf#presbrey
>     X509v3 Subject Key Identifier:
>         CD:16:4C:A8:DC:78:5C:45:33:1B:7C:71:46:0F:70:FF:0D:1E:FE:D5
>     X509v3 Basic Constraints:
>         CA:FALSE
>
> On Wed, Apr 13, 2011 at 5:47 PM, Henry Story <henry.story@bblfish.net> wrote:
>> X509v3 extensions:
>>     Netscape Cert Type: critical
>>         SSL Client, S/MIME, Object Signing
>>     X509v3 Subject Alternative Name: critical
>>         email:ba.obma@vodafone.de, URI:http://foaf.me/Hans#me
>>     X509v3 Subject Key Identifier: critical
>>         58:92:81:B9:80:08:6F:6F:C9:65:D7:2E:70:D5:D8:D8:DC:28:3F:47
>>     X509v3 Extended Key Usage: critical
>>         TLS Web Client Authentication, Code Signing, E-mail Protection
>>     X509v3 Key Usage: critical
>>         Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
>>     X509v3 Basic Constraints: critical
>>         CA:FALSE
>
Received on Friday, 15 April 2011 10:13:33 UTC