shibboleth-dev - Re: "Unfortunate" Thawte discovery
Subject: Shibboleth Developers
List archive
- From: "RL 'Bob' Morgan" <>
- To: Scott Cantor <>
- Cc:
- Subject: Re: "Unfortunate" Thawte discovery
- Date: Fri, 26 Jul 2002 08:47:10 -0700 (PDT)
On Fri, 26 Jul 2002, Scott Cantor wrote:
> Turns out the server certs Thawte issues have the EnhancedKeyUsage field
> set to Server Authentication, which mod_ssl rejects for client
> authentication, preventing a site from sharing that SSL cert between
> mod_ssl on their site and the SHAR/mod_shib.
>
> I wonder if that behavior is configurable in mod_ssl. Changing that code
> would obviously not be attractive for numerous reasons.
You mean "Extended Key Usage", section 4.2.1.13 of RFC 3280.
Hmmf. It looks like the interpretation of this field changed between RFC
2459 and the new RFC 3280. 2459 says:
This extension may, at the option of the certificate issuer, be
either critical or non-critical.
If the extension is flagged critical, then the certificate MUST be
used only for one of the purposes indicated.
If the extension is flagged non-critical, then it indicates the
intended purpose or purposes of the key, and may be used in finding
the correct key/certificate of an entity that has multiple
keys/certificates. It is an advisory field and does not imply that
usage of the key is restricted by the certification authority to the
purpose indicated.
but 3280 says:
This extension MAY, at the option of the certificate issuer, be
either critical or non-critical.
If the extension is present, then the certificate MUST only be used
for one of the purposes indicated.
This is really appallingly underspecified. The name of the OID is
"id-kp-serverAuth", but the comment says
-- TLS WWW server authentication
so does that mean that use of such a cert for TLS with, say, an IMAP
server should be rejected? Sigh. PKI community once again reveals its
total disconnection from reality.
So, bottom line is: compliant implementations have to reject use of these
certs as client certs, so we can't expect to use them this way. Will the
public CA oligopoly even sell client certs for non-human principals?
Fine, this means we'll cut the cord to these losing bozos and issue our
own. Feh.
- RL "Bob"
------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at
http://archives.internet2.edu/
------------------------------------------------------mace-shib-design--
- "Unfortunate" Thawte discovery, Scott Cantor, 07/26/2002
- User Interface update, Barbara Jensen, 07/26/2002
- Re: User Interface update, Steven_Carmody, 07/29/2002
- Re: "Unfortunate" Thawte discovery, RL 'Bob' Morgan, 07/26/2002
- Re: "Unfortunate" Thawte discovery, David L. Wasley, 07/26/2002
- RE: "Unfortunate" Thawte discovery, Scott Cantor, 07/26/2002
- RE: "Unfortunate" Thawte discovery, RL 'Bob' Morgan, 07/26/2002
- RE: "Unfortunate" Thawte discovery, David L. Wasley, 07/26/2002
- RE: "Unfortunate" Thawte discovery, RL 'Bob' Morgan, 07/26/2002
- RE: "Unfortunate" Thawte discovery, David L. Wasley, 07/26/2002
- RE: "Unfortunate" Thawte discovery, RL 'Bob' Morgan, 07/26/2002
- Re: "Unfortunate" Thawte discovery, RL 'Bob' Morgan, 07/26/2002
- RE: "Unfortunate" Thawte discovery, Scott Cantor, 07/26/2002
- Re: "Unfortunate" Thawte discovery, David L. Wasley, 07/26/2002
- Re: "Unfortunate" Thawte discovery, RL 'Bob' Morgan, 07/26/2002
- RE: "Unfortunate" Thawte discovery, Scott Cantor, 07/26/2002
- RE: "Unfortunate" Thawte discovery, RL 'Bob' Morgan, 07/26/2002
- RE: "Unfortunate" Thawte discovery, Scott Cantor, 07/26/2002
- User Interface update, Barbara Jensen, 07/26/2002
Archive powered by MHonArc 2.6.16.