[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [IETF-PKIX] PKIX Part 1: more clarity needed on AltNames

To: IETF-PKIX@xxxxxxxxxxxxxxxx
Subject: Re: [IETF-PKIX] PKIX Part 1: more clarity needed on AltNames
From: Bob Jueneman <BJUENEMAN@xxxxxxxxxx>
Date: Wed, 31 Dec 1997 11:45:18 -0700
Comments: To: wford@VERISIGN.COM
Reply-to: "IETF X.509-based public key infrastructure mailing list" <IETF-PKIX@xxxxxxxxxxxxxxxx>
Sender: "IETF X.509-based public key infrastructure mailing list" <IETF-PKIX@xxxxxxxxxxxxxxxx>

Thank you, Warwick, for underscoring this vitally important point.  It is
the SEMANTICS of the critical extension that are relevant vis a vis the
application's "understanding", not the syntax. If the application does not
understand AND CONFORM TO the semantics of the extension, it must not
validate the certificate  — at least if it does, it is at the replying
party's risk.

Bob

Robert R. Jueneman
Security Architect
Novell, Inc.,
Network Services Division
122 East 1700 South
Provo, UT 84604
801/861-7387
bjueneman@novell.com

>>> Warwick Ford <wford@VERISIGN.COM> 12/31/97 09:37:51 >>>
Dave:

At 09:30 AM 12/31/97 -0500, David P. Kemp wrote:
>It's worth remembering that the criticality flag does *not* affect the
>meaning of an extension; the flag's sole purpose is to cause
>applications which do not understand the extension to reject the
>certificate.  If an application does understand an extension, it makes
>absolutely no difference whether the extension is marked critical or
>not - the critical flag should not even be examined.  The recent
>discussion of certificatePolicies stirred up some mud in this area -
>it's probably a good idea to specify the purpose *and the non-purpose*
>of the critical flag more explicitly in section 4.2.  Something like:
>
>  "If an implementation recognizes the syntax of a particular extension,
>   the value of the critical boolean in that extension SHALL be ignored."

This would be going too far.  A critical extension conveys semantics that a
conforming implementation must implement, otherwise not use the
certificate.  With a non-critical extension, there is no requirement to
implement particular semantics -- the extension may be ignored, regardless
of whether or not the implmentation recognizes the syntax.

Warwick

---------------------------------------------------------------------
Warwick Ford, VeriSign, Inc., One Alewife Center, Cambridge, MA 02140
   wford@verisign.com; Tel: (617)492 2816 x225; Fax: (617)661 0716
---------------------------------------------------------------------

Prev by Date: Re: [IETF-PKIX] PKIX Part 1: more clarity needed on AltNames
Next by Date: Re: [IETF-PKIX] Dave's Critical Proposal
Previous by thread: Re: [IETF-PKIX] PKIX Part 1: more clarity needed on AltNames
Next by thread: [IETF-PKIX] Dave's Critical Proposal
Index(es):
- Date
- Thread