Strength in Complexity?
Paul Hoffman
paul.hoffman at vpnc.org
Sat Jul 5 13:42:13 EDT 2008
At 12:48 AM +1200 7/6/08, Peter Gutmann wrote:
>Florian Weimer <fw at deneb.enyo.de> writes:
>>* Peter Gutmann:
>>> [1] Show of hands, how many people here not directly involved
>>>with X.509 work
>>> knew that the spec required that all extensions in CA root certificates
>>> ("trust anchors" in recent X.509 jargon) be ignored by an
>>>implementation?
>>> So if you put in name constraints, key usage constraints, a policy
>>> identifier, etc, then a conforming implementation is supposed
>>>to look at
>>> them, throw them away, and proceed as if they weren't there?
>>
>>Are you sure that the constraints are not supposed to be applied when
>>the root certificate is actually processed, after its signature has been
>>verified by the trust anchor?
>
>Yup. The app is supposed to read the cert, parse and process the extensions,
>and then throw them away.
Peter: please turn down the hyperbole a bit. You forgot the word
"may" between "and" and "then".
>The text from the spec is:
>
> 3.3.60 trust anchor: A trust anchor is a set of the following information in
> addition to the public key: algorithm identifier, public key parameters (if
> applicable), distinguished name of the holder of the associated private key
> (i.e., the subject CA) and optionally a validity period. The trust anchor
> may be provided in the form of a self-signed certificate. A trust anchor is
> trusted by a certificate using system and used for validating certificates
> in certification paths.
>
>Rendered into English, that says "take the pubic key, owner name, and
>validity period, and ignore everything else in the cert".
Wrong. There is no requirement to "ignore everything else in the
cert". There is simply no requirement to use that material.
>To pre-empt the inevitable "yes, but it doesn't explicitly say you can't
>process the extensions if you want to": It also doesn't say you can't reformat
>the user's hard drive when you see a cert, but the intent is that you don't do
>anything not explicitly listed in the text above.
No offense, but if I wanted to know the intent of a group of people
who make hard-to-read-and-harder-to-impelemnt crypto standards, I
would not ask you. You don't know their intent, Peter: you only know
the output of the sausage-making process.
If I haven't made it clear: I agree with Peter that the spec should
have clearly stated what one was supposed to do with the extensions.
Where I think we disagree is that I would rather that the spec said
explicitly to throw them away. I would rather have the semantics of
"this is what I say my name is and this is what I say my public key
is" quite separate from "this is what I think you should trust me to
authenticate". This adds complexity (it takes two certs), but it also
reduces complexity (it doesn't mandate binding policy to
identification).
>Luckily no sane implementation pays any attention to this nonsense :-).
We might agree here because I don't think there are many sane
implementations of X.509.
--Paul Hoffman, Director
--VPN Consortium
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list