[Cryptography] PRISM-Proofing and PRISM-Hardening

Phillip Hallam-Baker hallam at gmail.com
Wed Sep 18 20:36:46 EDT 2013

On Wed, Sep 18, 2013 at 5:50 PM, Viktor Dukhovni
<cryptography at dukhovni.org> wrote:

> On Wed, Sep 18, 2013 at 08:47:17PM +0000, Viktor Dukhovni wrote:
> > On Wed, Sep 18, 2013 at 08:04:04PM +0100, Ben Laurie wrote:
> >
> > > > This is only realistic with DANE TLSA (certificate usage 2 or 3),
> > > > and thus will start to be realistic for SMTP next year (provided
> > > > DNSSEC gets off the ground) with the release of Postfix 2.11, and
> > > > with luck also a DANE-capable Exim release.
> > >
> > > What's wrong with name-constrained intermediates?
> >
> > X.509 name constraints (critical extensions in general) typically
> > don't work.
> And public CAs don't generally sell intermediate CAs with name
> constraints.  Rather undercuts their business model.
This is no longer the case. Best Practice is now considered to be to use
name constraints but not mark them critical.

This is explicitly a violation of PKIX which insists that a name constraint
extension be marked critical. Which makes it impossible to use name
constraints as they will break in Safari and a few other browsers.

The refusal to make the obvious change is either because people do not
understand the meaning of the critical bit or the result of some of that
$250 million being felt in the PKIX group. As I pointed out at RSA, the use
of name constraints might well have prevented the FLAME attack working.

Website: http://hallambaker.com/
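Name constraints on an intermediate, as an added example that is not part of this thread: Go's standard-library verifier enforces a nameConstraints extension whether or not it is marked critical, so the chain below is built with the extension non-critical, as the post describes, and a leaf outside the permitted namespace is still rejected. All names, serial numbers and keys are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// tmpl returns a minimal template; CA templates get cA=TRUE and keyCertSign.
func tmpl(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return t
}
// sign issues t under parent (self-signed when parent is nil) with a fresh Ed25519 key.
func sign(t, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// VerifyLeaf builds root -> constrained intermediate -> leaf for host and reports whether Go accepts it.
func VerifyLeaf(host string) bool {
	rootCert, rootKey := sign(tmpl("Test Root", 1, true), nil, nil)
	inter := tmpl("Constrained Intermediate", 2, true) // may only issue names under example.com
	inter.PermittedDNSDomains, inter.PermittedDNSDomainsCritical = []string{"example.com"}, false // non-critical, as the post describes
	interCert, interKey := sign(inter, rootCert, rootKey)
	leaf := tmpl(host, 3, false)
	leaf.DNSNames = []string{host}
	leafCert, _ := sign(leaf, interCert, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(rootCert)
	inters.AddCert(interCert)
	_, err := leafCert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err == nil
}
```

A client that rejects unknown critical extensions, as the post says some browsers do, would fail the whole chain if the same extension were marked critical; flipping PermittedDNSDomainsCritical to true lets you inspect that encoding difference while Go's own verifier keeps enforcing the constraint either way.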