[Cryptography] PRISM-Proofing and PRISM-Hardening

Phillip Hallam-Baker hallam at gmail.com
Thu Sep 19 18:09:25 EDT 2013

On Thu, Sep 19, 2013 at 4:15 PM, Ben Laurie <ben at links.org> wrote:

> On 18 September 2013 21:47, Viktor Dukhovni <cryptography at dukhovni.org> wrote:
>> On Wed, Sep 18, 2013 at 08:04:04PM +0100, Ben Laurie wrote:
>> > > This is only realistic with DANE TLSA (certificate usage 2 or 3),
>> > > and thus will start to be realistic for SMTP next year (provided
>> > > DNSSEC gets off the ground) with the release of Postfix 2.11, and
>> > > with luck also a DANE-capable Exim release.
>> >
>> > What's wrong with name-constrained intermediates?
>> X.509 name constraints (critical extensions in general) typically
>> don't work.
> No. They typically work. As usual, Apple are the fly in the ointment.

The key to making them work is to NOT follow the IETF standard and to NOT
mark the extension critical.

If the extension is marked critical as RFC 5280 demands then the
certificates will break in Safari (and very old versions of some other top
tier browsers).

If the extension is not marked critical as CABForum and Mozilla recommend
then nothing breaks and the certificate chain will be correctly processed
by every current edition of every top tier browser apart from Safari.

The peculiar insistence that the extension be marked critical despite the
obvious fact that it breaks stuff is one of the areas where I suspect NSA

Website: http://hallambaker.com/