On Fri, Aug 22, 2003, Charles B Cranston wrote:

> Dr. Stephen Henson wrote:
> 
> >>These are some of the ones we found:
> >>Netscape 4 will not tolerate an ExtendedKeyUsage extension.
> 
> >Hmmm. What makes you think that? EKU is *required* to handle "step up" (aka
> >SGC, magic, 128 bit [yuck]) and Netscape 4 handled that.
> 
> Hello Steve!
> 
> Based on a dialog that came up that said
> "unknown critical extension" when I had a critical EKU extension
> and that dialog not coming up when I made it a noncritical
> extension or left it out entirely.  I don't think this had
> anything to do with stepup, but correct me if I'm missing
> something.
> 

Well not setting it to critical might have worked unless you specifically
wanted any client that didn't recognize the extension to reject it.

Setting anything to critical may cause problems for older clients because at
least one version of IE rejects anything that's critical even if it does
recognize it.

> 
> >It shouldn't be necessary to alter the default extensions for a simple SSL
> >server certificate.
> 
> Yes, I believe this to be the case, but note that software rot
> might affect this.  We have some Java client code that REQUIRES
> a BasicConstraints extension, for example, and while I believe
> the distributed cnf does put one in, in slight violation of
> PKIX/RFC3380 (and this is well and truly disclosed and documented
> in the commentary!) it may someday come to pass that some client
> requires something above and beyond.
> 

IIRC RFC2459 frowned upon basicConstraints (but didn't forbid it) in end user
certificates whereas RFC3280 now specifically allows it.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
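An added example, not part of the thread or of OpenSSL: a small standard-library Python encoder and decoder for the X.509 v3 `Extension` structure (`extnID`, `critical BOOLEAN DEFAULT FALSE`, `extnValue OCTET STRING`), plus a client-side check that applies the rule the "unknown critical extension" dialog enforces: a client must reject a certificate carrying a critical extension it does not recognize, while an unrecognized non-critical extension is ignored. The OIDs are the standard arcs for basicConstraints, extKeyUsage and serverAuth; the `LEGACY_CLIENT` and `MODERN_CLIENT` sets are constructed assumptions standing in for a client that does and does not know EKU, not a model of any particular browser version.

```python
# Added example: DER encode/decode of X.509 Extensions and a client-side
# critical-extension check. Standard-library Python only.

OID_BASIC_CONSTRAINTS = "2.5.29.19"      # id-ce-basicConstraints
OID_EXT_KEY_USAGE = "2.5.29.37"          # id-ce-extKeyUsage
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"    # id-kp-serverAuth


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(oid):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, base-128 after."""
    arcs = [int(a) for a in oid.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def encode_extension(oid, value_der, critical=False):
    """DER forbids encoding a DEFAULT value, so critical=FALSE is omitted."""
    body = encode_oid(oid)
    if critical:
        body += tlv(0x01, b"\xff")
    body += tlv(0x04, value_der)
    return tlv(0x30, body)


def encode_extensions(ext_list):
    return tlv(0x30, b"".join(ext_list))


def read_tlv(buf, pos):
    """Return (tag, value, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_extensions(der):
    """Parse an Extensions SEQUENCE into [(oid, critical, value_bytes), ...]."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid_body, p = read_tlv(ext, 0)
        critical = False
        tag, value, p = read_tlv(ext, p)
        if tag == 0x01:                      # optional BOOLEAN is present
            critical = value != b"\x00"
            _, value, p = read_tlv(ext, p)
        result.append((decode_oid(oid_body), critical, value))
    return result


def client_accepts(extensions_der, recognized_oids):
    """Reject on any critical extension the client does not recognize;
    unknown non-critical extensions are ignored. Returns (accepted, oid)."""
    for oid, critical, _ in decode_extensions(extensions_der):
        if critical and oid not in recognized_oids:
            return False, oid
    return True, None


# Constructed sample values for an end-entity server certificate.
EKU_SERVER_AUTH = tlv(0x30, encode_oid(OID_SERVER_AUTH))   # ExtKeyUsageSyntax
BC_END_ENTITY = tlv(0x30, b"")            # cA DEFAULT FALSE omitted -> empty SEQUENCE


def build_extensions(eku_critical):
    return encode_extensions([
        encode_extension(OID_BASIC_CONSTRAINTS, BC_END_ENTITY),
        encode_extension(OID_EXT_KEY_USAGE, EKU_SERVER_AUTH, critical=eku_critical),
    ])


# Hypothetical clients (assumption): one that knows only basicConstraints,
# one that also knows extKeyUsage.
LEGACY_CLIENT = {OID_BASIC_CONSTRAINTS}
MODERN_CLIENT = {OID_BASIC_CONSTRAINTS, OID_EXT_KEY_USAGE}

if __name__ == "__main__":
    for critical in (True, False):
        der = build_extensions(critical)
        print(f"EKU critical={critical}: legacy={client_accepts(der, LEGACY_CLIENT)}, "
              f"modern={client_accepts(der, MODERN_CLIENT)}")
```

Running it shows the behaviour the thread turns on: with EKU marked critical the legacy client refuses the extension set and names the offending OID, while the same EKU marked non-critical is accepted by both clients, and the modern client accepts it either way. The basicConstraints value is the empty SEQUENCE, which is how an end-entity `cA=FALSE` encodes under DER.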
