On Fri, Aug 22, 2003, Charles B Cranston wrote:

> Continuation of a dialog between Dr. Stephen Henson
> and Charles B Cranston:
> 
> B: These are some of the ones we found:
> B: Netscape 4 will not tolerate an ExtendedKeyUsage extension.
> 
> S: Hmmm. What makes you think that? EKU is *required* to handle "step up"
> S: (aka SGC, magic, 128 bit [yuck]) and Netscape 4 handled that.
> 
> B: Based on a dialog that came up that said
> B: "unknown critical extension" when I had a critical EKU extension
> B: and that dialog not coming up when I made it a noncritical
> B: extension or left it out entirely.  I don't think this had
> B: anything to do with stepup, but correct me if I'm missing
> B: something
> 

I've never seen that dialog on Netscape, though I've seen IE produce it.

What I'm saying is that stepup uses EKU (among other things) to identify its
certificates. Netscape 4.[something] did support stepup, so presumably it at
least partially parsed EKU. What version rejected critical EKU?

> S: Well not setting it to critical might have worked unless you specifically
> S: wanted any client that didn't recognize the extension to reject it.
> S: Setting anything to critical may cause problems for older clients because at
> S: least one version of IE rejects anything that's critical even if it does
> S: recognize it.
> 
> B: Gee, Steve, I'm sorry, I didn't completely read (or comprehend
> B: at least) your earlier remark.  You are saying that NS calls it an
> B: unknown critical extension even though it knows about it in the
> B: context of stepup???  That's just broken.  The standard clearly
> B: states that if you don't know about an extension and it's critical
> B: you fail.  If it knows about it how can it be unknown?  Yeah left
> B: hand doesn't know what right hand is doing I guess.  Thanks for the
> B: additional data point.  Guess we didn't test it as completely as we
> B: thought we did.  And if IE rejects anything that is critical even
> B: if it does recognize it (absent the critical bit) then IMHO it is
> B: broken too.  Grump.
> 

Well, it's only an older version of IE that does that; the current stuff doesn't,
though it has its own weirdness.

This will get much more fun if and when things like nameConstraints
become more common. The latest IE already displays that but does something
strange, and the standards are ambiguous too...

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
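The rule the two of them are arguing over ("if you don't know about an extension and it's critical you fail") as an added illustration that is not part of this thread: a minimal DER encoder/decoder for an X.509 Extensions sequence plus the RFC 5280 check a client applies to it. The OID constants are the real ones; the two client profiles and the sample EKU are constructed assumptions.

```python
OID_EKU, OID_KU, OID_SERVER_AUTH = "2.5.29.37", "2.5.29.15", "1.3.6.1.5.5.7.3.1"

def tlv(tag, body):                 # DER tag-length-value, short-form length only
    return bytes([tag, len(body)]) + body

def encode_oid(dotted):             # first two arcs share one byte, the rest are base-128
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.insert(0, (a & 0x7F) | 0x80)
        body += bytes(chunk)
    return tlv(0x06, bytes(body))

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def der_walk(data):                 # yield (tag, value) for each TLV in a sequence body
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        yield tag, data[i + 2:i + 2 + length]
        i += 2 + length

def make_extension(oid, value, critical):
    flag = tlv(0x01, b"\xff") if critical else b""   # BOOLEAN DEFAULT FALSE is omitted
    return tlv(0x30, encode_oid(oid) + flag + tlv(0x04, value))

def parse_extensions(ext_seq):      # -> [(oid, critical, octet-string contents)]
    _, exts = next(der_walk(ext_seq))                 # unwrap the outer SEQUENCE
    result = []
    for _, ext in der_walk(exts):
        parts = list(der_walk(ext))
        critical = len(parts) == 3 and parts[1][1] != b"\x00"
        result.append((decode_oid(parts[0][1]), critical, parts[-1][1]))
    return result

def client_accepts(ext_seq, recognised):   # RFC 5280 4.2: fatal only if critical AND unknown
    for oid, critical, _ in parse_extensions(ext_seq):
        if critical and oid not in recognised:
            return False, "unknown critical extension " + oid
    return True, "ok"

# Constructed sample: an EKU naming serverAuth, encoded once critical and once not.
EKU_VALUE = tlv(0x30, encode_oid(OID_SERVER_AUTH))
CRITICAL_EKU = tlv(0x30, make_extension(OID_EKU, EKU_VALUE, True))
NONCRITICAL_EKU = tlv(0x30, make_extension(OID_EKU, EKU_VALUE, False))
EKU_AWARE, EKU_UNAWARE = {OID_EKU, OID_KU}, {OID_KU}   # two hypothetical client profiles
```

A client that parses EKU accepts either encoding; one that does not must reject only the critical one, which is what the "unknown critical extension" dialog is supposed to mean.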
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]