On Fri, Aug 22, 2003, Charles B Cranston wrote:

> >>Based on a dialog that said "unknown critical extension"
> 
> >I've never seen that dialog on Netscape, though I've seen IE produce it.
> >What I'm saying is that stepup uses EKU (among other things) to identify
> >its certificates. Netscape 4.[something] did support stepup so presumably it at
> >least partially parsed EKU. What version rejected critical EKU?
> 
> Well, I'm wondering if I remember this wrong.  It was definitely IE
> that required the dates to nest, but it MIGHT have been IE that said
> this dialog as well.  I remember my initial development setup was
> Netscape 4.72 on a Macintosh and an Apache 1.x server running on my 
> (Debian) Linux machine, and I did discover this problem fairly late
> in the process, so it COULD be that I discovered it while testing
> with IE (I believe it was 5).
> 

Yes, it's IE with that validity nesting thing. I've had a note about that in my
PKCS#12 FAQ almost from the start.

I'm not saying Netscape didn't have an "unrecognized critical extension" dialog;
it's just that I've never seen it.

> 
> >Setting anything to critical may cause problems for older clients 
> >because at least one version of IE rejects anything that's critical
> > even if it does recognize it.
> 
> >>... if IE rejects anything that is critical even if it does recognize it
> >> (absent the critical bit) then IMHO it is broken too.  Grump.
> 
> >Well, it's only an older version of IE that does that, the current stuff
> > doesn't though it has its own weirdness.
> 
> Now I wonder if I misread you again.  You are saying
> 
> "if it does recognize it"
> 
> does that mean
>   1) it allows it (possibly by not knowing about it at all) or
>   2) it actually recognizes it and does something different
> 
> In case 1, yes, it seems OK to reject something critical that you
> don't know about, while 2, seems to me if you do something different
> when it is present you shouldn't give a tinker's dam about the critical
> bit.  That's what the definition of the critical bit IS, and IMHO
> software that recognizes the extension to the point of assigning it
> semantic meaning should NOT reject it just for being critical,
> and software that does so is broken.  Grump.
> 

It was a bug in some older IE versions. I'm dredging up distant memory here,
but in pseudocode what it should've done is:

if (critical && !recognized)
        reject();

What I *think* it did instead was:

if (critical && recognized)
        reject();

This behaviour stayed for quite a while and various CAs worked around it by
not making any extensions critical.

> >This will get much more fun if and when things like nameConstraints
> >become more common. The latest IE already displays that but does something
> >strange and the standards are ambiguous too...
> 
> Well, let this be a warning to EVERYBODY OUT THERE that you need
> to consider the possibility that some of your clients may be broken
> and not doing the documented right thing (and being on a Dean's desk
> where you haven't a chance in the world of getting it thrown out :-)
> and be sure to test if you do use any of the new groovy features...
> 

There's also the possibility that there is no "documented right thing" or it is
ambiguous so that two clients can do contradictory things with an extension
and both be compliant because the standard doesn't define the correct
behaviour.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
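As an added illustration (not from the thread or from OpenSSL), here is a small Python model of the two rules Steve describes: a minimal DER walk over an X.509 Extensions SEQUENCE that recovers each extnID and its critical flag (critical is BOOLEAN DEFAULT FALSE, so an absent element means false), followed by the RFC rule and the reported old-IE rule applied to constructed sample extensions. The RECOGNIZED set and the SAMPLE bytes are assumptions made for this example.

```python
RECOGNIZED = {"2.5.29.19", "2.5.29.37"}   # basicConstraints, extKeyUsage (assumed client set)

def _tlv(data, pos):
    """Return (tag, contents, next_pos) for the DER element at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _oid(raw):
    """Decode OID content octets to dotted-decimal form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_extensions(der):
    """Return [(oid, critical)] from a DER Extensions SEQUENCE.
    critical is BOOLEAN DEFAULT FALSE, so an absent element means False."""
    tag, seq, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        tag, ext, pos = _tlv(seq, pos)
        t, oid_raw, p = _tlv(ext, 0)
        if tag != 0x30 or t != 0x06:
            raise ValueError("malformed Extension")
        t, val, _ = _tlv(ext, p)
        critical = t == 0x01 and val != b"\x00"    # BOOLEAN present and TRUE
        out.append((_oid(oid_raw), critical))
    return out

def rfc_policy(exts):
    """Correct rule: reject only extensions that are critical AND unrecognized."""
    return not any(crit and oid not in RECOGNIZED for oid, crit in exts)

def old_ie_policy(exts):
    """The bug described above: reject extensions that are critical AND recognized."""
    return not any(crit and oid in RECOGNIZED for oid, crit in exts)

# Constructed sample: critical extKeyUsage(serverAuth), critical unknown OID 1.2.3.4,
# non-critical basicConstraints (BOOLEAN omitted, so DEFAULT FALSE applies).
SAMPLE = bytes.fromhex(
    "30 31 "
    "30 16 06 03 55 1d 25 01 01 ff 04 0c 30 0a 06 08 2b 06 01 05 05 07 03 01 "
    "30 0c 06 03 2a 03 04 01 01 ff 04 02 05 00 "
    "30 09 06 03 55 1d 13 04 02 30 00")
```

With the full sample, rfc_policy rejects (because of the unknown critical OID) while old_ie_policy rejects the critical EKU and would happily accept the unknown critical one on its own.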