On 28/11/13 15:14, Erwann Abalea wrote:
> How nice, they're asking for a self-signed certificate to include a
> specific EKU to indicate it's a Trust Anchor, and the OID used for this
> has never been allocated. Crazy.
It's crazier than that. RFC5906 seems to think it can put a string into
the EKU extension rather than OID(s)! Appendix J says...
"Extended Key Usage. This field...contains the string "Private" if
the certificate is designated private or the string "trustRoot" if
it is designated trusted..."
> I just looked at OpenSSL's objects.txt database, and found some OIDs
> that need some change:
> id-pkix-OCSP 8 : extendedStatus : Extended OCSP Status
> should be "id-pkix-ocsp-pref-sig-algs" (RFC6960).
> id-pkix-OCSP 9 : valid
> should be id-pkix-ocsp-extended-revoke (RFC6960).
> id-pkix-OCSP 10 : path
> id-pkix-OCSP 11 : trustRoot : Trust Root
> have never been defined by PKIX.
> RFC5906 uses a "trustRoot" EKU, without any OID being proposed or
> referenced. Your certificate includes the latter one in the EKU extension.
> --
> Erwann ABALEA
> On 28/11/2013 14:26, Dereck Hurtubise wrote:
>> It is NTP indicating that this certificate is held by a supposed
>> trusted root (authority).
>> This is NTP's way of figuring out if the certificate of the
>> subject/issuer should be trusted or not.
>> So they misuse X509 extensions for their own purposes.
>> This alone is not enough.
>> So they also implement a challenge/response scheme that they do after
>> the certificates are verified.
>> Read RFC 5906 (autokey) on the CERT message/exchange for more
>> information and why they do this.
>> The Trust Root is used in the identity exchange scheme after the CERT
>> exchange. Also in the RFC.
>> On Thu, Nov 28, 2013 at 2:07 PM, Walter H. <walte...@mathemainzel.info> wrote:
>>> Hi,
>>> On Wed, November 27, 2013 16:02, Dereck Hurtubise wrote:
>>>> X509v3 Extended Key Usage:
>>>> Trust Root
>>> What is this strange thing?
>>> 'Trust Root' as "Extended Key Usage"?
>>> ______________________________________________________________________
>>> OpenSSL Project http://www.openssl.org
>>> User Support Mailing List openssl-users@openssl.org
>>> Automated List Manager majord...@openssl.org
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com
COMODO CA Limited, Registered in England No. 04058690
Registered Office:
3rd Floor, 26 Office Village, Exchange Quay,
Trafford Road, Salford, Manchester M5 3EQ