[Fed-Talk] RE: PKI Certificates - Unknown Critical Extensions causing problems...
- Subject: [Fed-Talk] RE: PKI Certificates - Unknown Critical Extensions causing problems...
- From: "Miller, Timothy J." <email@hidden>
- Date: Mon, 5 Apr 2010 16:23:01 -0400
- Acceptlanguage: en-US
- Thread-topic: PKI Certificates - Unknown Critical Extensions causing problems...
Windows attempts to build a certificate chain across a bridge if chaining to an existing trust anchor fails for some reason. This includes fetching the needed certs (following AKI and/or AIA pointers) and prompting the user re: installing a new trust anchor (if allowed; there's a KB somewhere for Vista showing how to turn this off). It could be MS has ported this behavior to Entourage.
However, this shouldn't happen if the DoD Root 2 CA is installed and trusted, because the chain to that trust anchor should supersede any bridged trust path Entourage would construct. Unfortunately MS's reliance on the obsolete X509Anchors files and failure to use CDSA properly for security calls (like certificate validation) makes managing PKI trust with Entourage an utter PITA.
-- Tim
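As an added illustration of the chain-building behaviour Tim describes (this is example code written for this archive page, not anything from the list, Microsoft or DoD), the toy Python model below walks a leaf certificate toward a trust anchor, chasing AIA pointers only when the issuer cert is not already in hand, and then applies the RFC 5280 rule that an unrecognized critical extension makes a certificate unusable. The certificate records, the URLs, the extension sets and the names "Root 2", "Sub CA" and "Bridge CA" are all constructed for the example; real bridge cross-certificates carry different extensions than the ones invented here. It shows why a directly trusted Root 2 ends the path before the bridge is ever consulted, and why a path that does go through a cross-cert with critical extensions the client does not process fails with exactly the kind of "unknown critical extension" error the subject line complains about.

```python
"""Toy model of X.509 path building against a trust anchor store when a
cross-certified bridge exists. Constructed sample data only: the certs are
plain records, not real ASN.1, and the extension sets are invented."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    aia: tuple = ()                      # caIssuers URLs (AIA) where the issuer's cert can be fetched
    critical_exts: frozenset = frozenset()


# Extensions this hypothetical client knows how to process (constructed list).
KNOWN_EXTENSIONS = frozenset({
    "basicConstraints", "keyUsage", "subjectKeyIdentifier",
    "authorityKeyIdentifier", "certificatePolicies",
})

# Constructed PKI: leaf <- Sub CA <- Root 2, plus a bridge cross-cert whose
# subject is Root 2 but whose issuer is Bridge CA.
LEAF = Cert("user@example.mil", "Sub CA", aia=("http://pki.example/subca.p7c",),
            critical_exts=frozenset({"keyUsage"}))
SUB_CA = Cert("Sub CA", "Root 2", aia=("http://pki.example/root2.p7c",),
              critical_exts=frozenset({"basicConstraints", "keyUsage"}))
ROOT2_SELF = Cert("Root 2", "Root 2", critical_exts=frozenset({"basicConstraints"}))
# The cross-cert carries constraints the bridge imposes; this client does not
# understand them, so to it they are unknown critical extensions.
ROOT2_FROM_BRIDGE = Cert("Root 2", "Bridge CA",
                         aia=("http://bridge.example/bridge.p7c",),
                         critical_exts=frozenset({"basicConstraints", "policyMappings",
                                                  "nameConstraints"}))

# Simulated AIA repository: URL -> certs obtainable there (the p7c bundle).
REPOSITORY = {
    "http://pki.example/subca.p7c": [SUB_CA],
    "http://pki.example/root2.p7c": [ROOT2_SELF, ROOT2_FROM_BRIDGE],
}


def build_path(leaf, trusted, fetched):
    """Return the certs from leaf up to (excluding) the first trusted issuer,
    chasing AIA pointers to find each issuer cert. `fetched` records the URLs
    retrieved. Raises ValueError when no path to a trust anchor exists."""
    path = [leaf]
    while path[-1].issuer not in trusted:
        current = path[-1]
        candidates = []
        for url in current.aia:
            fetched.append(url)
            # A self-signed cert cannot lead anywhere new, so skip it.
            candidates += [c for c in REPOSITORY.get(url, ())
                           if c.subject == current.issuer and c.issuer != c.subject]
        # Prefer an issuer cert that chains straight to an anchor; never
        # reuse a cert already on the path (cross-certs form loops).
        candidates.sort(key=lambda c: c.issuer not in trusted)
        nxt = next((c for c in candidates if c not in path), None)
        if nxt is None:
            raise ValueError(f"no issuer cert found for {current.issuer!r}")
        path.append(nxt)
    return path


def validate(leaf, trusted, fetched=None):
    """Build the path, then apply RFC 5280 4.2: a critical extension the
    client does not recognize makes that cert, and so the path, invalid.
    Returns (ok, reason, subjects_on_path)."""
    fetched = [] if fetched is None else fetched
    try:
        path = build_path(leaf, trusted, fetched)
    except ValueError as e:
        return False, str(e), []
    for cert in path:
        unknown = cert.critical_exts - KNOWN_EXTENSIONS
        if unknown:
            return (False,
                    f"unknown critical extension(s) {sorted(unknown)} in "
                    f"{cert.subject!r} issued by {cert.issuer!r}",
                    [c.subject for c in path])
    return True, f"chains to anchor {path[-1].issuer!r}", [c.subject for c in path]


if __name__ == "__main__":
    # Root 2 installed and trusted: the path stops there, bridge never consulted.
    print(validate(LEAF, {"Root 2"}))
    # Only the bridge trusted: the builder must use the cross-cert, which fails.
    print(validate(LEAF, {"Bridge CA"}))
```

The `fetched` list is the part worth watching on a real client: with Root 2 trusted only the Sub CA bundle is retrieved, whereas with only the bridge trusted the builder also pulls the Root 2 bundle and picks the cross-cert out of it, which is the path that trips over the critical extensions.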
>-----Original Message-----
>From: Mark Radleigh (CTR) [mailto:email@hidden]
>Sent: Monday, April 05, 2010 2:10 PM
>To: Miller, Timothy J.; Apple FED-TALK
>Subject: Re: PKI Certificates - Unknown Critical Extensions causing
>problems...
>
>Hey Tim,
>
>That would be a whole bunch of misconfigured mail clients (which I suspect
>is Microsoft Outlook). Perhaps it's more of a Microsoft 'feature'? :)
>
>Mark
>
>
>> From: "Miller, Timothy J." <email@hidden>
>> Date: Sun, 4 Apr 2010 17:34:24 -0400
>> To: Mark Radleigh <email@hidden>, Apple FED-TALK
>> <email@hidden>
>> Subject: RE: PKI Certificates - Unknown Critical Extensions causing
>> problems...
>>
>> It's chaining across the Federal Bridge, which shouldn't be happening except
>> in special cases (e.g., if you didn't already trust Root 2). The client could
>> be sending you the cross-cert chain, which might simply be a misconfiguration.
>>
>> -- Tim
>>
>>
>[text deleted]
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden