The question of Critical Name Extension PKI support for OS X and iOS has come up yet again recently. It has been a continuous issue with use of some FPKI certificates [and other PKI] on Apple products for quite some time [10.5, 10.6 and 10.7]. Bug reports are just filed as duplicates and no progress towards a resolution has ever been reported to my knowledge. I do not have confirmation this is due to FIPS validation or otherwise, yet either way I still have the question:
Should the Federal PKI and relying parties plan accordingly for the foreseeable future for this to continue to be the case with native Apple PKI support [Critical Name Extension unknown]? The critical extension is still being used on active FPKI certificates.
Ridley DiSiena CISSP
On Jan 4, 2011, at 8:31 AM, Miller, Timothy J. wrote:
FWIW, the static linking to 'old' OpenSSL is (very likely) required to maintain FIPS 140 claims even when the system owner replaces the libs.
-- Tim
From: fed-talk-bounces+tmiller=email@hidden [fed-talk-bounces+tmiller=email@hidden] On Behalf Of Disiena, Ridley J. (GRC-VO00)[DB Consulting Group, Inc.] [email@hidden]
Sent: Monday, January 03, 2011 2:34 PM
To: email@hidden Talk
Subject: [Fed-Talk] PKI Certificate “Name Constraints” extension treated as an unknown critical extension
Issue: OS X 10.5.x & 10.6.x treats the “Name Constraints” extension as an unknown critical extension and therefore treats the certificate as invalid due to "unrecognized critical extension".
I know there are previous threads on this subject for current live certificates of particular agencies and DoD, and we know that this issue is because OS X does not recognize the extension yet. I'm bringing this back up on the list because this issue is likely to plague Federal OS X users and their customers for the foreseeable future until resolved by Apple, since several proposed new Federal Bridge Certificates will likely have such a critical extension. This is news to me since the last posting on the subject; I had hoped newly issued certificates would not be affected, but at this time it appears that will not be the case.
Complications: Since the affected Federal Bridge cross certificates will be found in the PKCS#7 bundles found via validation of AIA locations of Federal Agency certificates, applications that use OS X’s certificate security functionality, including the OS X operating system itself, will falsely treat certificates that are valid as invalid due to very outdated libraries. As mentioned in a previous post, the OpenSSL library has been updated to recognize and use the Critical Name Extension as of 0.9.8, released 5 years ago, and the PKI definition of the “Name Constraints” extension is now 12 years old. If this is the case, this is not an issue with the certificates; it is a case of severely outdated PKI libraries in OS X.
I have put in a bug report [which will likely get sent back as duplicate and closed] and am following up with Enterprise Support, but since this issue has been occurring for 2 OS versions already with no response from Apple on related posts, I wanted to make the other Federal folks involved with PKI aware that, at this time, it appears we will be affected for the foreseeable future, until Apple addresses the issue. FPKI is being made aware of the issue, but in looking at how long ago these extensions were defined in best practices documentation, it looks like the issue is on the Apple side, with OS X failing to recognize / utilize recent libraries, and not so recent standards.
Related Fed-Talk Posts:
Related name constraints noted on Fed-Talk April 2010
PKI Certificates - Unknown Critical Extensions causing problems...
http://lists.apple.com/archives/fed-talk/2010/Apr/msg00005.html
http://lists.apple.com/archives/fed-talk/2010/Apr/msg00006.html
“Also, it looks like the *key* security binaries and/or Frameworks are *STATICALLY* linked to the 'old' OpenSSL libraries”
Related name constraints noted on Fed-Talk December 2010
http://lists.apple.com/archives/fed-talk/2010/Apr/msg00008.html
http://lists.apple.com/archives/fed-talk/2010/Nov/msg00177.html
Related policy constraints noted on Fed-Talk October 2009
http://lists.apple.com/archives/apple-cdsa/2009/Oct/msg00002.html
Backup Information:
OpenSSL 0.9.8 released Tue, 05 Jul 2005 [ Over 5 years ago ]
http://www.mail-archive.com/email@hidden/msg00063.html
--->
* Added support for certificate policy mappings, policy
constraints and name constraints.
<---
IETF Document Definition of “Name Constraints” extension: January 1999 [12 Years ago]
http://www.ietf.org/rfc/rfc2459.txt
Housley, et. al. Standards Track [Page 34]
RFC 2459 Internet X.509 Public Key Infrastructure January 1999
--->
4.2.1.11 Name Constraints