Re: [Fed-Talk] PKI Certificate "Name Constraints" extension treated as an unknown critical extension
Re: [Fed-Talk] PKI Certificate "Name Constraints" extension treated as an unknown critical extension
- Subject: Re: [Fed-Talk] PKI Certificate "Name Constraints" extension treated as an unknown critical extension
- From: "Miller, Timothy J." <email@hidden>
- Date: Thu, 31 May 2012 14:00:52 +0000
- Thread-topic: [Fed-Talk] PKI Certificate "Name Constraints" extension treated as an unknown critical extension
On 5/30/12 2:55 PM, "Disiena, Ridley J. (GRC-VO00)[DB Consulting Group,
Inc.]" <email@hidden> wrote:
>The question of Critical Name Extension PKI support for OS X and iOS has
>come up yet again recently. It has been a continuous issue with use of
>some FPKI certificates [and other PKI] on Apple products for quite some
>time [10.5, 10.6 and
> 10.7]. Bug reports are just filed as duplicates and no progress towards
>a resolution has ever been reported to my knowledge. I do not have
>confirmation this is due to FIPS validation or otherwise, yet either way
>I still have the question:
X.509 path processing is not a FIPS issue.
>
>Should the Federal PKI and relying parties plan accordingly for the
>foreseeable future for this to continue to be the case with native Apple
>PKI support [Critical Name Extension unknown]? The critical extension is
>still being used on active FPKI certificates.
Apple is non-conformant with the PKIX X.509 profile because conforming
implementations MUST be able to process Name Constraints. (RFC 5280 Sec
4.2.1.10, "Applications conforming to this profile MUST be able to process
name constraints that are imposed on the directoryName name form and
SHOULD be able to process name constraints that are imposed on the
rfc822Name, uniformResourceIdentifier, dNSName, and iPAddress name
forms.").
In short: It's Apple's bug. Name Constraints are asserted in Federal
Bridge CA cross-certificates for important security reasons; they prohibit
partners from creating intentional or accidental name collisions that
reduce the identity assurance of the FPKI. The FPKI PMA will not relax
cross-certificate profile requirements in order to accommodate
implementation flaws. Should such a change request surface to the FPKI
PMA, I would counsel the DoD voting representative to reject it.
The workaround is for the relying party to import the relevant trust
anchor and not to use bridged trust paths. This adds risk of name
collisions, and there remain other bugs where OS X will fail to construct
and accept the shortest valid path (e.g., validating S/MIME signatures
when the client sends the complete path) that will still cause issues.
However, it's the best you can do.
-- T
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden