Re: [Fed-Talk] PKI Certificate "Name Constraints" extension treated as an unknown critical extension
- Subject: Re: [Fed-Talk] PKI Certificate "Name Constraints" extension treated as an unknown critical extension
- From: "Disiena, Ridley J. (GRC-VO00)[DB Consulting Group, Inc.]" <email@hidden>
- Date: Thu, 31 May 2012 09:19:58 -0500
- Acceptlanguage: en-US
- Thread-topic: [Fed-Talk] PKI Certificate "Name Constraints" extension treated as an unknown critical extension
Thanks Tim. I agree completely. I was implying that Federal and relying parties of FPKI certificates using Apple native PKI will likely be faced with this problem for the foreseeable future, and should plan accordingly for guidance on usage of Apple products and FPKI certificates... rather than changing FPKI or waiting for Apple to conform to the standard.
I will note that the issue's impact extends well beyond FPKI relying parties, as I have found out recently, but I was keeping context for this Federal list.
-Ridley
-----Original Message-----
From: Miller, Timothy J. [mailto:email@hidden]
Sent: Thursday, May 31, 2012 10:01 AM
To: Disiena, Ridley J. (GRC-VO00)[DB Consulting Group, Inc.]; email@hidden
Subject: Re: [Fed-Talk] PKI Certificate "Name Constraints" extension treated as an unknown critical extension
On 5/30/12 2:55 PM, "Disiena, Ridley J. (GRC-VO00)[DB Consulting Group, Inc.]" <email@hidden> wrote:
>Should the Federal PKI and relying parties plan accordingly for the
>foreseeable future for this to continue to be the case with native
>Apple PKI support [Critical Name Extension unknown]? The critical
>extension is still being used on active FPKI certificates.
Apple is non-conformant with the PKIX X.509 profile because conforming implementations MUST be able to process Name Constraints. (RFC 5280 Sec 4.2.1.10, "Applications conforming to this profile MUST be able to process name constraints that are imposed on the directoryName name form and SHOULD be able to process name constraints that are imposed on the rfc822Name, uniformResourceIdentifier, dNSName, and iPAddress name forms.").
In short: It's Apple's bug. Name Constraints are asserted in Federal Bridge CA cross-certificates for important security reasons; they prohibit partners from creating intentional or accidental name collisions that reduce the identity assurance of the FPKI. The FPKI PMA will not relax cross-certificate profile requirements in order to accommodate implementation flaws. Should such a change request surface to the FPKI PMA, I would counsel the DoD voting representative to reject it.
The workaround is for the relying party to import the relevant trust anchor and not to use bridged trust paths. This adds risk of name collisions, and there remain other bugs where OS X will fail to construct and accept the shortest valid path (e.g., validating S/MIME signatures when the client sends the complete path) that will still cause issues.
However, it's the best you can do.
-- T
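The following is an added illustration, not code from the thread, from the FPKI, or from Apple. It models the two RFC 5280 behaviours Tim's reply turns on: a validator that does not recognise a critical extension must reject the certificate (Sec. 4.2), while a conforming validator processes Name Constraints (Sec. 4.2.1.10) by checking every name in each subordinate certificate against the permitted and excluded subtrees accumulated from the CAs above it. The certificates are in-memory stand-ins rather than real X.509 objects, and the "Federal Root", "Partner Inc" and the e-mail domains are constructed names. Only the nameConstraints OID 2.5.29.30 and the subtree matching rules for dNSName, rfc822Name and directoryName are taken from the RFC; the scenario functions at the bottom are hypothetical.

```python
"""Toy model of RFC 5280 path validation as it touches the Name Constraints
extension (OID 2.5.29.30). Constructed data, standard library only."""
from dataclasses import dataclass, field

NAME_CONSTRAINTS_OID = "2.5.29.30"   # id-ce-nameConstraints, RFC 5280 4.2.1.10


@dataclass
class NameConstraints:
    permitted: list = field(default_factory=list)   # (nameForm, subtree) pairs
    excluded: list = field(default_factory=list)


@dataclass
class Extension:
    oid: str
    critical: bool
    value: object = None


@dataclass
class Cert:
    subject: tuple                                  # directoryName: ordered (type, value) RDNs
    san: list = field(default_factory=list)         # (nameForm, value) pairs
    extensions: list = field(default_factory=list)


def dns_within(name, subtree):
    # Adding zero or more labels on the left satisfies the subtree:
    # "example.com" covers "www.example.com" but not "badexample.com".
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)


def rfc822_within(addr, subtree):
    # Subtree is a mailbox (exact match), a host (any mailbox on it),
    # or ".example.com" (any host inside that domain, not the domain itself).
    addr, subtree = addr.lower(), subtree.lower()
    if "@" in subtree:
        return addr == subtree
    host = addr.rsplit("@", 1)[-1]
    return host.endswith(subtree) if subtree.startswith(".") else host == subtree


def dn_within(dn, subtree):
    # A DN is inside a directoryName subtree when the subtree's RDNs are a
    # prefix of it (root-most RDN first).
    return tuple(dn[:len(subtree)]) == tuple(subtree)


MATCHERS = {"dNSName": dns_within, "rfc822Name": rfc822_within,
            "directoryName": dn_within}


def name_allowed(form, value, nc):
    """Constraints apply per name form: a form with no permitted subtree is
    unconstrained, and an excluded subtree always wins."""
    match = MATCHERS[form]
    if any(match(value, s) for f, s in nc.excluded if f == form):
        return False
    permitted = [s for f, s in nc.permitted if f == form]
    return not permitted or any(match(value, s) for s in permitted)


def validate_path(path, known_oids):
    """path[0] is the trust anchor, path[-1] the end entity. Returns (ok, reason).
    Constraints asserted by a CA apply to every certificate below it; the trust
    anchor's own extensions are not processed in this model."""
    active = []
    for cert in path[1:]:
        names = [("directoryName", cert.subject)] + list(cert.san)
        for nc in active:
            for form, value in names:
                if form in MATCHERS and not name_allowed(form, value, nc):
                    return False, f"{form} {value!r} violates name constraints"
        for ext in cert.extensions:
            if ext.oid not in known_oids:
                if ext.critical:          # RFC 5280 4.2: unknown critical => reject
                    return False, f"unknown critical extension {ext.oid}"
                continue                  # unknown non-critical extensions are ignored
            if ext.oid == NAME_CONSTRAINTS_OID:
                active.append(ext.value)
    return True, "path accepted"


# Constructed scenario modelled on the bridged situation in the thread.
FED_ROOT = Cert(subject=(("C", "US"), ("O", "U.S. Government"), ("CN", "Federal Root")))
# Cross-certificate issued to a partner CA; the critical Name Constraints
# extension confines the partner to its own DN arc and mail domain.
PARTNER_CROSS = Cert(
    subject=(("C", "US"), ("O", "Partner Inc"), ("CN", "Partner CA")),
    extensions=[Extension(NAME_CONSTRAINTS_OID, critical=True, value=NameConstraints(
        permitted=[("directoryName", (("C", "US"), ("O", "Partner Inc"))),
                   ("rfc822Name", ".partner.example")]))])
PARTNER_SELF = Cert(subject=PARTNER_CROSS.subject)   # the partner CA imported directly as an anchor
GOOD_LEAF = Cert(subject=(("C", "US"), ("O", "Partner Inc"), ("CN", "Alice")),
                 san=[("rfc822Name", "alice@mail.partner.example")])
COLLIDING_LEAF = Cert(subject=(("C", "US"), ("O", "U.S. Government"), ("CN", "Alice")),
                      san=[("rfc822Name", "alice@mail.partner.example")])

CONFORMING = {"2.5.29.15", "2.5.29.19", NAME_CONSTRAINTS_OID}   # keyUsage, basicConstraints, nameConstraints
NON_CONFORMING = {"2.5.29.15", "2.5.29.19"}                      # treats 2.5.29.30 as unknown


def bridged_good(known): return validate_path([FED_ROOT, PARTNER_CROSS, GOOD_LEAF], known)
def bridged_colliding(known): return validate_path([FED_ROOT, PARTNER_CROSS, COLLIDING_LEAF], known)
def direct_anchor(leaf): return validate_path([PARTNER_SELF, leaf], CONFORMING)


if __name__ == "__main__":
    print("conforming, bridged, good leaf:     ", bridged_good(CONFORMING))
    print("non-conforming, bridged, good leaf: ", bridged_good(NON_CONFORMING))
    print("conforming, bridged, colliding leaf:", bridged_colliding(CONFORMING))
    print("direct anchor, colliding leaf:      ", direct_anchor(COLLIDING_LEAF))
```

The last case is the workaround Tim describes: with the partner CA imported as the trust anchor, the cross-certificate carrying the constraints is no longer in the path, so a leaf whose subject collides with the federal namespace is accepted. That is the name-collision risk the reply warns about, and it is the price of working around a validator that rejects the constraint instead of enforcing it.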