How nice, they're asking for a self-signed certificate to include a specific EKU to indicate it's a Trust Anchor, and the OID used for this has never been allocated. Crazy.

I just looked at OpenSSL's objects.txt database, and found some OIDs that need some change:

id-pkix-OCSP 8            : extendedStatus    : Extended OCSP Status
should be "id-pkix-ocsp-pref-sig-algs" (RFC6960).

id-pkix-OCSP 9            : valid
should be id-pkix-ocsp-extended-revoke (RFC6960).

id-pkix-OCSP 10           : path
id-pkix-OCSP 11           : trustRoot             : Trust Root
have never been defined by PKIX.

RFC5906 uses a "trustRoot" EKU, without any OID being proposed or referenced. Your certificate includes the latter one in the EKU extension.

--
Erwann ABALEA

On 28/11/2013 14:26, Dereck Hurtubise wrote:
It is NTP indicating that this certificate is held by a supposed trusted root (authority). This is NTP's way of figuring out if the certificate of the subject/issuer should be trusted or not.

So they misuse X509 extensions for their own purposes.

This alone is not enough.
So they also implement a challenge/response scheme that they do after the certificates are verified.

Read RFC 5906 (autokey) on the CERT message/exchange for more information and why they do this. The Trust Root is used in the identity exchange scheme after the CERT exchange. Also in the RFC.


On Thu, Nov 28, 2013 at 2:07 PM, Walter H. <walte...@mathemainzel.info> wrote:

    Hi,

    On Wed, November 27, 2013 16:02, Dereck Hurtubise wrote:
    >             X509v3 Extended Key Usage:
    >                 Trust Root

    what is this strange?
    'Trust Root' as "Extended Key Usage"?

    ______________________________________________________________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majord...@openssl.org


