Re: [openssl-users] Re: adding certificate policies extension in CSR

2013-09-11 Thread Jakob Bohm

One hypothetical sane use for a certificate policy extension in a CSR
would be if a CA issues certificates of different types and with
different policies (simple example: Regular SSL certs and EV certs).
Then putting the corresponding policy in the CSR indicates, protected
by the proof-of-possession signature, which certificate type is being
requested.

By checking for (and possibly requiring) a matching certificate policy
extension in the CSR, the CA can prevent the high level attack of
someone changing the exterior (not signed) request documents to ask
for a different certificate type than the key holder wanted.

In fact all the exterior information typically provided outside the CSR
when requesting a certificate from a commercial CA could/should ideally
be placed in CSR extensions, but current standard tools prevent typical
admins from inputting this information during CSR generation, hence the
current use of minimal CSRs and web forms.

On 9/9/2013 2:41 PM, Willy Weisz wrote:
> On 09.09.2013 12:13, phildoch wrote:
>> Ok. So meanwhile, unless it will be proven that it is illegal,
>
> Looking at the IETF RFCs, none that I found explicitly or implicitly
> indicated a meaningful use of the certificate policies entry in a CSR.
> On the other hand the semantics of this entry means that it can be used
> to check whether the certificate issuer has a policy that allows the
> relying party to trust it, and thus accept the data signed using the
> private key associated with the certificate's public key component.
>
> The certificate is a kind of ID document for the data sent and its
> relation to its originator. In this sense putting a certificate policy
> in a CSR is like requesting the issuance of a passport based on the
> requester's wishes not the policy of the public authority issuing the
> document.
>
> Allowing a certificate policy entry in the CSR without considering it
> for the issuance of a certificate would be consistent with the semantics
> of the certification policies, but pure nonsense.
>
>> let's say that
>> for any reason the Certificate requester wants to add a certificate
>> policies extension in the CSR.
>> Is this syntax correct?
>>   add_ext(exts, NID_certificate_policies, 1.3.6.1);
>> (based on function mkreq() in file
>> openssl/demos/x509/openssl/demos/x509/mkreq.c)
>>
>>   Thanks




Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
__
OpenSSL Project http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


Re: [openssl-users] Re: adding certificate policies extension in CSR

2013-09-09 Thread Erwann Abalea

The requestor is allowed to ask for any extension it wants.
The CA will do its job, ignore those requested extensions, and place the 
good ones in the certificate. It can also change the subject name 
contained in the certificate.


--
Erwann ABALEA

On 09/09/2013 11:21, phildoch wrote:

> Oh I see. Can you point to a documentation where it is defined which
> extensions a certificate requestor is allowed to add and which should be
> added by the CA only?
>   Thanks.








Re: [openssl-users] Re: adding certificate policies extension in CSR

2013-09-09 Thread phildoch
Ok. So meanwhile, unless it will be proven that it is illegal, let's say that
for any reason the Certificate requester wants to add a certificate
policies extension in the CSR.
Is this syntax correct?
 add_ext(exts, NID_certificate_policies, 1.3.6.1); 
(based on function mkreq() in file
openssl/demos/x509/openssl/demos/x509/mkreq.c)

 Thanks
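Two things in this thread can be made concrete in code: what the value passed to add_ext() actually becomes inside the CSR (phildoch's question above; in mkreq.c the third argument is a C string handed to X509V3_EXT_conf_nid, so the OID is written as "1.3.6.1", not a bare number), and the CA-side check Jakob Bohm describes, where the certificate type named in the unsigned web form is compared against the policy OID carried in the signed CSR. The following is an added example, not code from the thread or from OpenSSL's mkreq.c. It uses only the Python standard library: a small DER encoder/decoder for the certificatePolicies structure plus the comparison. The product catalogue mapping policy OIDs to certificate types is a hypothetical assumption for this example; the two OIDs in it are the published CA/Browser Forum DV and EV policy identifiers.

```python
"""Encode and check an X.509 certificatePolicies extension value (RFC 5280, 4.2.1.4).
Added example in pure standard-library Python; not code from the thread or from mkreq.c.
  certificatePolicies ::= SEQUENCE OF SEQUENCE { policyIdentifier OID, qualifiers OPTIONAL }"""

# Hypothetical CA product catalogue (an assumption for this example): which policy OID
# marks which certificate type.  The OIDs are the CA/Browser Forum DV and EV policy OIDs.
POLICY_CATALOGUE = {
    "2.23.140.1.2.1": "DV",
    "2.23.140.1.1": "EV",
}

def _tlv(tag, content):
    """DER tag-length-value with a definite-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def encode_oid(dotted):
    """Dotted-decimal OID string -> DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}")
    body = bytearray()
    for value in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [value & 0x7F]          # base-128; high bit set on all but the last octet
        value >>= 7
        while value:
            chunk.append(0x80 | (value & 0x7F))
            value >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))

def encode_certificate_policies(oids):
    """Requester side: the DER value a CSR carries for `certificatePolicies = <oid>`
    (policyIdentifier only, no qualifiers)."""
    return _tlv(0x30, b"".join(_tlv(0x30, encode_oid(o)) for o in oids))

def _read_tlv(data, pos):
    """Return (tag, content, position after the element); rejects truncated input."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER header")
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(data):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("truncated DER content")
    return tag, data[pos:pos + length], pos + length

def decode_oid(content):
    """DER OBJECT IDENTIFIER content octets -> dotted-decimal string."""
    if not content or content[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for byte in content:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def decode_certificate_policies(der):
    """CA side: list the policyIdentifier OIDs in a certificatePolicies value."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("certificatePolicies must be one SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid, _ = _read_tlv(info, 0)  # first element; any qualifiers are ignored
        if tag != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid))
    if not oids:
        raise ValueError("certificatePolicies must hold at least one policy")
    return oids

def check_requested_type(csr_policies_der, form_product):
    """Jakob Bohm's check: the unsigned form and the signed CSR must name the same type."""
    try:
        oids = decode_certificate_policies(csr_policies_der)
    except ValueError as exc:
        return False, f"unparseable certificatePolicies in CSR: {exc}"
    unknown = [o for o in oids if o not in POLICY_CATALOGUE]
    if unknown:
        return False, f"CSR asks for a policy this CA does not issue: {unknown}"
    requested = sorted({POLICY_CATALOGUE[o] for o in oids})
    if form_product not in requested:
        return False, f"form says {form_product} but the signed CSR says {requested}"
    return True, f"form and CSR agree on {form_product}"

if __name__ == "__main__":
    der = encode_certificate_policies(["2.23.140.1.2.1"])  # constructed DV request
    print(der.hex(), check_requested_type(der, "DV"), check_requested_type(der, "EV"))
```

The encoder produces the same bytes OpenSSL emits for a policy given without qualifiers, so the output of encode_certificate_policies() is what a CA would find in the CSR's extensionRequest attribute after a request built with `certificatePolicies = 2.23.140.1.2.1` (or the equivalent add_ext() call with a quoted OID). Because that value sits under the CSR's proof-of-possession signature, a mismatch reported by check_requested_type() means the form data and the key holder's request disagree, which is exactly the case Jakob's message says the CA should refuse.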
  





Re: [openssl-users] Re: adding certificate policies extension in CSR

2013-09-09 Thread Willy Weisz


On 09.09.2013 12:13, phildoch wrote:
> Ok. So meanwhile, unless it will be proven that it is illegal,
Looking at the IETF RFCs, none that I found explicitly or implicitly
indicated a meaningful use of the certificate policies entry in a CSR.
On the other hand the semantics of this entry means that it can be used
to check whether the certificate issuer has a policy that allows the
relying party to trust it, and thus accept the data signed using the
private key associated with the certificate's public key component.

The certificate is a kind of ID document for the data sent and its
relation to its originator. In this sense putting a certificate policy
in a CSR is like requesting the issuance of a passport based on the
requester's wishes not the policy of the public authority issuing the
document.

Allowing a certificate policy entry in the CSR without considering it
for the issuance of a certificate would be consistent with the semantics
of the certification policies, but pure nonsense.

> let's say that
> for any reason the Certificate requester wants to add a certificate
> policies extension in the CSR.
> Is this syntax correct?
>   add_ext(exts, NID_certificate_policies, 1.3.6.1);
> (based on function mkreq() in file
> openssl/demos/x509/openssl/demos/x509/mkreq.c)
>
>   Thanks
   




-- 
---
Willy Weisz

  Computational Science Center
  University of Vienna
  Oskar Morgenstern-Platz 1
  A-1090 Wien
Tel: (+43 1) 4277 - 23724     Fax: (+43 1) 4277 - 823724
Mobile: +43 699 10109546      e-mail: willy.we...@univie.ac.at
