"Dr. Stephen Henson" writes:
> > 3. If there is no reference test suite available, should it be assumed
> > that there exists no tested, and, therefore with high probability no
> > correct, implementation of the certification path validation algorithm
> > which handles the policy mappings and name constraints ?
> > 
> 
> There was some debate about how some options in name constraints should be
> interpreted in the PKIX mailing lists not long ago. This suggests that
> "correct" may be subject to interpretation :-)
> 
> I've never seen a certificate with either name or policy constraints in the
> field or indeed privately. Examples would be useful to check out any future
> OpenSSL support for them.

About DPD/DPV:  the outcome of this strawpoll
http://www.imc.org/ietf-pkix/mail-archive/msg05500.html
certainly has implications for this problem.
(The immediate implication has been a lot of strawpoll vote messages on the
pkix mailing list :^)

I'm not sure about name constraints options, but there is a recent thread --
December time frame -- about the meaning of the policy extensions.  There
seem to be a variety of problems here, ranging from "how many policy oids
can a cert have", to what this extension means in a CA signing cert (does
it describe what policy this CA signs?  or under what policy this cert itself
was signed?  Can it mean both &c).

http://www.imc.org/ietf-pkix/mail-archive/msg05207.html

Name constraints, because it was set to critical in the PKIX profile, is probably
dead.  There is very little support for it in the SSL-using universe: openssl
doesn't support it at all, except to reject certs that use it; IE may be
doing something useful with it in recent versions; no Netscape-ish related
browser that I know of does anything useful with it but at least some Mozilla
based ones will reject these certs (probably depends on maturity of NSS).  This
profile has been around since Jan 1999 and this feature is still not widely available.

It's quite easy to create certs with name constraints of various types.
iPlanet/Netscape CMS support creating them.  I believe Microsoft Certificate
Services have templates that support this now.  The problem is, they are
useless to most of us.
I have tried to get some examples of this from the US Fed. bridge PKI members,
but this has not proved successful. (Presuming, of course, that they do 
in fact employ them.)

There are many certs in production use with policy extensions; the VeriSign
end entity certs should provide many examples.

I have been intermittently collecting examples of certificates in order to
learn industry best practices (and illuminate areas of PKIX or related profiles
that are unclear to me).  This was for the benefit of computing Grids, 
look here:
http://caops.es.net/
or here for the data:
http://caops.es.net/Documents/GGFV/Certificate_Profile.pdf
I think enough data has been collected, and intend to push for some 
discussion on extensions we need/need to avoid & relegate the data to
an appendix.  If someone wants to contribute to this in some way
(discussion, more certificate data &c) please feel free to get in
touch with me or get involved in gridforum.

Thanks, ==mwh
Michael Helm
ESnet/LBNL
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
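Added example (not code from this thread, from OpenSSL, or from the ESnet certificate survey): the name-constraint processing that the discussion above says almost nobody had implemented, modelled in Python from RFC 5280 sections 4.2.1.10 and 6.1.4 (the successor to the January 1999 PKIX profile, RFC 2459). The "certificates" are constructed dicts standing in for the already-parsed nameConstraints and subjectAltName extensions, no DER is parsed, and every CA name, hostname and mailbox is invented. Only dNSName and rfc822Name are modelled; directoryName, iPAddress and URI constraints are left out. It shows the three points a path validator has to get right: dNSName matching is by label (a string suffix match wrongly accepts badexample.com under example.com), rfc822Name bases have three distinct forms (mailbox, host, ".domain"), and constraints accumulate down the path, excluded subtrees as a union and permitted subtrees as an intersection.

```python
"""RFC 5280 name-constraint checking (sections 4.2.1.10 and 6.1.4), modelled in Python.
Added example: not code from this thread, from OpenSSL or from the ESnet survey.
Certificates are constructed dicts standing in for the parsed nameConstraints and
subjectAltName extensions (no DER parsing); all names are invented."""
from dataclasses import dataclass, field


def dns_in_subtree(name: str, base: str) -> bool:
    """dNSName: equal to the base or formed by prepending labels to it.
    Compare labels, not characters: 'badexample.com' is outside 'example.com'
    even though str.endswith() would accept it."""
    n, b = name.lower().rstrip(".").split("."), base.lower().rstrip(".").split(".")
    return len(n) >= len(b) and n[-len(b):] == b


def email_in_subtree(addr: str, base: str) -> bool:
    """rfc822Name: base is a mailbox, a host, or '.domain' (hosts within the domain)."""
    addr, base = addr.lower(), base.lower()
    if "@" in base:                 # one particular mailbox
        return addr == base
    host = addr.rpartition("@")[2]
    if base.startswith("."):        # any host inside the domain, not the domain itself
        return host.endswith(base)
    return host == base             # every mailbox on exactly this host


MATCHERS = {"dNSName": dns_in_subtree, "rfc822Name": email_in_subtree}


@dataclass
class Constraints:
    """Path state, kind -> bases.  A kind absent from 'permitted' is unconstrained."""
    permitted: dict = field(default_factory=dict)
    excluded: dict = field(default_factory=dict)

    def apply(self, ext: dict) -> None:
        """Fold a CA's nameConstraints in: excluded is a union, permitted an intersection."""
        for kind, base in ext.get("excluded", []):
            self.excluded.setdefault(kind, []).append(base)
        new: dict = {}
        for kind, base in ext.get("permitted", []):
            new.setdefault(kind, []).append(base)
        for kind, bases in new.items():
            if kind not in self.permitted:
                self.permitted[kind] = list(bases)
                continue
            # Keep the narrower of each nested pair; an empty result means no name
            # of this kind is acceptable anywhere further down the path.
            match = MATCHERS[kind]
            self.permitted[kind] = [b if match(b, old) else old
                                    for old in self.permitted[kind] for b in bases
                                    if match(b, old) or match(old, b)]

    def violations(self, names) -> list:
        """Names outside the accumulated constraints, as (kind, name, reason)."""
        bad = []
        for kind, name in names:
            if kind not in MATCHERS:    # directoryName, iPAddress, URI: not modelled here
                continue
            fits = lambda bases: any(MATCHERS[kind](name, b) for b in bases)
            if kind in self.permitted and not fits(self.permitted[kind]):
                bad.append((kind, name, "not in any permitted subtree"))
            elif fits(self.excluded.get(kind, [])):
                bad.append((kind, name, "in an excluded subtree"))
        return bad


def validate_path(path: list) -> tuple:
    """Issuer first.  A CA's constraints bind every later certificate, not itself."""
    state, problems = Constraints(), []
    for cert in path:
        problems += [(cert["subject"],) + v for v in state.violations(cert.get("names", []))]
        if "nameConstraints" in cert:
            state.apply(cert["nameConstraints"])
    return not problems, problems


# Constructed sample chain (invented names).
CORP_CA = {"subject": "CN=Corp Issuing CA", "nameConstraints": {
    "permitted": [("dNSName", "example.com"), ("rfc822Name", "example.com")],
    "excluded": [("dNSName", "internal.example.com")]}}
ENG_CA = {"subject": "CN=Engineering CA", "names": [("dNSName", "ca.eng.example.com")],
          "nameConstraints": {"permitted": [("dNSName", "eng.example.com")]}}


def ee(subject: str, *names) -> dict:
    return {"subject": subject, "names": list(names)}


def demo() -> dict:
    """Run a few constructed paths; each value is (accepted, violations)."""
    return {
        "ok": validate_path([CORP_CA, ee("CN=www", ("dNSName", "www.example.com"),
                                         ("rfc822Name", "ops@example.com"))]),
        "suffix_trap": validate_path([CORP_CA, ee("CN=bad", ("dNSName", "badexample.com"))]),
        "excluded": validate_path([CORP_CA, ee("CN=db", ("dNSName", "db.internal.example.com"))]),
        "mail_host": validate_path([CORP_CA, ee("CN=mx", ("rfc822Name", "bob@mail.example.com"))]),
        "narrowed": validate_path([CORP_CA, ENG_CA, ee("CN=hr", ("dNSName", "hr.example.com"))]),
        "narrowed_ok": validate_path([CORP_CA, ENG_CA, ee("CN=ci", ("dNSName", "ci.eng.example.com"))]),
    }
```

Running `demo()` accepts the "ok" and "narrowed_ok" paths and rejects the other four: badexample.com fails the label comparison, db.internal.example.com sits in the excluded subtree, bob@mail.example.com is refused because an rfc822Name base of "example.com" covers mailboxes on that one host rather than the whole domain (".example.com" would), and hr.example.com is outside the permitted set after the Engineering CA narrows it to eng.example.com. A real validator also has to apply directoryName constraints to the subject DN and rfc822Name constraints to an emailAddress attribute in the subject, which this model omits.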