[cabfpub] Critical CRL extensions

Yngve N. Pettersen (Developer Opera Software ASA) yngve at opera.com
Fri Oct 26 22:18:57 UTC 2012


Hi,

The past week I have noticed two reports about sites failing in Opera  
12.10 Beta.

The reason for the failures turns out to be that the CRLs specified in the  
certificates include the use of extensions (specifically the reason code  
extension) that are marked critical. The crypto library Opera 12.10 uses,  
OpenSSL 1.0.1x, throws a Critical extension error when noticing this, and  
as a result Opera treats the failure as a CRL signature failure, which is  
considered a fatal error.

The reason OpenSSL changed behavior is that the IETF PKIX WG recently  
changed the recommendations for how critical extensions in CRLs should be  
handled, such that unknown critical extensions should cause the CRL  
validation to fail.

This is a heads-up to consider carefully whether a CRL extension really needs  
to be marked critical. My assumption is that one will only need to do so in  
special applications where the relying party software is tightly  
controlled, not the general WebPKI.

At present this seems to be limited to a single Root CA (trusted by  
several root stores, but not a member of the CABForum).

-- 
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer		     Email: yngve at opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 96 90 41 51              Fax:    +47 23 69 24 01
********************************************************************
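The following is an added example, not code from the original post or from Opera or OpenSSL: it reproduces the failure the mail describes with the openssl command line tool and shows the check a CA operator can run on a CRL before publishing it. A throwaway CA issues one leaf certificate and two otherwise identical CRLs; one carries an extension marked critical. The openssl ca command always emits the reasonCode entry extension as non-critical, so the demo marks a CRL-level extension with a private OID critical instead; OpenSSL flags unknown critical extensions at either level the same way. The subject names, the OID 1.3.6.1.4.1.99999.1 and every file name below are assumptions made for this demo, and openssl(1) 1.1.1 or later is assumed to be on PATH.

```shell
#!/bin/sh
# Added demo (not from the original post): OpenSSL rejects a CRL carrying an
# unknown critical extension, and how to spot such extensions before publishing.
# Assumed: openssl(1) >= 1.1.1 on PATH; names, OID and paths are made up.
set -eu

WORK=$(mktemp -d)

# Create a throwaway CA, one leaf certificate and a ca(1) config with two CRL
# extension sections that differ only in the critical flag.
setup_pki() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -subj "/CN=Demo CRL CA" -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -subj "/CN=leaf.example" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -set_serial 1001 -days 1 -out "$WORK/leaf.crt" >/dev/null 2>&1
    : > "$WORK/index.txt"    # empty ca(1) database: nothing is revoked
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
database         = $WORK/index.txt
new_certs_dir    = $WORK
certificate      = $WORK/ca.crt
private_key      = $WORK/ca.key
default_md       = sha256
default_crl_days = 1

# A private-OID extension (demo OID) whose value is an ASN.1 NULL.  No
# general-purpose relying party recognises it: the "unknown extension" case.
[ crl_noncrit ]
1.3.6.1.4.1.99999.1 = DER:05:00

[ crl_crit ]
1.3.6.1.4.1.99999.1 = critical,DER:05:00
EOF
}

# gen_crl SECTION FILE: issue a CRL from the empty database with that extension section.
gen_crl() {
    openssl ca -config "$WORK/ca.cnf" -gencrl -crlexts "$1" \
        -out "$WORK/$2" >/dev/null 2>&1
}

# verify_leaf CRLFILE: validate the leaf with revocation checking against CRLFILE.
# Prints OK, the OpenSSL error text for the critical-extension case, or FAIL.
verify_leaf() {
    out=$(openssl verify -crl_check -CAfile "$WORK/ca.crt" \
              -CRLfile "$WORK/$1" "$WORK/leaf.crt" 2>&1) || true
    case $out in
        *": OK"*)                               echo OK ;;
        *"unhandled critical CRL extension"*)   echo "unhandled critical CRL extension" ;;
        *)                                      echo FAIL ;;
    esac
}

# list_critical_exts CRLFILE: the pre-publication check.  "openssl crl -text"
# prints every CRL-level and entry-level extension as "<name or OID>: critical"
# when the flag is set; print just those names (no output means none is critical).
list_critical_exts() {
    openssl crl -in "$WORK/$1" -noout -text \
        | sed -n 's/^ *\([^ ].*\): critical$/\1/p'
}

setup_pki
gen_crl crl_noncrit crl_noncrit.pem
gen_crl crl_crit crl_crit.pem
echo "non-critical extension: $(verify_leaf crl_noncrit.pem)"
echo "critical extension:     $(verify_leaf crl_crit.pem)"
echo "critical extensions in crl_crit.pem: $(list_critical_exts crl_crit.pem)"
```

Running the script prints OK for the first CRL and "unhandled critical CRL extension" for the second; the leaf is not revoked in either, so the only difference is the critical flag. The same OpenSSL rule covers CRL entry extensions, so a reasonCode marked critical (the case in the mail) fails the same way; RFC 5280 defines reasonCode as a non-critical entry extension. openssl verify accepts -ignore_critical to suppress the error, which is a debugging aid, not something a browser will do on a user's behalf.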