[cabfpub] Critical CRL extensions

Rick Andrews Rick_Andrews at symantec.com
Fri Oct 26 23:55:05 UTC 2012


Yngve,

The reason code isn't new, and it should be easy to parse. Wouldn't it have been easy for OpenSSL to make this a "known" extension?

-Rick

> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> On Behalf Of Yngve N. Pettersen (Developer Opera Software ASA)
> Sent: Friday, October 26, 2012 3:19 PM
> To: public at cabforum.org
> Subject: [cabfpub] Critical CRL extensions
> 
> Hi,
> 
> The past week I have noticed two reports about sites failing in Opera
> 12.10 Beta.
> 
> The reason for the failures turns out to be that the CRLs specified in the
> certificates include the use of extensions (specifically the reason code
> extension) that are marked critical. The crypto library Opera 12.10 uses,
> OpenSSL 1.0.1x, throws a Critical extension error when noticing this, and
> as a result Opera treats the failure as a CRL signature failure, which is
> considered a fatal error.
> 
> The reason OpenSSL changed behavior is that the IETF PKIX WG recently
> changed the recommendations of how critical extensions in CRLs should be
> handled, and that unknown critical extensions should cause the CRL
> validation to fail.
> 
> This is a heads up to consider carefully if a CRL extension really needs
> to be marked critical. My assumption is that one will only need to do so
> in special applications where the relying party software is tightly
> controlled, not general WebPKI.
> 
> At present this seems to be limited to a single Root CA (Trusted by
> several rootstores, but is not a member of the CABForum).
> 
> --
> Sincerely,
> Yngve N. Pettersen
> ********************************************************************
> Senior Developer		     Email: yngve at opera.com
> Opera Software ASA                   http://www.opera.com/
> Phone:  +47 96 90 41 51              Fax:    +47 23 69 24 01
> ********************************************************************
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
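The rule the two messages are arguing about (RFC 5280 sections 5.2 and 5.3: a relying party must not use a CRL carrying a critical extension it does not recognise) can be checked directly on a CRL. The following is an added example, not code from either poster, from OpenSSL, or from Opera; it is stdlib-only Python with a small DER encoder and parser, a constructed sample CRL whose single entry carries a reasonCode extension, and a dummy signature value (signatures are not verified). The set `RFC5280_CRL_EXTENSIONS` lists the extension OIDs RFC 5280 defines for CRLs and CRL entries; which OIDs a given verifier actually recognises is a parameter, because that is exactly what Rick's question turns on.

```python
"""Audit a DER CRL for critical extensions a verifier does not recognise."""

REASON_CODE = "2.5.29.21"   # reasonCode, a CRL entry extension
CRL_NUMBER = "2.5.29.20"    # cRLNumber, a CRL extension

# Extension OIDs defined for CRLs and CRL entries in RFC 5280 sections 5.2 / 5.3.
RFC5280_CRL_EXTENSIONS = {
    "2.5.29.35", "2.5.29.18", CRL_NUMBER, "2.5.29.27", "2.5.29.28", "2.5.29.46",
    "1.3.6.1.5.5.7.1.1",               # CRL extensions (AKI, IAN, number, delta, IDP, freshest, AIA)
    REASON_CODE, "2.5.29.24", "2.5.29.29",   # entry extensions (reason, invalidityDate, certIssuer)
}

# --- minimal DER helpers (constructed for this example) ----------------------
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def oid_encode(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def oid_decode(b):
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

# --- CRL inspection -----------------------------------------------------------
def parse_extensions(seq_body):
    """SEQUENCE OF Extension -> [(oid, critical)]; BOOLEAN DEFAULT FALSE when absent."""
    exts = []
    for _, ext in children(seq_body):
        parts = children(ext)
        critical = len(parts) == 3 and parts[1][0] == 0x01 and parts[1][1] != b"\x00"
        exts.append((oid_decode(parts[0][1]), critical))
    return exts

def list_crl_extensions(crl_der):
    """Return [(scope, oid, critical)] for every CRL and CRL-entry extension."""
    _, cert_list, _ = read_tlv(crl_der, 0)
    fields = children(children(cert_list)[0][1])    # tbsCertList members, in order
    i = 1 if fields[0][0] == 0x02 else 0             # optional version
    i += 3                                           # signature, issuer, thisUpdate
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        i += 1                                       # optional nextUpdate
    found = []
    if i < len(fields) and fields[i][0] == 0x30:     # revokedCertificates
        for _, entry in children(fields[i][1]):
            parts = children(entry)
            if len(parts) == 3:                      # crlEntryExtensions present
                serial = int.from_bytes(parts[0][1], "big")
                found += [("entry %d" % serial, o, c) for o, c in parse_extensions(parts[2][1])]
        i += 1
    if i < len(fields) and fields[i][0] == 0xA0:     # [0] EXPLICIT crlExtensions
        found += [("crl", o, c) for o, c in parse_extensions(children(fields[i][1])[0][1])]
    return found

def unrecognized_critical(crl_der, recognized):
    return [(s, o) for s, o, c in list_crl_extensions(crl_der) if c and o not in recognized]

def crl_usable(crl_der, recognized):
    """RFC 5280: any unrecognised critical extension makes the CRL unusable."""
    return not unrecognized_critical(crl_der, recognized)

# --- constructed sample CRL (dummy signature, no real CA) ---------------------
def _ext(oid, value, critical=False):
    flag = der(0x01, b"\xff") if critical else b""
    return der(0x30, oid_encode(oid) + flag + der(0x04, value))

def build_sample_crl(reason_code_critical):
    alg = der(0x30, oid_encode("1.2.840.113549.1.1.11") + der(0x05, b""))      # sha256WithRSA
    issuer = der(0x30, der(0x31, der(0x30, oid_encode("2.5.4.3") + der(0x0C, b"Example Root CA"))))
    entry = der(0x30, der(0x02, b"\x10\x01") + der(0x17, b"121025120000Z")
                + der(0x30, _ext(REASON_CODE, der(0x0A, b"\x01"), reason_code_critical)))
    tbs = der(0x30, der(0x02, b"\x01") + alg + issuer + der(0x17, b"121026000000Z")
              + der(0x17, b"121102000000Z") + der(0x30, entry)
              + der(0xA0, der(0x30, _ext(CRL_NUMBER, der(0x02, b"\x2a")))))
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 33))   # placeholder signatureValue

if __name__ == "__main__":
    crl = build_sample_crl(reason_code_critical=True)
    print(list_crl_extensions(crl))
    print("usable if reasonCode is known:", crl_usable(crl, RFC5280_CRL_EXTENSIONS))
    print("usable if reasonCode is unknown:", crl_usable(crl, RFC5280_CRL_EXTENSIONS - {REASON_CODE}))
```

Running it shows both sides of the thread: the same CRL is accepted by a verifier whose recognised set includes reasonCode and rejected by one whose set does not, so the failure Yngve reports depends on which extensions the library treats as known, not on the CRL being malformed. A CA can use `unrecognized_critical` against an empty recognised set as a pre-publication lint to list every critical extension a conservative client might choke on.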