[security-dev 00880]: Re: CR 6847459 Created, P3 java/classes_secu Allow trust anchor self-issued intermediate version 1 and version 2 certificate
Weijun Wang Weijun.Wang at Sun.COM
Wed Jun 3 08:51:35 UTC 2009
Xuelei Fan wrote:
Weijun Wang wrote:
Maybe you can be even more strict: If the trust anchor (cert[0]) is already v3, cert[1] must also be v3. Is this reasonable?
Currently, the checker knows nothing about the trust anchor. If we support the above checking, we need to update the checker and let it know the trust anchor's certificate; it is a little bit complex. Trust anchor is not in the certification path, cert[0] is the cert directly issued by the trust anchor. So, maybe, it is reasonable, but I don't think it is worth too many changes.
Oh, that's OK.
I see 'if (i == 1)' so I thought there's an i == 0 cert somewhere.
Thanks Max
Thanks, Andrew
Max
Xuelei Fan wrote:
Weijun Wang wrote:
Xuelei Fan wrote:
Weijun Wang wrote:
+ // We choose to reject all version 1 and version 2 intermediate + // certificates except that it is self issued by the trust + // anchor in order to support key rollover or changes in + // certificate policies. + int pathLenConstraint = -1; + if (currCert.getVersion() < 3) { // version 1 or version 2 + if (i == 1) { // issued by a trust anchor
So, self-issued cert can be only issued by trust anchor, but not an intermediate CA?
No, self-issued cert can be issued by any entity, but I choose to reject those self-issued version 1 and version 2 certificates here, because I have no way to understand whether it is a CA or not.
One question: what's the version of the trust anchor in the failed test? Is it v1?
It is V1, and issues a self-issued V1 certificate to renew the private key, so there is an intermediate V1 CA cert.
If so, I think the reason the test fails is because it's written in the v1 age. So my suggestion is that if the trust anchor is v1, then we wouldn't expect the other certs to obey any new rules. Otherwise, if the trust anchor is already v3, the validation should conform to the latest RFC.
RFC5280 allows V1/V2 certificates, and specifies how to handle version 1 and version 2 intermediate CA certs. We can just reject them simply as the spec required. I just think we need to support the special case: key rollover.
In practical cases, is there a CA whose self-signed cert is v3, but it issues a self-issued cert of v1?
Many, many Verisign root certs are V1, and the intermediate certs are V3.
Thanks, Andrew
Thanks Max
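Review bot: at `if (i == 1) { // issued by a trust anchor`, the exception rests on a bare index whose meaning the hunk does not document; the comment should state which certificate in the path index 1 denotes and why that position implies the issuer is the trust anchor, or the literal should be replaced by a named condition. The block comment above limits the exception to certificates that are self issued by the trust anchor, yet the visible lines test only the version and the position, so the body of this branch should be checked to confirm it also compares subject and issuer before a version 1 or version 2 certificate is accepted as a CA. `pathLenConstraint` is initialised to -1 with no comment saying what -1 stands for.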