FW: [Fed-Talk] PKI Certificate "Name Constraints" extension treated as an unknown critical extension
Cross-posted as relevant to Smart Card Services from Apple Fed-talk.

------ Forwarded Message
From: "Disiena, Ridley J. (GRC-VO00)[DB Consulting Group, Inc.]" <obscured>
Date: Mon, 3 Jan 2011 14:34:52 -0600
To: "fed-talk@lists.apple.com" <fed-talk@lists.apple.com>
Subject: [Fed-Talk] PKI Certificate "Name Constraints" extension treated as an unknown critical extension

Issue: OS X 10.5.x & 10.6.x treat the "Name Constraints" extension as an unknown critical extension and therefore treat the certificate as invalid due to "unrecognized critical extension". I know there are previous threads on this subject for current live certificates of particular agencies and DoD, and we know that this issue is because OS X does not recognize the extension yet. I'm bringing this back up on the list because this issue is likely to plague Federal OS X users and their customers for the foreseeable future until resolved by Apple, since several proposed new Federal Bridge Certificates will likely have such a critical extension. This is news to me since the last posting on the subject; I had hoped newly issued certificates would not be affected, but at this time it appears that will not be the case.

Complications: Since the affected Federal Bridge cross certificates will be found in the PKCS#7 bundles found via validation of AIA locations of Federal Agency certificates, applications that use OS X's certificate security functionality, including the OS X operating system itself, will falsely treat certificates that are valid as invalid due to very outdated libraries. As mentioned in a previous post, the OpenSSL library has been updated to recognize and use the critical Name Constraints extension as of 0.9.8, released 5 years ago, and the PKI definition of the "Name Constraints" extension is now 12 years old. If this is the case, this is not an issue with the certificates; it is a case of severely outdated PKI libraries in OS X.
I have put in a bug report [which will likely get sent back as duplicate and closed] and am following up with Enterprise Support, but since this issue has been occurring for 2 OS versions already with no response from Apple on related posts, I wanted to make the other Federal folks involved with PKI aware that, at this time, it appears we will be affected for the foreseeable future, until Apple addresses the issue. FPKI is being made aware of the issue, but looking at how long ago these extensions were defined in best practices documentation, it looks like the issue is on the Apple side, with OS X failing to recognize / utilize recent libraries, and not so recent standards.

Related Fed-Talk Posts:

Related name constraints noted on Fed-Talk April 2010
PKI Certificates - Unknown Critical Extensions causing problems...
http://lists.apple.com/archives/fed-talk/2010/Apr/msg00005.html
http://lists.apple.com/archives/fed-talk/2010/Apr/msg00006.html
"Also, it looks like the *key* security binaries and/or Frameworks are *STATICALLY* linked to the 'old' OpenSSL libraries"

Related name constraints noted on Fed-Talk December 2010
http://lists.apple.com/archives/fed-talk/2010/Apr/msg00008.html
http://lists.apple.com/archives/fed-talk/2010/Nov/msg00177.html

Related policy constraints noted on Fed-Talk October 2009
http://lists.apple.com/archives/apple-cdsa/2009/Oct/msg00002.html

Backup Information:

OpenSSL 0.9.8 released Tue, 05 Jul 2005 [Over 5 years ago]
http://www.mail-archive.com/openssl-announce@openssl.org/msg00063.html
---> * Added support for certificate policy mappings, policy constraints and name constraints. <---

IETF Document Definition of "Name Constraints" extension: January 1999 [12 Years ago]
http://www.ietf.org/rfc/rfc2459.txt
Housley, et al.                Standards Track                    [Page 34]
RFC 2459        Internet X.509 Public Key Infrastructure        January 1999
---> 4.2.1.11 Name Constraints

------ End of Forwarded Message
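The behaviour the forwarded message describes, shown from the validator's side, as an added example that is not from the post, from Apple or from the OpenSSL project: a CA certificate carrying a critical Name Constraints extension, one end-entity certificate inside the permitted subtree and one outside it, all verified with the OpenSSL command-line tools (0.9.8 or later, which is the version the post cites as first processing the extension). A validator that understands the extension accepts the first leaf and rejects the second with a permitted-subtree violation; a validator that does not recognize it must reject every certificate under that CA, since the extension is critical, which is the "unrecognized critical extension" failure reported above. The CA name, the example.gov subtree, the host names and the working directory are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post or from Apple/OpenSSL: a CA with a
# critical Name Constraints extension, one leaf inside the permitted subtree and
# one outside it, verified with the OpenSSL command-line tools (0.9.8 or later).
# The CA name, the example.gov subtree and the host names are made up.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Self-signed CA whose certificate restricts DNS names to the example.gov subtree.
# The extension is flagged critical, as in the cross certificates discussed above.
make_ca() {
    cat > "$WORKDIR/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
CN = Example Constrained CA
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints      = critical, permitted;DNS:example.gov
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -config "$WORKDIR/ca.cnf" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Issue an end-entity certificate for DNS name $1, written to $2, signed by the CA.
issue_leaf() {
    name="$1"; out="$2"
    printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = %s\n' "$name" > "$out.cnf"
    printf 'subjectAltName = DNS:%s\n' "$name" > "$out.ext"
    openssl req -new -newkey rsa:2048 -nodes -config "$out.cnf" \
        -keyout "$out.key" -out "$out.csr" 2>/dev/null
    openssl x509 -req -in "$out.csr" -days 30 \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$out.ext" -out "$out" 2>/dev/null
}

# Chain-validate a leaf against the CA. A validator that processes Name
# Constraints exits 0 inside the permitted subtree and non-zero (permitted
# subtree violation) outside it; one that does not recognize the extension
# would have to reject both, because the extension is marked critical.
verify_leaf() {
    openssl verify -CAfile "$WORKDIR/ca.crt" "$1"
}

# The check to run on a real cross certificate: is Name Constraints present,
# and is it marked critical? Exit status 0 if so.
has_critical_name_constraints() {
    openssl x509 -in "$1" -noout -text | grep -q 'Name Constraints: critical'
}

# Print the decoded constraint as the validator sees it.
show_constraints() {
    openssl x509 -in "$1" -noout -text |
        awk '/Name Constraints/ { n = 3 } n > 0 { print; n-- }'
}

make_ca
show_constraints "$WORKDIR/ca.crt"
issue_leaf host.example.gov "$WORKDIR/inside.crt"
issue_leaf host.other.org  "$WORKDIR/outside.crt"
verify_leaf "$WORKDIR/inside.crt"            # inside.crt: OK
verify_leaf "$WORKDIR/outside.crt" || true   # permitted subtree violation, non-zero exit
```

To run the same presence-and-criticality check on the cross certificates the post refers to, extract them from the PKCS#7 bundle fetched from the AIA location (openssl pkcs7 -inform DER -in bundle.p7c -print_certs -out certs.pem, with the file name being whatever the AIA URL returns) and pass each certificate to has_critical_name_constraints. Note that OpenSSL can only show what a validator that understands the extension does; it cannot reproduce the OS X rejection itself.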
participants (1)
-
Dan O'Donnell