[SmartcardServices-Users] FW: [Fed-Talk] PKI Certificate "Name Constraints" extension treated as an unknown critical extension

Dan O'Donnell odonnell at rand.org
Mon Jan 3 13:14:58 PST 2011


Cross-posted as relevant to Smart Card Services from Apple Fed-talk.

------ Forwarded Message
From: "Disiena, Ridley J. (GRC-VO00)[DB Consulting Group,  Inc.]" <obscured>
Date: Mon, 3 Jan 2011 14:34:52 -0600
To: "fed-talk at lists.apple.com" <fed-talk at lists.apple.com>
Subject: [Fed-Talk] PKI Certificate "Name Constraints" extension treated as
an unknown critical extension


Issue: OS X 10.5.x & 10.6.x treats the "Name Constraints" extension as an
unknown critical extension and therefore treats the certificate as invalid
due to "unrecognized critical extension".

I know there are previous threads on this subject for current live
certificates of particular agencies and DoD, and we know that this issue is
because OS X does not recognize the extension yet.  I'm bringing this back
up on the list because this issue is likely to plague Federal OS X users
and their customers for the foreseeable future until resolved by Apple, since
several proposed new Federal Bridge Certificates will likely have such a
critical extension.  This is news to me since the last posting on the
subject; I had hoped newly issued certificates would not be affected, but at
this time it appears that will not be the case.

Complications: Since the affected Federal Bridge cross certificates will be
found in the PKCS#7 bundles found via validation of AIA locations of Federal
Agency certificates, applications that use OS X's certificate security
functionality, including the OS X operating system itself, will falsely treat
certificates that are valid as invalid due to very outdated
libraries.  As mentioned in a previous post, the OpenSSL library has been
updated to recognize and use the Critical Name Extension as of 0.9.8,
released 5 years ago, and the PKI definition of the "Name Constraints"
extension is now 12 years old.  If this is the case, this is not an issue
with the certificates; it is a case of severely outdated PKI libraries in
OS X.

I have put in a bug report [which will likely get sent back as duplicate and
closed] and am following up with Enterprise Support, but since this issue has
been occurring for 2 OS versions already with no response from Apple on
related posts, I wanted to make the other Federal folks involved with PKI
aware that, at this time, it appears we will be affected for the foreseeable
future, until Apple addresses the issue.  FPKI is being made aware of the
issue, but in looking at how long ago these extensions were defined in best
practices documentation, it looks like the issue is on the Apple side, with
OS X failing to recognize / utilize recent libraries, and not so recent
standards.

Related Fed-Talk Posts:

Related name constraints noted on Fed-Talk April 2010
PKI Certificates - Unknown Critical Extensions causing problems...
http://lists.apple.com/archives/fed-talk/2010/Apr/msg00005.html
http://lists.apple.com/archives/fed-talk/2010/Apr/msg00006.html
"Also, it looks like the *key* security binaries and/or Frameworks are
*STATICALLY* linked to the 'old' OpenSSL libraries"

Related name constraints noted on Fed-Talk December 2010
http://lists.apple.com/archives/fed-talk/2010/Apr/msg00008.html
http://lists.apple.com/archives/fed-talk/2010/Nov/msg00177.html

Related policy constraints noted on Fed-Talk October 2009
http://lists.apple.com/archives/apple-cdsa/2009/Oct/msg00002.html


Backup Information:

OpenSSL 0.9.8 released Tue, 05 Jul 2005 [ Over 5 years ago ]
http://www.mail-archive.com/openssl-announce@openssl.org/msg00063.html
--->
* Added support for certificate policy mappings, policy
      constraints and name constraints.
<---

IETF Document Definition of "Name Constraints" extension: January 1999 [12
Years ago]
http://www.ietf.org/rfc/rfc2459.txt
Housley, et. al.            Standards Track                    [Page 34]
RFC 2459        Internet X.509 Public Key Infrastructure    January 1999
--->
4.2.1.11  Name Constraints



------ End of Forwarded Message
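Added example, not code from this thread, from Apple, or from OpenSSL: a small Python model of the RFC 2459/5280 path-validation rules that decide what happens to a critical Name Constraints extension (OID 2.5.29.30). It shows the two behaviours the post contrasts: a validator that does not know the OID must reject the certificate as carrying an unrecognized critical extension, while one that does know it must enforce the permitted and excluded subtrees on every certificate that follows the constraining CA. The chain, subject names and domains are constructed for the example, and the two OID sets are illustrative assumptions, not a list of what OS X 10.5/10.6 actually recognized.

```python
"""Model of the RFC 2459/5280 rules for a critical Name Constraints extension.
Added example; not the thread's, Apple's or OpenSSL's code."""
from dataclasses import dataclass, field

NAME_CONSTRAINTS_OID = "2.5.29.30"

# Illustrative assumption: an older validator that knows only the basic
# extensions and therefore treats 2.5.29.30 as unknown.
LEGACY_KNOWN_OIDS = {
    "2.5.29.14", "2.5.29.15", "2.5.29.17", "2.5.29.19", "2.5.29.31", "2.5.29.35",
}
# A validator updated for RFC 3280/5280 also understands name constraints,
# certificate policies, policy mappings and policy constraints.
UPDATED_KNOWN_OIDS = LEGACY_KNOWN_OIDS | {
    NAME_CONSTRAINTS_OID, "2.5.29.32", "2.5.29.33", "2.5.29.36",
}


@dataclass
class Extension:
    oid: str
    critical: bool
    value: object = None  # for 2.5.29.30: {"permitted": [...], "excluded": [...]}


@dataclass
class Cert:
    subject: str
    is_ca: bool = False
    san: list = field(default_factory=list)  # (name_type, value) pairs
    extensions: list = field(default_factory=list)


def unrecognized_critical(cert, known_oids):
    """RFC 5280 4.2: a critical extension the validator cannot process makes the
    certificate unusable; unknown non-critical extensions are simply ignored."""
    return [e.oid for e in cert.extensions if e.critical and e.oid not in known_oids]


def dns_matches(name, constraint):
    """RFC 5280 4.2.1.10 dNSName: 'example.gov' matches example.gov and any
    name built by adding labels on the left (host.example.gov)."""
    name, constraint = name.lower().rstrip("."), constraint.lower().rstrip(".")
    return name == constraint or name.endswith("." + constraint)


def email_matches(name, constraint):
    """rfc822Name: a full mailbox matches exactly, a bare host matches every
    mailbox at that host, and a leading '.' matches subdomains only."""
    name, constraint = name.lower(), constraint.lower()
    if "@" in constraint:
        return name == constraint
    host = name.rsplit("@", 1)[-1]
    if constraint.startswith("."):
        return host.endswith(constraint)
    return host == constraint


MATCHERS = {"dNSName": dns_matches, "rfc822Name": email_matches}


def name_allowed(name_type, name, permitted_sets, excluded):
    """Reject a name that falls in any excluded subtree, or that misses every
    permitted subtree of its type imposed by some CA (permitted subtrees from
    successive CAs intersect rather than accumulate)."""
    match = MATCHERS[name_type]
    if any(t == name_type and match(name, c) for t, c in excluded):
        return False
    for subtrees in permitted_sets:
        applicable = [c for t, c in subtrees if t == name_type]
        if applicable and not any(match(name, c) for c in applicable):
            return False
    return True


def validate_path(chain, known_oids):
    """chain is ordered trust anchor first, end entity last. Returns (ok, reason).
    Constraints carried by a CA apply to every certificate after it."""
    permitted_sets, excluded = [], []
    for cert in chain:
        bad = unrecognized_critical(cert, known_oids)
        if bad:
            return False, f"{cert.subject}: unrecognized critical extension {bad}"
        for name_type, name in cert.san:
            if not name_allowed(name_type, name, permitted_sets, excluded):
                return False, f"{cert.subject}: {name_type} {name} violates name constraints"
        for e in cert.extensions:
            if e.oid == NAME_CONSTRAINTS_OID:
                permitted_sets.append(e.value.get("permitted", []))
                excluded += e.value.get("excluded", [])
    return True, "path valid"


# Constructed chain: a bridge cross-certificate carrying a *critical* name
# constraint, the situation the post describes. Names and domains are made up.
BRIDGE_CONSTRAINT = Extension(NAME_CONSTRAINTS_OID, critical=True, value={
    "permitted": [("dNSName", "agency.example"), ("rfc822Name", ".agency.example")],
    "excluded": [("dNSName", "test.agency.example")],
})
ROOT = Cert("Constructed Root CA", is_ca=True, extensions=[Extension("2.5.29.19", True)])
BRIDGE = Cert("Constructed Bridge CA", is_ca=True,
              extensions=[Extension("2.5.29.19", True), BRIDGE_CONSTRAINT])
USER = Cert("Constructed User", san=[("rfc822Name", "user@mail.agency.example"),
                                    ("dNSName", "pki.agency.example")])
CHAIN = [ROOT, BRIDGE, USER]
# Same issuer, but with a name outside the bridge's permitted subtree.
ROGUE = Cert("Constructed Rogue", san=[("dNSName", "pki.other.example")])

if __name__ == "__main__":
    print(validate_path(CHAIN, LEGACY_KNOWN_OIDS))   # rejected: unknown critical extension
    print(validate_path(CHAIN, UPDATED_KNOWN_OIDS))  # accepted: constraint understood and met
    print(validate_path([ROOT, BRIDGE, ROGUE], UPDATED_KNOWN_OIDS))  # rejected by the constraint
```

The first call reproduces the failure mode in the post: the rejection happens at the bridge certificate itself, before any constraint is evaluated, so every path through that cross-certificate fails regardless of how well-formed the end-entity certificate is. The third call shows what the extension is for once it is understood: the same bridge now limits which names its subordinate hierarchy may vouch for.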

