Based on a dialog that said "unknown critical extension"
I've never seen that dialog on Netscape, though I've seen IE produce it. What I'm saying is that stepup uses EKU (among other things) to identify its certificates. Netscape 4.[something] did support stepup, so presumably it at least partially parsed EKU. What version rejected critical EKU?
Well, I'm wondering if I remember this wrong. It was definitely IE
that required the dates to nest, but it MIGHT have been IE that said
this dialog as well. I remember my initial development setup was
Netscape 4.72 on a Macintosh and an Apache 1.x server running on my (Debian) Linux machine, and I did discover this problem fairly late
in the process, so it COULD be that I discovered it while testing
with IE (I believe it was 5).
The problem was that this Win 98 system is the one I cross boot with Debian, so I couldn't use it as a client until the PKI was migrated to a Solaris box, and that happened relatively late in the process.
We have jealousy problems here with "machine counts", so I can only have two machines on my desk. So I do a lot of testing with the machines at home and with laptops that are not in the face of the jealous ones...
Guess I'm getting old. My SO is a college professor, and she was so worried about her tendency to forget her train of thought in the middle of class that she got an MRI this week. I just chalk it up to our getting old.
Setting anything to critical may cause problems for older clients because at least one version of IE rejects anything that's critical, even if it does recognize it.
>> (absent the critical bit) then IMHO it is broken too. Grump.... if IE rejects anything that is critical even if it does recognize it
Well, it's only an older version of IE that does that; the current stuff doesn't, though it has its own weirdness.
Now I wonder if I misread you again. You are saying
"if it does recognize it"
does that mean 1) it allows it (possibly by not knowing about it at all) or 2) it actually recognizes it and does something different
In case 1, yes, it seems OK to reject something critical that you don't know about, while in case 2, it seems to me that if you do something different when it is present you shouldn't give a tinker's dam about the critical bit. That's what the definition of the critical bit IS, and IMHO software that recognizes the extension to the point of assigning it semantic meaning should NOT reject it just for being critical, and software that does so is broken. Grump.
This will get much more fun if and when things like nameConstraints become more common. The latest IE already displays that but does something strange, and the standards are ambiguous too...
Well, let this be a warning to EVERYBODY OUT THERE that you need to consider the possibility that some of your clients may be broken and not doing the documented right thing (and being on a Dean's desk where you haven't a chance in the world of getting it thrown out :-) and be sure to test if you do use any of the new groovy features...
-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
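The critical-bit rule argued over in the thread, as an added example that is not from this thread or from OpenSSL: it hand-builds a small DER X.509v3 Extensions SEQUENCE (a constructed sample with short-form lengths only) carrying a critical extendedKeyUsage and a non-critical nameConstraints, parses it back, and puts the RFC 5280 rule (reject only a critical extension you do not recognize) beside the legacy reject-anything-critical behaviour the thread complains about.

```python
EKU = "2.5.29.37"               # id-ce-extKeyUsage
NAME_CONSTRAINTS = "2.5.29.30"  # id-ce-nameConstraints

def _tlv(tag, body):            # DER tag-length-value, short-form lengths (< 128) only
    return bytes([tag, len(body)]) + body

def _oid(dotted):               # OBJECT IDENTIFIER: first byte 40*a+b, then base-128 arcs
    a, b, *rest = (int(x) for x in dotted.split("."))
    out = [40 * a + b]
    for v in rest:
        chunk = [v & 0x7F]
        while v > 0x7F:
            v >>= 7
            chunk.insert(0, (v & 0x7F) | 0x80)
        out += chunk
    return _tlv(0x06, bytes(out))

def encode_extension(oid, critical, value):
    body = _oid(oid)
    if critical:                # DER omits the BOOLEAN when it equals DEFAULT FALSE
        body += _tlv(0x01, b"\xff")
    return _tlv(0x30, body + _tlv(0x04, value))

def _read(buf, i):              # one TLV at offset i -> (tag, body, next offset)
    return buf[i], buf[i + 2:i + 2 + buf[i + 1]], i + 2 + buf[i + 1]

def parse_extensions(der):      # Extensions SEQUENCE -> [(oid, critical, value)]
    _, seq, _ = _read(der, 0)
    result, i = [], 0
    while i < len(seq):
        _, ext, i = _read(seq, i)
        _, raw, j = _read(ext, 0)
        arcs, acc = [raw[0] // 40, raw[0] % 40], 0
        for byte in raw[1:]:
            acc = (acc << 7) | (byte & 0x7F)
            if not byte & 0x80:
                arcs.append(acc); acc = 0
        tag, body, j = _read(ext, j)
        critical = tag == 0x01 and body == b"\xff"
        if tag == 0x01:         # BOOLEAN present, the OCTET STRING value follows it
            _, body, j = _read(ext, j)
        result.append((".".join(map(str, arcs)), critical, body))
    return result

def rfc5280_accepts(exts, recognized):   # only an UNRECOGNIZED critical extension is fatal
    return all(not crit or oid in recognized for oid, crit, _ in exts)

def reject_any_critical(exts):           # the legacy-client behaviour the thread complains about
    return not any(crit for _, crit, _ in exts)
```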
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
