Why questions are particularly difficult to answer.
I guess the real answer is: because the programmer who wrote the software in question decided to program it that way.
The "critical" bit was intended to be an aid to software upgrade: Suppose you are trying to support a mix of old and new software, where the old software does not know about a particular extension but the new software does. Presumably the new software knows the proper way to deal with the extension. For the old software, the critical bit provides a "hint" of what to do. If the critical bit is not set, the software is free to ignore the extension. If the critical bit is set, the software should reject the certificate.
But this is only for the old software, which does not know about the particular extension. In the case you describe, the software DOES know about the Extended Key Usage extension, so the critical bit does not make any difference.
Even though the text description could be read to support your interpretation, note the operant sentance:
"Certificate using applications may nevertheless require that a particular purpose be indicated in order for the certificate to be acceptable to that application."
This leaves the final decision up to the implementor, in this case OpenSSL. The certificate in question is marked for the purpose of client-side authentication (I think this is right) which means it belongs to a person and can be used by that person to prove to a web server who he or she is, AFTER that server has used a Server Side certificate to prove who IT is.
Sorry, I don't know enough about MS CS W2K to advise you if it is difficult, easy, or impossible to add the additional purpose bits at the point the certificate is generated.
> Accorind to RFC 2459:
> If the Extended key usage field is flagged critical, the certificate MUST be used only for one of the purposes indicated.
> If the extension is flagged non-critical, then it indicates the intended purpose or purposes of the key, and may be used in finding the correct key/certificate of an entity that has multiple keys/certificates. It is an advisory field and does not imply that usage of the key is restricted by the certification authority to the purpose indicated. Certificate using applications may nevertheless require that a particular purpose be indicated in order for the
> certificate to be acceptable to that application.
> I have a certificate (generated with MS Certificate Services W2K).
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> 2c:fd:65:6e:00:00:00:00:01:79
> Signature Algorithm: sha1WithRSAEncryption
> ..bla-bla...
> X509v3 extensions:
> X509v3 Key Usage: critical
> Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
> X509v3 Extended Key Usage:
> TLS Web Client Authentication
> Extended key usage in not flagged as critical.
> But I can't use them for smime encoding
>
>>openssl verify -CAfile CA.cer -verbose -purpose smimesign text.cer
>
> error 26 at 0 depth lookup:unsupported certificate purpose
> From man:
> x509(1)
> CERTIFICATE EXTENSIONS
> The extended key usage extension places additional restrictions on the certificate uses. If this extension is present (whether critical or not) the key can only be used for the purposes specified.
> Why?
-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
