One hypothetical sane use for a certificate policy extension in a CSR
would be if a CA issues certificates of different types and with
different policies (simple example: Regular SSL certs and EV certs).
Then putting the corresponding policy in the CSR indicates, protected
by the proof-of-possession signature, which certificate type is being
requested.

By checking for (and possibly requiring) a matching certificate policy
extension in the CSR, the CA can prevent the high level attack of
someone changing the exterior (not signed) request documents to ask
for a different certificate type than the key holder wanted.

In fact all the exterior information typically provided outside the CSR
when requesting a certificate from a commercial CA could/should ideally
be placed in CSR extensions, but current standard tools prevent typical
admins from inputting this information during CSR generation, hence the
current use of "minimal" CSRs and web forms.

On 9/9/2013 2:41 PM, Willy Weisz wrote:

> On 09.09.2013 12:13, phildoch wrote:
>> Ok. So meanwhile, unless it will be proven that it is illegal,
>
> Looking at the IETF RFCs, none that I found explicitly or implicitly
> indicated a meaningful use of the certificate policies entry in a CSR.
> On the other hand the semantics of this entry means that it can be used
> to check whether the certificate issuer has a policy that allows the
> relying party to trust it, and thus accept the data signed using the
> private key associated with the certificate's public key component.
>
> The certificate is a kind of ID document for the data sent and its
> relation to its originator. In this sense putting a certificate policy
> in a CSR is like requesting the issuance of a passport based on the
> requester's wishes not the policy of the public authority issuing the
> document.
>
> Allowing a certificate policy entry in the CSR without considering it
> for the issuance of a certificate would be consistent with the semantics
> of the certification policies, but pure nonsense.
>
>> let's say that
>> for any reason the Certificate requester wants to add a "certificate
>> policies" extension in the CSR.
>> Is this syntax correct?
>>   add_ext(exts, NID_certificate_policies, "1.3.6.1");
>> (based on function mkreq() in file openssl/demos/x509/mkreq.c)
>>
>>   Thanks

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
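The CA-side check described at the top of this message (comparing the policy OID inside the signed CSR with the certificate type named on the unsigned order form), as an added example that is not from the thread or from OpenSSL's demos; it assumes the openssl CLI from OpenSSL 1.1.1 or later, whose -addext option places extensions in a CSR, and the two policy OIDs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Requester side puts the policy OID into
# the CSR body with `openssl req -addext` (OpenSSL >= 1.1.1); CA side verifies
# the proof-of-possession signature and checks that the policy inside the
# signed CSR matches the product the unsigned order form asks for.
# Both OIDs are constructed placeholders, not any real CA's policy OIDs.
set -eu

POLICY_REGULAR="1.3.6.1.4.1.99999.1.1"   # constructed: "regular SSL" policy
POLICY_EV="1.3.6.1.4.1.99999.1.2"        # constructed: "EV" policy

# Requester: fresh EC key plus a CSR whose signed body carries $2 as its policy.
make_csr() {  # $1 = CSR output path, $2 = policy OID
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1" -subj "/CN=example.test" \
        -addext "certificatePolicies=$2" 2>/dev/null
}

# CA: print the policy OIDs found in the CSR's certificatePolicies extension,
# one per line (empty if the extension is absent).
csr_policies() {  # $1 = CSR path
    openssl req -in "$1" -noout -text | awk '
        /X509v3 Certificate Policies/ { grab = 1; next }
        grab && $1 == "Policy:"       { print $2; next }
        grab                          { grab = 0 }'
}

# CA: succeed only if the self-signature verifies (so the body was not altered
# after the key holder signed it) and the signed policy is exactly the one the
# order form names. A mismatch means the exterior request and the CSR disagree.
csr_policy_matches() {  # $1 = CSR path, $2 = OID from the order form
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    [ "$(csr_policies "$1")" = "$2" ]
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_csr "$WORK/regular.csr" "$POLICY_REGULAR"

if csr_policy_matches "$WORK/regular.csr" "$POLICY_REGULAR"; then
    echo "order form says regular, signed CSR says regular: issue"
fi
if ! csr_policy_matches "$WORK/regular.csr" "$POLICY_EV"; then
    echo "order form says EV, signed CSR says regular: reject"
fi
```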