Re: Timestamp validation checks critical flag on EKU

2022-01-28 Thread Russ Housley
Christian: No, RFC 5280 does not obsolete RFC 3161. RFC 5280 obsoletes RFCs 3280, 4325, and 4630. Anyway, RFC 5280 and RFC 3161 are consistent. RFC 5280 says that the certificate issuer can make the EKU extension critical or non-critical. RFC 3161 says that for use with the Time-Stamp Protoc

Re: Timestamp validation checks critical flag on EKU

2022-01-28 Thread weber
Dear Russ, thanks for your reply. OK, I got it, but RFC 5280 obsoletes RFC 3161 and says: 4.2.1.12. Extended Key Usage This extension indicates one or more purposes for which the certified public key may be used, in addi

OpenSSL Security Advisory

2022-01-28 Thread Matt Caswell
issues on OpenSSL 1.1.0 has not been analysed. Users of these versions should upgrade to OpenSSL 3.0 or 1.1.1. References == URL for this Security Advisory: https://www.openssl.org/news/secadv/20220128.txt Note: the online version of the advisory may be updated with additional details

Re: Timestamp validation checks critical flag on EKU

2022-01-28 Thread Russ Housley
RFC 3161 says: 2.3. Identification of the TSA The TSA MUST sign each time-stamp message with a key reserved specifically for that purpose. A TSA MAY have distinct private keys, e.g., to accommodate different policies, different algorithms, different private key sizes or to increase t

Timestamp validation checks critical flag on EKU

2022-01-28 Thread weber
Dear OpenSSL users, recently we checked an older timestamp using the OpenSSL Library version 1.1.1i. The check revealed that the timestamp verification failed. Digging into the code we found that if an EKU entry for timestamping is present it is expected to be marked critical (see v3_purp.c: