
List:       ms-cryptoapi
Subject:    Re: IE3.02 and X.509v3 Certificate Authorities (Doesn't Work)
From:       "Lusk, Steve" <Steve.Lusk () GSC ! GTE ! COM>
Date:       1997-05-09 12:49:07


Could MS clarify how they will be supporting extensions?  Here is a note
I posted on SSL-Talk, and only Netscape responded. Any info from MS
would be appreciated.

Thanks
Steve

--------------------------------------------------------------------------------------------

Is there any info on how certificate enabled products will use the
extensions defined in PKIX? For example,

        Authority Key Identifier - Will the products display the Key
        Identifier or the Issuer DN and serial # field to the user to see,
        or will any other checks occur?

        Key Usage - will they check that the extension is marked critical,
        and expect it to be set to keyCertSign for CAs, or are no checks
        performed?

        Basic Constraints - will they check that CA certificates are set
        to CA, and server/client certificates are set to end entity? And
        will they check path length constraints?

And the other extensions as well. As detailed as PKIX is, how the end
products use the extensions may influence what extensions are used
and how they are populated.

Any info you might have would be appreciated.

Thanks,
Steve



> ----------
> From:         Ian Clysdale[SMTP:iclysdal@calum.csclub.uwaterloo.ca]
> Sent:         Friday, April 18, 1997 7:41 AM
> To:   cryptoapi@listserv.msn.com
> Cc:   ssl-talk@netscape.com
> Subject:      IE3.02 and X.509v3 Certificate Authorities (Doesn't Work)
>
>
> Hi there.
>
> I've been playing around with IE 3.02 and CAs other than the root CAs
> that are distributed as part of the default installation, and came
> across two things that were, to say the least, very strange.
>
> First:
>
> Microsoft seems to have disabled support for v3 Certificate Authorities
> in IE 3.02.  Initially, I tried importing a self-generated CA
> certificate into 3.02.  I then tried to connect to a site with a server
> certificate signed by that CA, and promptly got the message that "The
> server you are trying to connect to is signed by an unknown Certificate
> Authority."
>
> So, I started trying to figure out what was happening, since the same
> CA certificate and server combination had worked perfectly under IE
> 3.01.  I then tried the VeriSign Test Server CA certificate, and a
> server that I had certified by the VeriSign Test Server.  Sure enough,
> I couldn't connect to that server either.  I then went to XCert,
> downloaded their demonstration CA cert, and tried to connect to their
> demonstration SSL site.  No luck.  In all cases I got the message that
> "The server you are trying to connect to is signed by an unknown
> Certificate Authority," even though in all cases I could see the
> relevant CA certificate in the "Sites" dialog box.
>
> While I'm not certain, my guess is that IE 3.02 is not capable of
> handling X.509v3 CA certificates, because that is the only common
> thread that I could find.  I took a look at all of the certificates
> that were distributed with IE 3.02, and they were ALL X.509v1.  My CA
> certificate which did not work was X.509v3, and the VeriSign Test
> Server CA certificate was also X.509v3.  (I didn't get a chance to look
> at XCert's yet.)
>
> Second Strange Thing:
>
> While I was trying to figure out exactly what was happening, for a
> while I entertained the notion that only some "hardcoded" certificates
> would work with IE 3.02, and that imported CA certificates were
> completely ignored.  I now think that that is slightly less likely, but
> came across something that was very bizarre.
>
> To see if the certificates in the registry were used at all, I deleted
> all of them, and then tried to connect to VeriSign's DigitalID site.
> Not only did IE 3.02 connect over SSL (without giving ANY warnings),
> but it RECREATED all of the certificates that are shipped by default
> with IE 3.02.
>
> This means that it is impossible to delete any of those CA
> certificates.  And while it is possible to mark them as untrusted,
> nonetheless it is a large security hole if people think they have
> deleted a CA and it is transparently regenerated without even giving a
> message.
>
>
>
>
> Has anyone else noticed this kind of behaviour?  Is this a known
> problem with IE 3.02 that I just haven't heard anything about?  The
> sudden disappearance of the capacity for X.509v3 certificates between
> IE 3.01 and 3.02 is very puzzling...
>
> Thanks for listening...
>                                               ian
>
>
>
>
>

----------------------------------------------------------------
Users Guide http://www.microsoft.com/sitebuilder/resource/mailfaq.asp
contains important info including how to unsubscribe.  Save time, search
the archives at http://microsoft.ease.lsoft.com/archives/index.html
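The three extension checks asked about above (Key Usage critical and keyCertSign on CAs, Basic Constraints cA on CAs and end entity on server certificates with pathLenConstraint honoured, Authority Key Identifier matched against the issuer) written out as a relying-party validator. This is an added example, not code from this thread, from Microsoft's CryptoAPI or from Netscape; it uses only Go's standard crypto/x509 package and goes slightly beyond the question by walking a whole chain rather than inspecting one certificate. The CA names, serial numbers, hostnames and the chain layout in BuildDemoChains are constructed test data, and the example relies on Go's documented behaviour of copying the parent's subjectKeyIdentifier into each child's authorityKeyIdentifier.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Extension OIDs from RFC 5280 that the checks below inspect for presence and criticality.
var oidKeyUsage, oidBasicConstraints = asn1.ObjectIdentifier{2, 5, 29, 15}, asn1.ObjectIdentifier{2, 5, 29, 19}

// extFlags reports whether cert carries the extension oid and whether it is marked critical.
func extFlags(cert *x509.Certificate, oid asn1.ObjectIdentifier) (present, critical bool) {
	for _, e := range cert.Extensions {
		if e.Id.Equal(oid) {
			return true, e.Critical
		}
	}
	return false, false
}

// CheckCA lists PKIX problems with a certificate relied on as a CA: basicConstraints must be
// present, critical and cA=TRUE; keyUsage must be present, critical and include keyCertSign.
func CheckCA(cert *x509.Certificate) []string {
	var p []string
	if present, critical := extFlags(cert, oidBasicConstraints); !present || !cert.IsCA {
		p = append(p, "basicConstraints missing or cA=FALSE")
	} else if !critical {
		p = append(p, "basicConstraints not critical")
	}
	if present, critical := extFlags(cert, oidKeyUsage); !present || cert.KeyUsage&x509.KeyUsageCertSign == 0 {
		p = append(p, "keyUsage missing or lacks keyCertSign")
	} else if !critical {
		p = append(p, "keyUsage not critical")
	}
	return p
}

// CheckChain walks a chain ordered leaf first, root last: the leaf must not claim CA capability,
// every issuer must pass CheckCA, each authorityKeyIdentifier must match the issuer's
// subjectKeyIdentifier, no pathLenConstraint may be exceeded and every signature must verify.
func CheckChain(chain []*x509.Certificate) []string {
	var p []string
	if leaf := chain[0]; leaf.IsCA || leaf.KeyUsage&x509.KeyUsageCertSign != 0 {
		p = append(p, leaf.Subject.CommonName+": end entity asserts CA capability")
	}
	for i := 1; i < len(chain); i++ {
		issuer, child := chain[i], chain[i-1]
		for _, msg := range CheckCA(issuer) {
			p = append(p, issuer.Subject.CommonName+": "+msg)
		}
		if len(child.AuthorityKeyId) == 0 || string(child.AuthorityKeyId) != string(issuer.SubjectKeyId) {
			p = append(p, child.Subject.CommonName+": authorityKeyIdentifier missing or not matching issuer's subjectKeyIdentifier")
		}
		// pathLenConstraint caps the CA certificates that may follow this issuer; i-1 do here.
		// Go reports an absent constraint as MaxPathLen -1 (or 0 with MaxPathLenZero false).
		if limit := issuer.MaxPathLen; (limit > 0 || issuer.MaxPathLenZero) && i-1 > limit {
			p = append(p, fmt.Sprintf("%s: pathLenConstraint %d exceeded", issuer.Subject.CommonName, limit))
		}
		// CheckSignatureFrom also refuses an issuer whose own extensions do not permit signing.
		if err := child.CheckSignatureFrom(issuer); err != nil {
			p = append(p, child.Subject.CommonName+": "+err.Error())
		}
	}
	return p
}

// mkCert issues a certificate from tmpl (self-signed when parent is nil); constructed test data only.
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	spki, _ := x509.MarshalPKIXPublicKey(&key.PublicKey)
	ski := sha1.Sum(spki) // RFC 5280 4.2.1.2 method (1); Go copies it into each child's AKI
	tmpl.SubjectKeyId = ski[:]
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildDemoChains returns two constructed chains: a well-formed one (root, intermediate with
// pathLenConstraint 0, server leaf) and a rogue one where the server leaf has issued a further
// certificate, violating its own extensions and the intermediate's path length.
func BuildDemoChains() (good, rogue []*x509.Certificate) {
	root, rootKey := mkCert(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}, nil, nil)
	inter, interKey := mkCert(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Demo Intermediate CA"},
		IsCA: true, BasicConstraintsValid: true, MaxPathLenZero: true, KeyUsage: x509.KeyUsageCertSign}, root, rootKey)
	leaf, leafKey := mkCert(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "www.example.test"},
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}, inter, interKey)
	sub, _ := mkCert(&x509.Certificate{SerialNumber: big.NewInt(4), Subject: pkix.Name{CommonName: "issued-by-server.example.test"},
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}, leaf, leafKey)
	return []*x509.Certificate{leaf, inter, root}, []*x509.Certificate{sub, leaf, inter, root}
}
```

Running CheckChain over the well-formed chain returns no findings; over the rogue chain it reports that the server certificate carries cA=FALSE and lacks keyCertSign, that its signature over the extra certificate is therefore rejected, and that the intermediate's pathLenConstraint of 0 has been exceeded. A product that only displays the Authority Key Identifier to the user, without performing the comparisons and constraint checks above, would accept that rogue chain as long as the signature mathematics worked out.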

