[Help-gnutls] Re: Key usage violation in certificate


From: Daniel Kahn Gillmor
Subject: [Help-gnutls] Re: Key usage violation in certificate
Date: Fri, 05 Jun 2009 11:51:55 -0400
User-agent: Mozilla-Thunderbird 2.0.0.19 (X11/20090103)

On 06/05/2009 07:42 AM, Simon Josefsson wrote:
> The same concern applies to https/ldaps: if the KeySign key usage isn't
> permitted, you can't use DHE ciphersuites.  That seems sub-optimal, but
> could be intentional for some strange reason.

if eDirectory is just ldaps then i totally agree with you -- i'm afraid
i didn't bother to learn more about eDirectory or YaST or whatever, as
i'm not generally a novell or suse user.

it's also weird that they do not set the critical flag on their keyUsage
extension (CA=FALSE), contravening a SHOULD in the RFC.  it's not
completely outrageous, but it seems like they'd want to have a good
justification for deviating from the SHOULD, particularly because of the
semantics of that extension (you really don't want any software to
mistakenly treat an EE cert as a CA cert).

anyway, i don't know much detail about SuSE bug reporting mechanisms --
i'm hoping that https://bugzilla.novell.com/show_bug.cgi?id=508844 will
be enough to get someone to poke the YaST devs about it, and maybe they
can follow up here if they have more questions about their use of X.509.

Regards,

        --dkg
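
The ciphersuite restriction discussed in this message, as an added example that is not part of the original post or of GnuTLS: it decodes the DER BIT STRING of a keyUsage extension and lists the key exchanges an RSA server certificate may then serve under RFC 5246 section 7.4.2. It assumes the usage in question is the digitalSignature bit; the function names and sample byte strings are constructed for illustration.

```python
# Bit names in order, RFC 5280 section 4.2.1.3 (bit 0 is the MSB).
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
)

# Bit an RSA server certificate needs per key exchange (RFC 5246, 7.4.2).
REQUIRED_BIT = {
    "RSA": "keyEncipherment",
    "DHE_RSA": "digitalSignature",
    "ECDHE_RSA": "digitalSignature",
}


def parse_key_usage(der: bytes) -> set:
    """Decode the DER BIT STRING carried in a keyUsage extension value."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    if der[1] & 0x80 or der[1] != len(der) - 2:
        raise ValueError("unexpected length encoding")
    unused, payload = der[2], der[3:]
    if unused > 7 or (not payload and unused):
        raise ValueError("bad unused-bit count")
    if payload and payload[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero in DER")
    usages = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        byte, bit = divmod(i, 8)
        if byte < len(payload) and payload[byte] & (0x80 >> bit):
            usages.add(name)
    return usages


def allowed_key_exchanges(key_usage_der=None) -> list:
    """Key exchanges the certificate may serve; None means no extension."""
    if key_usage_der is None:
        return sorted(REQUIRED_BIT)  # extension absent: no restriction
    usages = parse_key_usage(key_usage_der)
    return sorted(kx for kx, bit in REQUIRED_BIT.items() if bit in usages)


# Constructed sample values, not taken from the certificate in the thread.
ENCIPHER_ONLY = bytes.fromhex("03020520")      # keyEncipherment
SIGN_AND_ENCIPHER = bytes.fromhex("030205a0")  # digitalSignature + keyEncipherment

if __name__ == "__main__":
    print(allowed_key_exchanges(ENCIPHER_ONLY))
    print(allowed_key_exchanges(SIGN_AND_ENCIPHER))
```

A certificate carrying only keyEncipherment is limited to plain RSA key transport, which is why a client that negotiates a DHE suite against it reports a key usage violation.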
