RE: What makes a certificate invalid?

[Shanishchara, Kunal]

Hi Daniel,

Thank you for the detailed answers (previous email) and pointing to the
link. These are very helpful. 

I must admit though that I am still unable to comprehend the right
behavior for the particular scenario that I have in mind.

I am going to describe it to the best of my ability. Please find the
description below.



Problem Description:

I have generated my own root certificate, lets say xyz.cer. I use this
root certificate to generate certificates for 2 different FQDNs, lets
say abc.com and def.org. 

Now, I am trying to induce an authentication failure by doing the
following.

1. The server sends the certificate generated for def.org and the client
sends a certificate for abc.com. Both these certificates were generated
using same X.509  certificate xyz.cer.
2. The server expects the client to fail the TLS authentication during
server hello, client hello messaging.
3. Based on the authentication failure, client will fallback to def.org
(as per the higher layer specification) and the successive attempt will
go through.



Questions:

Is the Server correct in expecting an authentication failure in Step 2?

If no, apart from providing invalid certificate with some obvious cause
(expired cert, etc..) is there another way to implement the
functionality on the server?

Thanks in advance. 

Thanks and regards,
Kunal.



-----Original Message-----
From: Daniel Kahn Gillmor [mailto:address@hidden 
Sent: Friday, December 11, 2009 11:23 AM
To: address@hidden
Cc: Shanishchara, Kunal
Subject: Re: What makes a certificate invalid?

On 12/10/2009 07:49 PM, Daniel Kahn Gillmor wrote:
> I'm sure someone else can come up with possible ways i've missed that 
> a certificate could be invalid ;)

i thought of another way this morning:

10) if the certificate contains an X.509v3 extension that is marked
"critical" that it does not know how to process, it MUST reject the
certificate:

  http://tools.ietf.org/html/rfc5280#section-4.2.1.10

hth,

        --dkg


<DIV><FONT size="1">

E-mail confidentiality.
--------------------------------
This e-mail contains confidential and / or privileged information belonging to 
Spirent Communications plc, its affiliates and / or subsidiaries. If you are 
not the intended recipient, you are hereby notified that any disclosure, 
copying, distribution and / or the taking of any action based upon reliance on 
the contents of this transmission is strictly forbidden. If you have received 
this message in error please notify the sender by return e-mail and delete it 
from your system. If you require assistance, please contact our IT department 
at address@hidden

Spirent Communications plc,
Northwood Park, Gatwick Road, Crawley,
West Sussex, RH10 9XN, United Kingdom.
Tel No. +44 (0) 1293 767676
Fax No. +44 (0) 1293 767677

Registered in England Number 470893
Registered at Northwood Park, Gatwick Road, Crawley, West Sussex, RH10 9XN, 
United Kingdom.

Or if within the US,

Spirent Communications,
26750 Agoura Road, Calabasas, CA, 91302, USA.
Tel No. 1-818-676- 2300 

</FONT></DIV>