RE: What makes a certificate invalid?
From: Shanishchara, Kunal
Subject: RE: What makes a certificate invalid?
Date: Fri, 11 Dec 2009 11:54:10 -0500
Hi Daniel,
Thank you for the detailed answers (previous email) and pointing to the
link. These are very helpful.
I must admit though that I am still unable to comprehend the right
behavior for the particular scenario that I have in mind.
I am going to describe it to the best of my ability. Please find the
description below.
Problem Description:
I have generated my own root certificate, let's say xyz.cer. I use this
root certificate to generate certificates for 2 different FQDNs, let's
say abc.com and def.org.
Now, I am trying to induce an authentication failure by doing the
following.
1. The server sends the certificate generated for def.org and the client
sends a certificate for abc.com. Both these certificates were generated
using same X.509 certificate xyz.cer.
2. The server expects the client to fail the TLS authentication during
server hello, client hello messaging.
3. Based on the authentication failure, the client will fall back to def.org
(as per the higher layer specification) and the successive attempt will
go through.
Questions:
Is the server correct in expecting an authentication failure in Step 2?
If not, apart from providing an invalid certificate with some obvious cause
(expired cert, etc.), is there another way to implement the
functionality on the server?
Thanks in advance.
Thanks and regards,
Kunal.
-----Original Message-----
From: Daniel Kahn Gillmor [mailto:address@hidden]
Sent: Friday, December 11, 2009 11:23 AM
To: address@hidden
Cc: Shanishchara, Kunal
Subject: Re: What makes a certificate invalid?
On 12/10/2009 07:49 PM, Daniel Kahn Gillmor wrote:
> I'm sure someone else can come up with possible ways i've missed that
> a certificate could be invalid ;)
i thought of another way this morning:
10) if the certificate contains an X.509v3 extension that is marked
"critical" that it does not know how to process, it MUST reject the
certificate:
http://tools.ietf.org/html/rfc5280#section-4.2.1.10
hth,
--dkg
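The scenario in the post, rebuilt with openssl(1) so that the verifier's behaviour can be observed directly. This is an added example, not code from the thread or from any library it discusses: it creates a throwaway root ("xyz.cer", with an assumed CN of "xyz test root"), issues leaf certificates for abc.com and def.org from it, and then asks openssl which certificates it rejects and for what reason. It also covers dkg's item 10 by issuing a third leaf carrying a critical extension under OID 1.2.3.4, which is a placeholder for an unknown extension and not a registered one. It assumes openssl 1.1.1 or newer on PATH; the file names and the CN are assumptions.

```shell
#!/bin/sh
# Added example (not from the list thread): rebuild the scenario from the post with
# openssl(1), a private root "xyz.cer" that issues leaves for abc.com and def.org,
# and ask openssl which of them it actually rejects, and why.
# Assumes openssl >= 1.1.1 on PATH. OID 1.2.3.4 below is a placeholder for an
# extension no verifier knows, not a registered extension.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# req(1) insists on a distinguished_name section even when -subj supplies the name;
# [v3_ca] gives the root a critical basicConstraints, as a real root would have.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# The self-signed root, "xyz.cer" in the post (CN is an assumption).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout xyz.key -out xyz.cer \
    -subj '/CN=xyz test root' -config req.cnf -extensions v3_ca 2>/dev/null

# issue_leaf NAME DNSNAME [EXTRA-EXTENSION-LINE]
# Writes NAME.cer, signed by xyz.cer, with a subjectAltName of DNSNAME.
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" -config req.cnf 2>/dev/null
    printf '[leaf]\nbasicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n%s\n' \
        "$2" "${3:-}" > "$1.ext"
    openssl x509 -req -in "$1.csr" -CA xyz.cer -CAkey xyz.key -CAcreateserial \
        -days 30 -out "$1.cer" -extfile "$1.ext" -extensions leaf 2>/dev/null
}

# chain_result CERT: "accepted" if openssl can build a valid chain from CERT to
# xyz.cer (signature, validity period, basicConstraints, critical extensions ...),
# "rejected" otherwise. No host name is checked here.
chain_result() {
    if openssl verify -CAfile xyz.cer "$1" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# host_result CERT HOSTNAME: the same chain check plus name matching against
# HOSTNAME, which is what a TLS client adds when it checks a server certificate.
host_result() {
    if openssl verify -CAfile xyz.cer -verify_hostname "$2" "$1" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# reject_reason CERT: the first "error ..." line openssl prints for CERT, if any.
reject_reason() {
    openssl verify -CAfile xyz.cer "$1" 2>&1 | grep '^error' | head -n 1 || true
}

issue_leaf abc abc.com
issue_leaf def def.org
# def.org again, with a critical extension nobody understands (dkg's item 10).
issue_leaf weird def.org '1.2.3.4 = critical,DER:05:00'

# The post's step 1: the client was told to talk to abc.com but is handed def.org's
# certificate. Both leaves chain to xyz.cer, so only a name check tells them apart.
echo "abc.cer   chain to xyz.cer:       $(chain_result abc.cer)"           # accepted
echo "def.cer   chain to xyz.cer:       $(chain_result def.cer)"           # accepted
echo "def.cer   presented as abc.com:   $(host_result def.cer abc.com)"    # rejected
echo "def.cer   presented as def.org:   $(host_result def.cer def.org)"    # accepted
# A certificate with an unrecognised critical extension fails the chain check itself:
echo "weird.cer chain to xyz.cer:       $(chain_result weird.cer)"         # rejected
echo "weird.cer reason: $(reject_reason weird.cer)"
```

The split between chain_result and host_result is the point: a certificate issued for the wrong FQDN by a trusted root is a perfectly valid certificate as far as chain building is concerned, and only a name check against the host the client intended to reach rejects it. The unknown critical extension, by contrast, is rejected during chain validation itself, without any name being involved.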