>I explained the rollover certificate process outlined in RFC 4210 by signing
>the old public key with the new private key and the new public key with the
>old private key.
Uhh, that stuff was a gedanken experiment dreamed up by some folks in PKIX,
alongside things like PKIX path-kludge certificates, not something you're
supposed to rely on in real life. I'd be really surprised if any generic
implementation actually handled those things the way PKIX imagined they would.
I certainly wouldn't risk deploying one of those things on the assumption that
it'll be handled properly. The path-kludge in particular looks like something
that was designed to make PKIs break.
Peter.
>However, that does not mean our PKIX (RFC-5280) conforming implementation
>will cause errors or bugs to current implementations of browsers.
Given all the bizarre stuff that ended up in the PKIX spec, it would be quite
easy to create a fully PKIX-compliant cert that had all manner of strange and
unexpected interactions with browsers (see my previous message for examples).
The skill required for deploying certs is to know (or at least have a general
idea of) what will happen to them in the wild, not to assume that whatever
peculiar thing the PKIX spec says is actually implemented by anyone.
>Actually, in RFC 5280 as well as the original X.509 standard, the recommended
>official way to distinguish the different generations of CA certificates is by
>using the chaining of the Issuer Key Identifier extension and Subject Key
>Identifier extension (as you mentioned) in certification path processing.
OK, that's one of the less crazy things in the spec, but it still doesn't
guarantee that much, if anything even does it that way. In practice, you chain by
DN, not by key ID.
Peter.
>Actually, we have tested the capabilities of many browsers in the wild and
>found they can live peacefully with our PKIX-compliant root certs.
Ah, OK. That's the right way to do it.
>They are not so weak as you might think.
I bet I can create PKIX-compliant certs (specifically, cert chains) that would
break any browser :-). But yeah, if you go and test each browser you can
create lowest-common-denominator certs that should work in general.
Peter.
>Indeed, and as per your comment here:
>https://bugzilla.mozilla.org/show_bug.cgi?id=1056341#c24
So just to satisfy my curiosity, it's been known ever since top-down
construction was first advocated by PKI loon^H^H^Htheoreticians:
https://www.youtube.com/watch?v=CoOrmK4OueY
that you work bottom-up, not top-down. If that's not obvious just from about
a beer's worth of analysis then it should have been when one of said PKI
theoreticians described trying to implement it at a conference and pointed out
that his implementation ran for three days without terminating, after which he
tried the same thing again.
Did no-one see that this was going to happen? Why would anyone try and do it
this way? Rather baffled minds want to know...
Peter.
>Did no-one see that this was going to happen? Why would anyone try and do it
>this way? Rather baffled minds want to know...
Is no-one at Mozilla able to explain why they did this? It's a nontrivial
piece of code to implement, surely someone must know what the thinking was
behind doing it this way?
Peter.
>Peter: you are going to have to re-summarise your question. And then, if you
>are asking why Mozilla code works in a certain way, mozilla.dev.security or
>mozilla.dev.tech.crypto are almost certainly far better venues.
Sure, no problem. I was just replying to a post by Kathleen on this list, and
it seemed like a policy issue so I figured it was the right forum. I'll CC it
to dev.security as well...
The original post was about the fact that Mozilla runs into lots of problems
with top-down path construction:
>Indeed, and as per your comment here:
>https://bugzilla.mozilla.org/show_bug.cgi?id=1056341#c24
I asked:
So just to satisfy my curiosity, it's been known ever since top-down
construction was first advocated by PKI loon^H^H^Htheoreticians:
https://www.youtube.com/watch?v=CoOrmK4OueY
that you work bottom-up, not top-down. If that's not obvious just from about
a beer's worth of analysis then it should have been when one of said PKI
theoreticians described trying to implement it at a conference and pointed out
that his implementation ran for three days without terminating, after which he
tried the same thing again.
Did no-one see that this was going to happen? Why would anyone try and do it
this way? Rather baffled minds want to know...
Peter.
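An added example (my own, not code from the thread, from Mozilla, or from any PKIX implementation) of the bottom-up construction discussed above, run over constructed cert records: it chains by issuer DN, uses AKI/SKI to choose between same-named CA generations (including the RFC 4210 rollover link certs from the first quote), and refuses to revisit a cert so the link-cert loop can never make the search run for three days.

```python
from collections import namedtuple

# Constructed record standing in for the few X.509 fields path building needs.
Cert = namedtuple("Cert", "name subject issuer ski aki")

# Constructed store: a root rolled over from key k1 to key k2 (same DN), the
# two RFC 4210 rollover link certs, one subordinate CA, and a leaf.
STORE = [
    Cert("root-old",   "CN=Root CA", "CN=Root CA", "k1", "k1"),  # self-signed
    Cert("root-new",   "CN=Root CA", "CN=Root CA", "k2", "k2"),  # self-signed
    Cert("old-by-new", "CN=Root CA", "CN=Root CA", "k1", "k2"),  # link cert
    Cert("new-by-old", "CN=Root CA", "CN=Root CA", "k2", "k1"),  # link cert
    Cert("sub-a", "CN=Sub A", "CN=Root CA", "ka", "k2"),
    Cert("leaf",  "CN=www.example.test", "CN=Sub A", "kl", "ka"),
]


def is_self_signed(c):
    return c.subject == c.issuer and c.ski == c.aki


def issuer_candidates(cert, store):
    """Certs whose subject DN matches cert's issuer DN. When the DN alone is
    ambiguous (several CA generations), AKI == SKI selects the right one;
    a cert carrying no AKI falls back to DN matching only."""
    by_dn = [c for c in store if c.subject == cert.issuer and c is not cert]
    if cert.aki is None:
        return by_dn
    return [c for c in by_dn if c.ski == cert.aki]


def build_path(cert, store, trusted, visited=()):
    """Bottom-up depth-first search from a cert to a trusted anchor.
    Returns the list of names cert..anchor, or None if no path exists.
    Self-signed certs are usable only as anchors, and a cert already on the
    current path is never revisited, so the link-cert loop terminates."""
    if cert.name in trusted:
        return [cert.name]
    if is_self_signed(cert) or cert.name in visited:
        return None
    for cand in issuer_candidates(cert, store):
        tail = build_path(cand, store, trusted, visited + (cert.name,))
        if tail:
            return [cert.name] + tail
    return None


if __name__ == "__main__":
    leaf = next(c for c in STORE if c.name == "leaf")
    print(build_path(leaf, STORE, {"root-new"}))  # ['leaf', 'sub-a', 'root-new']
    print(build_path(leaf, STORE, {"root-old"}))  # reaches old root via link cert
    print(build_path(leaf, STORE, set()))         # None, and the search terminates
```

Trusting only the old root exercises the rollover link cert `new-by-old`; trusting nothing shows the `old-by-new`/`new-by-old` cycle being cut off by the visited check.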