[PKI] Does www.microsoft.com violate RFC5280?
Hi all,
can anyone explain what exactly the purpose of the id-ad-caIssuers field in the
AIA extension is? RFC 5280 says the following:
In a public key certificate, the id-ad-caIssuers OID is used when the
additional information lists certificates that were issued to the CA
that issued the certificate containing this extension. The
referenced CA issuers description is intended to aid certificate
users in the selection of a certification path that terminates at a
point trusted by the certificate user.
So, id-ad-caIssuers should contain a CA cert that is at least two levels above the certificate that contains the AIA extension.
Let's follow an example. Going to https://www.microsoft.com we can see the following server certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
6c:a3:b5:d3:00:08:00:02:61:57
Signature Algorithm: sha1WithRSAEncryption
Issuer: DC=com, DC=microsoft, DC=corp, DC=redmond, CN=Microsoft Secure Server Authority
Validity
Not Before: Jan 25 23:21:33 2012 GMT
Not After : Jan 24 23:21:33 2013 GMT
Subject: C=US, ST=WA, L=Redmond, O=MSCOM, OU=MS, CN=www.microsoft.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:aa:97:c0:6f:93:78:02:15:a8:54:c6:d1:e7:fc:
f0:5f:42:26:0f:16:81:b2:5f:e2:b7:0b:f4:7e:3c:
22:27:67:73:2a:2a:f8:41:ff:32:28:2f:30:1a:ea:
94:50:96:52:e6:89:00:43:5d:22:7f:d3:21:89:94:
9a:12:6b:cd:1e:ae:53:6c:74:3c:6f:37:f6:c5:15:
22:b7:97:0e:2d:c0:99:36:31:3d:65:e0:2b:1f:d2:
32:bc:ef:d8:26:e7:82:31:64:45:85:58:19:67:e3:
ea:14:dc:5b:25:ed:b1:ff:58:7a:17:14:64:d2:35:
9b:01:2d:5d:0a:c7:7c:3a:bd
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
S/MIME Capabilities:
......0...`.H.e...*0...`.H.e...-0...`.H.e....0...`.H.e....0...+....0
..*.H..
X509v3 Subject Key Identifier:
B3:ED:AE:A7:6C:7B:2A:6A:1A:54:EC:B6:E9:A1:18:FD:C1:E9:22:A4
X509v3 Authority Key Identifier:
keyid:08:42:E3:DB:4E:11:66:F3:B5:08:C5:40:DB:55:7C:33:46:11:83:38
X509v3 CRL Distribution Points:
URI:http://mscrl.microsoft.com/pki/mscorp/crl/Microsoft%20Secure%20Server%20Authority(8).crl
URI:http://crl.microsoft.com/pki/mscorp/crl/Microsoft%20Secure%20Server%20Authority(8).crl
URI:http://corppki/crl/Microsoft%20Secure%20Server%20Authority(8).crl
Authority Information Access:
CA Issuers - URI:http://www.microsoft.com/pki/mscorp/Microsoft%20Secure%20Server%20Authority(8).crt
CA Issuers - URI:http://corppki/aia/Microsoft%20Secure%20Server%20Authority(8).crt
1.3.6.1.4.1.311.21.7:
0-.%+.....7.....M..........}...t.O..^...&..d...
1.3.6.1.4.1.311.21.10:
0.0
..+.......0
..+.......
Signature Algorithm: sha1WithRSAEncryption
0b:d9:7a:c3:33:1f:87:bf:7f:c2:26:14:24:07:80:56:07:ce:
39:b2:b1:64:46:39:af:95:54:bd:d0:56:bb:1f:a2:a4:23:b9:
21:1e:3b:9d:59:da:1a:34:97:e1:97:35:96:40:49:bf:f9:fb:
98:de:0d:af:b9:60:20:8c:d4:d3:7d:12:76:d7:9c:e8:cd:59:
c8:7d:65:9f:b2:7c:77:01:36:fd:0e:00:9f:2b:45:fe:c9:31:
2b:0a:14:89:b8:15:4f:ce:14:55:6c:e3:b6:4b:de:16:ed:1b:
61:bf:75:1d:d7:90:a2:ba:80:fe:7f:0b:bb:42:7a:0c:5b:0c:
a6:13:a7:74:25:fa:13:42:af:21:ad:2f:76:64:73:e4:37:34:
03:4c:45:74:b2:04:ea:8e:41:90:20:1f:23:16:fc:9c:73:ad:
c7:ea:07:75:e1:df:72:c7:a3:d1:ab:96:ca:6f:69:df:30:53:
c0:17:ab:d5:9d:87:03:44:c1:3f:95:9c:94:66:42:51:26:9c:
aa:c0:2b:8d:70:73:ef:54:eb:26:aa:db:2e:5c:29:d8:95:7c:
18:c6:8a:2f:dc:93:f4:34:30:c8:11:be:f7:51:e9:86:da:0e:
99:bc:70:c3:98:c8:90:cb:5b:d6:53:81:4e:f3:d1:cf:f7:53:
28:a3:aa:84
Now, let's look at the CA Issuers - URI:http://www.microsoft.com/pki/mscorp/Microsoft%20Secure%20Server%20Authority(8).crt field. It contains a URI to the Microsoft Secure Server Authority CA certificate, which is the issuer
of the www.microsoft.com server certificate. It seems that this is a violation of RFC 5280. Am I right?
Waiting for your feedback.
jinx
April 27th, 2012 1:51pm
Is there any PKI expert here? :)
jinx
April 30th, 2012 2:24am
> So, id-ad-caIssuers should contain CA cert that is at least two levels above the certificate that contains the AIA extension
This is a wrong assumption. The AIA extension contains a URL to a particular certificate's issuer (one level up). And, obviously, there is no violation.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
May 1st, 2012 5:36am
Thanks for the reply. It seems that there is a small inaccuracy in the RFC document.
-------------------
jinx
May 2nd, 2012 2:21am
I don't think so. The RFC states very clearly:
> the id-ad-caIssuers OID is used when the additional information lists certificates
> that were issued to the CA that issued the certificate containing this extension.
The leaf certificate contains the AIA extension. Therefore the AIA extension contains URLs to an issuer certificate. I don't see any inaccuracy.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
May 2nd, 2012 3:23am
Vadims Podans, thanks a lot for the clarification. In the previous RFC document concerning PKI infrastructure [RFC 3280] there is the following note:
The id-ad-caIssuers OID is used when the additional information lists
CAs that have issued certificates superior to the CA that issued the
certificate containing this extension.
And that makes me confused.
-----------------
jinx
May 2nd, 2012 4:16am
This sentence means the same. The leaf certificate contains the AIA extension and URLs to a certificate issued to the superior CA (actually the presented certificate's issuer). Look at the exhibit:
This is how AIA links are generated. Say this is a 2-tier PKI and the bottom cert is the leaf (say, an SSL cert). As per the RFC, AIA refers to a certificate issued to a superior CA. In the exhibit, this is the middle certificate, and this certificate is issued by the root to
a subordinate. Removing the leaf certificate, the middle certificate refers to a certificate issued to a superior CA. Since the root CA is self-signed, it is issued to itself. Then the middle CA certificate's AIA extension contains the URL to the self-signed root certificate. And
both RFC 3280 and RFC 5280 are correct.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
May 2nd, 2012 5:53am
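The chaining described in the thread (each certificate's id-ad-caIssuers pointing exactly one level up, until the self-signed root), as an added example that is not part of the thread or of Microsoft's PKI: it builds a constructed three-tier chain with the Python `cryptography` library, then follows the caIssuers links upward and checks at every hop that the fetched certificate really is the direct issuer (issuer name, AKI/SKI and signature). The CA names, URIs and the in-memory AIA_STORE that stands in for an HTTP fetch are assumptions.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID, AuthorityInformationAccessOID as AIAOID

def make_cert(cn, key, issuer_cert, issuer_key, is_ca, aia_uri=None):
    """Issue a certificate for `key` (constructed PKI); issuer_cert=None means a self-signed root."""
    now = dt.datetime(2012, 1, 25, tzinfo=dt.timezone.utc)  # constructed validity window
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer, signer = (issuer_cert.subject, issuer_key) if issuer_cert else (subject, key)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer).public_key(key.public_key())
         .serial_number(x509.random_serial_number()).not_valid_before(now).not_valid_after(now + dt.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
         .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
         .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(signer.public_key()), critical=False))
    if aia_uri:  # id-ad-caIssuers: where to fetch the certificate of THIS cert's issuer, i.e. one level up
        b = b.add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(
            AIAOID.CA_ISSUERS, x509.UniformResourceIdentifier(aia_uri))]), critical=False)
    return b.sign(signer, hashes.SHA256())

def ca_issuers_uris(cert):  # the id-ad-caIssuers URIs of the AIA extension (raises ExtensionNotFound if absent)
    aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    return [d.access_location.value for d in aia if d.access_method == AIAOID.CA_ISSUERS]

def is_direct_issuer(cert, candidate):
    """True if `candidate` is the CA certificate that signed `cert`: names and AKI/SKI match, signature verifies."""
    aki = cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
    ski = candidate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
    if cert.issuer != candidate.subject or aki.key_identifier != ski.digest:
        return False
    try:
        candidate.public_key().verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

# Constructed three-tier chain: each non-root certificate's caIssuers points exactly one level up.
root_key, sub_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
root = make_cert("Example Root CA", root_key, None, None, True)
sub = make_cert("Example Secure Server Authority", sub_key, root, root_key, True, "http://pki.example.test/aia/root.crt")
leaf = make_cert("www.example.test", leaf_key, sub, sub_key, False, "http://pki.example.test/aia/sub.crt")
AIA_STORE = {ca_issuers_uris(sub)[0]: root, ca_issuers_uris(leaf)[0]: sub}  # stands in for the HTTP fetches

def build_chain(cert):  # follow caIssuers upward, verifying each hop, until a self-signed certificate is reached
    chain = [cert]
    while cert.issuer != cert.subject:
        fetched = AIA_STORE[ca_issuers_uris(cert)[0]]
        if not is_direct_issuer(cert, fetched):
            raise ValueError("caIssuers target is not the direct issuer of " + cert.subject.rfc4514_string())
        chain.append(fetched)
        cert = fetched
    return [c.subject.rfc4514_string() for c in chain]
```

Dumping `leaf` with `openssl x509 -text` shows the same "CA Issuers - URI:" line as the www.microsoft.com certificate above, pointing at its direct issuer rather than at the root.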