[Help-gnutls] Re: Key usage violation in certificate

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Jun 5 17:51:55 CEST 2009


On 06/05/2009 07:42 AM, Simon Josefsson wrote:
> The same concerns apply to https/ldaps: if the KeySign key usage isn't
> permitted, you can't use DHE ciphersuites.  That seems sub-optimal, but
> could be intentional for some strange reason.

if eDirectory is just ldaps then i totally agree with you -- i'm afraid
i didn't bother to learn more about eDirectory or YaST or whatever, as
i'm not generally a novell or suse user.

it's also weird that they do not set the critical flag on their keyUsage
extension (CA=FALSE), contravening a SHOULD in the RFC.  it's not
completely outrageous, but it seems like they'd want to have a good
justification for deviating from the SHOULD, particularly because of the
semantics of that extension (you really don't want any software to
mistakenly treat an EE cert as a CA cert).

anyway, i don't know much detail about SuSE bug reporting mechanisms --
i'm hoping that https://bugzilla.novell.com/show_bug.cgi?id=508844 will
be enough to get someone to poke the YaST devs about it, and maybe they
can follow up here if they have more questions about their use of X.509.

Regards,

	--dkg
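The two points dkg raises above (a keyUsage extension that is not marked critical, and the keyUsage bits that a TLS server needs for DHE ciphersuites, where it signs the ServerKeyExchange and therefore needs digitalSignature) can be checked mechanically on any parsed certificate. The following Go program is an added example written for this archive page; it is not code from the thread, from GnuTLS, or from Novell. It builds its own self-signed end-entity certificate (the subject name ldap.example.test is a constructed placeholder, not the eDirectory certificate discussed above), once with Go's default critical keyUsage and once with a hand-encoded non-critical keyUsage mirroring what the thread describes, then parses the DER back and audits the raw extension list against RFC 5280 section 4.2.1.3 (keyUsage SHOULD be critical) and the presence of basicConstraints with CA=FALSE.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Extension OIDs from RFC 5280 for the two extensions discussed in the thread.
var (
	oidKeyUsage         = asn1.ObjectIdentifier{2, 5, 29, 15}
	oidBasicConstraints = asn1.ObjectIdentifier{2, 5, 29, 19}
)

// auditExtensions walks the raw extension list of a parsed certificate and
// returns one finding per problem:
//   - keyUsage present but not critical (RFC 5280 4.2.1.3 says it SHOULD be)
//   - keyUsage without digitalSignature, which a TLS server needs for DHE/ECDHE
//     ciphersuites because it signs the ServerKeyExchange message
//   - basicConstraints missing (no explicit CA=FALSE) or asserting CA=TRUE
func auditExtensions(cert *x509.Certificate) []string {
	var findings []string
	sawKU, sawBC := false, false
	for _, ext := range cert.Extensions {
		switch {
		case ext.Id.Equal(oidKeyUsage):
			sawKU = true
			if !ext.Critical {
				findings = append(findings, "keyUsage present but not critical")
			}
		case ext.Id.Equal(oidBasicConstraints):
			sawBC = true
		}
	}
	if !sawKU {
		findings = append(findings, "no keyUsage extension")
	} else if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		findings = append(findings, "keyUsage lacks digitalSignature (DHE/ECDHE signing will fail)")
	}
	if !sawBC {
		findings = append(findings, "no basicConstraints extension")
	}
	if cert.IsCA {
		findings = append(findings, "basicConstraints asserts CA=TRUE on an end-entity certificate")
	}
	return findings
}

// makeCert builds a self-signed end-entity certificate (a constructed sample,
// not the certificate from the thread) and parses it back so the audit runs on
// real DER. With criticalKU=false the keyUsage extension carries the same bits
// (digitalSignature, keyEncipherment) but, as in the thread, no critical flag.
func makeCert(criticalKU bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "ldap.example.test"}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		BasicConstraintsValid: true, // emits basicConstraints with CA=FALSE
		IsCA:                  false,
	}
	if !criticalKU {
		// BIT STRING 0xA0 with 3 significant bits: bit 0 digitalSignature and
		// bit 2 keyEncipherment set. Supplying it via ExtraExtensions replaces
		// Go's own (critical) encoding of the KeyUsage field.
		raw, err := asn1.Marshal(asn1.BitString{Bytes: []byte{0xa0}, BitLength: 3})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidKeyUsage, Critical: false, Value: raw}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, critical := range []bool{false, true} {
		cert, err := makeCert(critical)
		if err != nil {
			panic(err)
		}
		fmt.Printf("keyUsage critical=%v -> findings: %v\n", critical, auditExtensions(cert))
	}
}
```

To audit a deployed certificate instead of the constructed one, replace makeCert with x509.ParseCertificate over the DER (or the PEM block's Bytes) fetched from the server; auditExtensions only looks at the parsed extension list, so it is unchanged. Note that Go marks both keyUsage and basicConstraints critical by default, which is why the hand-encoded extension is needed to reproduce the non-critical case.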
