View Issue Details

ID: 0001893
Project: 10000-006: Mappings
View Status: public
Last Update: 2012-06-12 17:19
Reporter: Hannes Mezger
Assigned To: Randy Armstrong
Priority: high
Severity: feature
Reproducibility: always
Status: closed
Resolution: fixed
Fixed in Version: 1.02
Summary: 0001893: Make X509 'Authority Key Identifier' extension mandatory for application instance certificates
Description

According to RFC 3280, the 'Authority Key Identifier' extension is mandatory for certificates signed by CAs. For self-signed CA- and non-CA-certificates this extension is optional.

This leads to the following problem:

  • Server creates its self-signed cert (A)
  • Cert (A) is copied to client trust cert store
  • Server cert gets invalid (e.g. expires), so a new one (B) is created
  • Cert (B) is copied to client trust cert store

Now the client connects to the server, the server sends its cert to the client and the client PKI provider looks if the cert is trusted. When searching for the issuer cert of the server cert, it compares the Issuer of the server cert with the Subject of the certs in its store.

If now the first cert looked at is (A), the compare returns true (Subject and Issuer of (A) and (B) are the same), and the signature of the server cert is checked. This check fails, as the signature of (B) is made with the key of (B), and the connection attempt will fail.

Adding the 'Authority Key Identifier' (AKID) extension to the certificates would prevent this problem, as PKI providers check this extension if existing when searching for an issuer certificate. The AKID would be different in (A) and (B), as the keys used in the certificates would be different.

This is why the 'Authority Key Identifier' extension should be made mandatory for all application instance certificates.

Additional Information

http://www.ietf.org/rfc/rfc3280.txt
-> 4.2.1.1 Authority Key Identifier

http://www.openssl.org/docs/apps/verify.html
-> VERIFY OPERATION
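Added example, not part of this issue or of any OPC UA stack: a dependency-free Python model of the issuer lookup the report describes, using constructed certificate records and a toy hash-based signature in place of real X.509 signatures. With old cert (A) and replacement (B) sharing Subject and Issuer in the trust store, a DN-only match picks (A) and the signature check on (B) fails; once both certs carry an AKID, the lookup skips (A) and (B) validates.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: bytes             # stands in for the certificate's key pair (constructed)
    akid: Optional[bytes]  # Authority Key Identifier, None when the extension is absent
    signature: bytes


def key_id(key: bytes) -> bytes:
    """Key identifier derived by hashing the key, the usual way SKID/AKID values are built."""
    return hashlib.sha256(key).digest()


def sign(tbs: bytes, key: bytes) -> bytes:
    """Toy stand-in for a real signature: binds the signed bytes to the signing key."""
    return hashlib.sha256(key + tbs).digest()


def self_signed(subject: str, key: bytes, with_akid: bool) -> Cert:
    tbs = f"{subject}|{subject}".encode()
    return Cert(subject, subject, key, key_id(key) if with_akid else None, sign(tbs, key))


def find_issuer(cert: Cert, store: list) -> Optional[Cert]:
    """Issuer lookup as described in the issue: match the cert's Issuer DN against the
    Subject DN of each stored cert and, only if the cert carries an AKID, also match it
    against the candidate's key identifier. Returns the first candidate that passes."""
    for candidate in store:
        if candidate.subject != cert.issuer:
            continue
        if cert.akid is not None and key_id(candidate.key) != cert.akid:
            continue
        return candidate
    return None


def is_trusted(cert: Cert, store: list) -> bool:
    issuer = find_issuer(cert, store)
    tbs = f"{cert.subject}|{cert.issuer}".encode()
    return issuer is not None and sign(tbs, issuer.key) == cert.signature


def scenario(with_akid: bool) -> bool:
    """Old cert A and replacement B share Subject/Issuer but use different keys; both sit
    in the trust store with A first. Returns whether the server's cert B validates."""
    subject = "CN=urn:example:server,O=Example"             # constructed sample DN
    a = self_signed(subject, b"old-server-key", with_akid)  # constructed sample keys
    b = self_signed(subject, b"new-server-key", with_akid)
    return is_trusted(b, [a, b])
```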

Tags: No tags attached.
Commit Version
Fix Due Date

Relationships

related to 0002032 (closed, Matthias Damm, 10000-004: Services): Make X509 'Authority Key Identifier' extension mandatory for application instance certificates

Activities

Randy Armstrong (administrator), 2012-05-03 15:42, ~0003631

Added authorityKeyIdentifier to the table. Note that it is required for CA certificates but only make it a 'should' for self-signed because this IOP problem can be avoided by deleting the old certificates when new ones are issued.

Updated RC 1.02.10

Jim Luth (administrator), 2012-06-12 17:19, ~0003730

Reviewed and agreed to change in 1.02.13

Issue History

Date Modified Username Field Change
2012-02-22 18:08 Hannes Mezger New Issue
2012-02-22 18:09 Hannes Mezger Description Updated
2012-02-22 18:10 Hannes Mezger Status new => assigned
2012-02-22 18:10 Hannes Mezger Assigned To => Randy Armstrong
2012-05-03 15:42 Randy Armstrong Status assigned => resolved
2012-05-03 15:42 Randy Armstrong Resolution open => fixed
2012-05-03 15:42 Randy Armstrong Note Added: 0003631
2012-05-08 19:49 Jim Luth Issue cloned: 0002032
2012-05-08 19:49 Jim Luth Relationship added related to 0002032
2012-06-12 17:19 Jim Luth Status resolved => closed
2012-06-12 17:19 Jim Luth Note Added: 0003730
2012-06-12 17:19 Jim Luth Fixed in Version => 1.02