Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 27 Jun 2012 15:39:51 +0200
From: Ludwig Nussel <>
Subject: Re: please verify unusual x.509 constraints are handled

Tavis Ormandy wrote:
> List, just an FYI, I've noticed a Korean CA appears to always set the cA
> bit in the X.509 basicContraints, then uses pathLenConstraint and
> keyUsage bits to restrict the results.
> [...]
> While arguably the X.509 specifications permit this, I find it hard to
> believe that these bits are checked consistently by all implementations.
> AFAICT, GnuTLS does not check these constraints, but OpenSSL does.

One thing I always wonder when x509 certificates come into play is
where to draw the line between missing feature and vulnerability.


  (o_   Ludwig Nussel
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imend├Ârffer, HRB 16746 (AG N├╝rnberg)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.