Poupou's Corner of the Web

While the design of X509Chain itself is good, the rest of the (greatly updated in 2.0) System.Security.Cryptography.X509Certficates namespace still lacks a lot of things. How much ? well more than enough to make it impossible, without rewriting a large amount of code, to write your own X509Chain replacement.

Maybe X509Certificate3, and a few other X509*2 classes, will be better than the previous incarnations ? E.g. X509Certificate in Fx1.0, another X509Certificate in WSE1 (and probably updated in WSE2 and WSE3), X509Certificate2 in Fx2.0... Time will tell, until then be glad that Mono has it's own managed X509Certificate in Mono.Security.dll :-)

Some bad news (for a specific implementation) on RFC3280 compatibility too...

Bad results (out of 16 sections)

Section	Test Cases	RFC3280	MS[1]	Mono
4.6.4	Basic Certificate Revocation Test	21	20	21	[2]
4.6.6	Verifying Basic Constraints	17	14	17	[3]
4.6.7	Key Usage	5	3	5	[4]
4.6.16	Private Certificate Extensions	2	1	2	[5]

Notes

[1] Tested under Windows XP service pack 2 - YMMV

[2] MS can report RevocationStatusUnknown for a Revoked certificate (if the CRL includes unknown critical extensions)

[3] MS looks for CRL on the self-issued certificate in the chain (it's not the right one to look)

[4] MS doesn't check for the CrlSign key usage (on the CRL's issuer certificate) when validating a CRL

[5] MS report success with certificates containing unknown critical extensions.

and I'm not totally out of bad news...