Jump to navigation

Poupou's Corner of the Web

Looking for perfect security? Try a wireless brick.
Otherwise you may find some unperfect stuff here...

Weblog

in chains: The Bad

While the design of X509Chain itself is good, the rest of the (greatly updated in 2.0) System.Security.Cryptography.X509Certficates namespace still lacks a lot of things. How much ? well more than enough to make it impossible, without rewriting a large amount of code, to write your own X509Chain replacement.

Maybe X509Certificate3, and a few other X509*2 classes, will be better than the previous incarnations ? E.g. X509Certificate in Fx1.0, another X509Certificate in WSE1 (and probably updated in WSE2 and WSE3), X509Certificate2 in Fx2.0... Time will tell, until then be glad that Mono has it's own managed X509Certificate in Mono.Security.dll :-)

Some bad news (for a specific implementation) on RFC3280 compatibility too...

Bad results (out of 16 sections)

SectionTest CasesRFC3280MS[1]Mono 
4.6.4Basic Certificate Revocation Test212021[2]
4.6.6Verifying Basic Constraints171417[3]
4.6.7Key Usage535[4]
4.6.16Private Certificate Extensions212[5]

Notes

[1] Tested under Windows XP service pack 2 - YMMV

[2] MS can report RevocationStatusUnknown for a Revoked certificate (if the CRL includes unknown critical extensions)

[3] MS looks for CRL on the self-issued certificate in the chain (it's not the right one to look)

[4] MS doesn't check for the CrlSign key usage (on the CRL's issuer certificate) when validating a CRL

[5] MS report success with certificates containing unknown critical extensions.

and I'm not totally out of bad news...


12/6/2006 16:30:47 | Comments

The views expressed on this website/weblog are mine alone and do not necessarily reflect the views of my employer.