[ntp:questions] trustRoot/private OID/strings?
erwann.abalea at keynectis.com
Thu Nov 28 16:30:47 UTC 2013
I don't know if this should go here of to ntpwg list.
Reading RFC5906, an EKU named "trustRoot" is used to indicate that the
self-signed certificate should be trusted, and an EKU "private" is used
to indicate that a certificate is private. Annex J looks for strings
"trustRoot" and "private" in the EKU extension.
There are several remarks on this:
- the ExtendedKeyUsage extension contains only object identifiers, not
strings; therefore, you should search for specific OIDs
- there's no "trustRoot" OID defined, nowhere
- there's a "private" OID defined, its value is 188.8.131.52.4, it belongs
to IANA and its semantic has nothing to do with private certificates or NTP
- the ntp reference software compares the text representation of OIDs
found in the EKU extension with "Trust Root" and "Private", which are
long form representations only present in OpenSSL
- the trustRoot OID defined in OpenSSL belongs to the id-pkix-ocsp
arc, it was probably added because someone needed one for a draft OCSP
evolution, but shouldn't be here (no such thing has ever been
standardized), and may be removed in the future
- a self-signed certificate you receive is not trusted because it
contains a magical value
How can interoperability be achieved?
More information about the questions