[ntp:questions] trustRoot/private OID/strings?

Erwann Abalea erwann.abalea at keynectis.com
Thu Nov 28 16:30:47 UTC 2013


I don't know if this should go here of to ntpwg list.

Reading RFC5906, an EKU named "trustRoot" is used to indicate that the 
self-signed certificate should be trusted, and an EKU "private" is used 
to indicate that a certificate is private. Annex J looks for strings 
"trustRoot" and "private" in the EKU extension.

There are several remarks on this:
  - the ExtendedKeyUsage extension contains only object identifiers, not 
strings; therefore, you should search for specific OIDs
  - there's no "trustRoot" OID defined, nowhere
  - there's a "private" OID defined, its value is, it belongs 
to IANA and its semantic has nothing to do with private certificates or NTP
  - the ntp reference software compares the text representation of OIDs 
found in the EKU extension with "Trust Root" and "Private", which are 
long form representations only present in OpenSSL
  - the trustRoot OID defined in OpenSSL belongs to the id-pkix-ocsp 
arc, it was probably added because someone needed one for a draft OCSP 
evolution, but shouldn't be here (no such thing has ever been 
standardized), and may be removed in the future
  - a self-signed certificate you receive is not trusted because it 
contains a magical value

How can interoperability be achieved?


More information about the questions mailing list