[cabfpub] CT Precertificates and the BRs

Rick Andrews Rick_Andrews at symantec.com
Tue Jan 14 18:35:56 UTC 2014


> -----Original Message-----
> From: Ben Laurie [mailto:benl at google.com]
> Sent: Tuesday, January 14, 2014 5:49 AM
> To: Gervase Markham
> Cc: Rick Andrews; Mads Egil Henriksveen; public at cabforum.org
> Subject: Re: [cabfpub] CT Precertificates and the BRs
> 
> On 14 January 2014 10:04, Gervase Markham <gerv at mozilla.org> wrote:
> > On 14/01/14 04:41, Rick Andrews wrote:
> >> Ben, the poison extension only ensures it can't be used in SSL with
> >> modern browsers. We recently had to use the poison extension to
> >> create a BR-incompatible SSL cert for a non-browser app.
> >
> > Surely if the non-browser app in question understands what the
> > "poison extension" means, then it's not a poison extension any more,
> > it's just a critical extension that one app understands :-)
> 
> Exactly, and no app should understand the CT poison extension.

Exactly, but my point is that there are non-browser applications out there that a) don't understand poison critical extensions, and b) don't fail on poison critical extensions that they don't understand. That's what allowed this SSL cert to work for our non-browser customer.

I'm trying to say that the poison extension is poison only to applications that correctly implement critical extension handling. There are probably even some very old browser versions that don't handle critical extensions properly. The poison extension isn't as watertight as we might like.

-Rick
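Rick's point above is that the poison extension only "poisons" a certificate for relying parties that honour RFC 5280 section 4.2, which requires rejecting any critical extension the application does not recognise. As an added illustration (not code from this thread, nor from any CA, browser or the CT project), the following Python builds a precertificate-style Extensions block by hand, including the CT poison extension from RFC 6962 (OID 1.3.6.1.4.1.11129.2.4.3, critical, value ASN.1 NULL), and compares a validator that rejects unrecognised critical extensions with one that ignores the critical flag. The KNOWN_OIDS set, the function names and the sample extension values are assumptions made for the example.

```python
"""
Minimal DER encoder/decoder for X.509 Extensions, used to show why the
CT precertificate poison extension only stops relying parties that
implement RFC 5280 section 4.2 correctly.  Example code; not from the
thread above.
"""

POISON_OID = "1.3.6.1.4.1.11129.2.4.3"  # RFC 6962 precertificate poison

# Assumption: the extensions some hypothetical application recognises.
KNOWN_OIDS = {
    "2.5.29.15",  # keyUsage
    "2.5.29.17",  # subjectAltName
    "2.5.29.19",  # basicConstraints
    "2.5.29.37",  # extKeyUsage
}


def _der_len(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed, rest in base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def encode_extension(oid, critical, value):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }"""
    body = encode_oid(oid)
    if critical:  # DER omits a BOOLEAN equal to its DEFAULT
        body += tlv(0x01, b"\xff")
    body += tlv(0x04, value)
    return tlv(0x30, body)


def encode_extensions(exts):
    return tlv(0x30, b"".join(encode_extension(*e) for e in exts))


def _read_tlv(buf, pos):
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_extensions(der):
    """Return a list of (oid, critical, raw extnValue) tuples."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    exts, pos = [], 0
    while pos < len(body):
        tag, ext, pos = _read_tlv(body, pos)
        _, oid, p = _read_tlv(ext, 0)
        t, v, p = _read_tlv(ext, p)
        critical = False
        if t == 0x01:  # optional BOOLEAN present
            critical = v != b"\x00"
            t, v, p = _read_tlv(ext, p)
        exts.append((decode_oid(oid), critical, v))
    return exts


def unrecognised_critical(der, known=KNOWN_OIDS):
    """OIDs of critical extensions the application does not understand."""
    return [oid for oid, crit, _ in decode_extensions(der) if crit and oid not in known]


def validate(der, known=KNOWN_OIDS, honour_critical=True):
    """honour_critical=True is RFC 5280 behaviour; False is the lenient bug."""
    if honour_critical and unrecognised_critical(der, known):
        return False
    return True


def build_precert_extensions():
    """Constructed sample: ordinary leaf extensions plus the poison."""
    return encode_extensions([
        ("2.5.29.19", True, b"\x30\x00"),                      # basicConstraints CA=FALSE
        ("2.5.29.15", True, b"\x03\x02\x05\xa0"),              # keyUsage DS+KE
        ("2.5.29.17", False, b"\x30\x0d\x82\x0bexample.com"),  # SAN dNSName
        (POISON_OID, True, b"\x05\x00"),                       # poison: NULL
    ])


if __name__ == "__main__":
    der = build_precert_extensions()
    print("strict validator accepts:", validate(der))
    print("lenient validator accepts:", validate(der, honour_critical=False))
```

The strict path rejects the block because the poison OID is critical and unknown; the lenient path, which mirrors the non-browser application Rick describes, accepts it without noticing. Adding the poison OID to the recognised set also makes the strict validator accept it, which is Gerv's observation that an application which "understands" the extension has turned it into an ordinary critical extension.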

