Globus: GSI v2.0: X509 Certificate Critical Extension Handling

Currently, as of the 2.0 release of the GSI, only the following critical extensions are handled:
In 1.1.x releases of the GSI, critical extensions other than the ones listed above were ignored. Starting with 2.0, if an unrecognized critical extension is found, the code returns an error.

The one action that the GSI libraries do take with regard to critical extensions concerns the keyCertSign bit in the keyUsage extension. If, when checking a proxy certificate, the OpenSSL code returns an error because the signing user certificate has the keyCertSign bit set to false, the GSI library causes this error to be ignored.
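The difference between the 1.1.x and 2.0 behaviour can be seen by walking a DER-encoded Extensions list and applying each policy to it. This is an added Python model, not GSI or OpenSSL code: the `HANDLED` set is an assumption (keyUsage only, because the page mentions it), `SAMPLE` is constructed by hand, and the keyCertSign exception is not modelled.

```python
# Added example, not GSI code. HANDLED is an assumption (the page's own list is
# not reproduced here); SAMPLE is a constructed Extensions value, not a real cert.
HANDLED = {"2.5.29.15"}  # keyUsage
SAMPLE = bytes.fromhex(
    "3031"                                        # Extensions SEQUENCE, 49 bytes
    "300e0603551d0f0101ff040403020780"            # keyUsage, critical
    "300b0603551d0e04040402abcd"                  # subjectKeyIdentifier, non-critical
    "301206092b06010401868d1f010101ff04020500")   # 1.3.6.1.4.1.99999.1, critical, made up

def read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def oid_str(raw):
    """Convert OID content octets to dotted-decimal form."""
    subs, val = [], 0
    for b in raw:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subs.append(val)
            val = 0
    first = min(subs[0] // 40, 2)
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))

def critical_oids(extensions_der):
    """List the OIDs of extensions whose critical flag is TRUE."""
    tag, body, _ = read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    found, pos = [], 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid, nxt = read_tlv(ext, 0)
        tag2, val, _ = read_tlv(ext, nxt)
        # critical is BOOLEAN DEFAULT FALSE: an absent flag means non-critical
        if tag2 == 0x01 and val != b"\x00":
            found.append(oid_str(oid))
    return found

def check(extensions_der, handled=HANDLED, reject_unknown=True):
    """reject_unknown=True models 2.0 (error); False models 1.1.x (ignore)."""
    unknown = [o for o in critical_oids(extensions_der) if o not in handled]
    return (not (unknown and reject_unknown)), unknown
```

With `reject_unknown=False` the sample is accepted even though it carries a critical extension the verifier does not understand, which is the 1.1.x behaviour that 2.0 replaced with an error.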