{"id":423,"date":"2014-04-28T09:04:54","date_gmt":"2014-04-28T17:04:54","guid":{"rendered":"http:\/\/unmitigatedrisk.com\/?p=423"},"modified":"2014-04-28T09:06:25","modified_gmt":"2014-04-28T17:06:25","slug":"must-staple-and-pki-js","status":"publish","type":"post","link":"https:\/\/unmitigatedrisk.com\/?p=423","title":{"rendered":"MUST STAPLE and PKI.js"},"content":{"rendered":"<p>The other day I did a post on how to create a <a href=\"ttp:\/\/unmitigatedrisk.com\/?p=417\">self-signed certificate using PKI.js<\/a>\u00a0in that sample we included a Basic Constraints extension but we could have also just as easily defined a custom or new certificate extension. For example thanks to #heartbleed folks are talking about MUST STAPLE again, this is an extension that was proposed several years ago that when present would indicate that clients should hard-fail instead of soft-fail with OCSP.<\/p>\n<p>This proposal is based on a generic concept of expressing a <a href=\"http:\/\/tools.ietf.org\/html\/draft-hallambaker-tlssecuritypolicy-03\">security policy within the certificate<\/a>. While the OIDs for this extension and the associated policy have not been defined yet one can easily construct a certificate using this extension with PKI.js:<\/p>\n<pre>\r\ncert_simpl.extensions.push(new org.pkijs.simpl.EXTENSION({\r\n    extnID: \"1.2.3\", \/\/ No OIDs assigned yet\r\n    critical: false,\r\n    extnValue: (new org.pkijs.asn1.SEQUENCE({\r\n        value: [\r\n                   new org.pkijs.asn1.INTEGER({ value: 4 }),\r\n                   new org.pkijs.asn1.INTEGER({ value: 5 }),\r\n                   new org.pkijs.asn1.INTEGER({ value: 6 })\r\n               ]\r\n               })).toBER(false)\r\n}));\r\n<\/pre>\n<p><em><strong>NOTE<\/strong>: In the above snip-it we just made up two OID values, hopefully IANA will assign OIDs soon\u00a0so it is possible for browsers and CAs to implement this extension formally.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The other day I did a post on how to create a self-signed certificate using PKI.js\u00a0in that sample we included a Basic Constraints extension but we could have also just as easily defined a custom or new certificate extension. For example thanks to #heartbleed folks are talking about MUST STAPLE again, this is an extension [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[1],"tags":[118,25,120],"class_list":["post-423","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-javascript","tag-ocsp","tag-pki-js"],"_links":{"self":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/posts\/423","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=423"}],"version-history":[{"count":0,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/posts\/423\/revisions"}],"wp:attachment":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=423"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=423"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=423"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}