Closed Bug 1016587 Opened 11 years ago Closed 8 years ago

Update CA Certificate Policy to allow CAs to create certificates with duplicate serial numbers for CT

Categories

(CA Program :: CA Certificate Root Program, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Assigned: kathleen.a.wilson)

Details

(Whiteboard: [ca-program] https://github.com/mozilla/pkipolicy/issues/41)

http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/

"4. We reserve the right to not include a particular CA certificate in our software products. ... This also includes (but again is not limited to) cases where we believe that including a CA certificate (or setting its "trust bits" in a particular way) might cause technical problems with the operation of our software, for example, with CAs that issue certificates that have
- ASN.1 DER encoding errors;
- invalid public keys (e.g., RSA certificates with public exponent equal to 1);
- duplicate issuer names and serial numbers;"

The line "duplicate issuer names and serial numbers" will need to be updated to take CT into account.

Suggestion: CT requires that the signed TBS certificate posted to the CT logs and the “real” cert have the same issuer, serial number, keys, and most other data. It also has a “poison” extension which makes it unusable as an SSL certificate. It breaks a lot of the standard PKI rules, but it is a standard that CAs are following. You might want to add “…duplicate issuer names and serial numbers, except as permitted under CT;”
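An added example, not part of this bug report or of any Mozilla tooling: a checker that flags duplicate (issuer, serial) pairs the way the policy describes, but permits the CT case where exactly one of the two is a precertificate carrying the critical poison extension (OID 1.3.6.1.4.1.11129.2.4.3 from RFC 6962) and both share the same public key. The issuer name, key labels and certificate records are constructed sample data; only the two Extensions byte strings are real DER.

```python
# Added example: duplicate (issuer, serial) detection that exempts the CT
# precert/final pair. Stdlib only; sample data is constructed.
# DER TLV of the RFC 6962 poison extension OID 1.3.6.1.4.1.11129.2.4.3.
POISON_OID_DER = bytes.fromhex("060a2b06010401d679020403")
def parse_der_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def has_poison_extension(extensions_der):
    """True if the Extensions SEQUENCE holds a critical CT poison extension."""
    _, seq, _ = parse_der_tlv(extensions_der, 0)
    pos = 0
    while pos < len(seq):
        _, ext, pos = parse_der_tlv(seq, pos)  # Extension ::= SEQUENCE {...}
        _, _, after_oid = parse_der_tlv(ext, 0)  # extnID OBJECT IDENTIFIER
        if ext[:after_oid] != POISON_OID_DER:
            continue
        crit_tag, crit_val, _ = parse_der_tlv(ext, after_oid)
        # RFC 6962 requires the poison to be critical (BOOLEAN TRUE = 01 01 FF).
        return crit_tag == 0x01 and crit_val == b"\xff"
    return False
def find_duplicate_serials(certs):
    """Return (issuer, serial) keys shared by >1 cert, except a valid precert pair."""
    by_key = {}
    for c in certs:
        by_key.setdefault((c["issuer"], c["serial"]), []).append(c)
    violations = []
    for key, group in by_key.items():
        poisoned = sum(has_poison_extension(c["extensions"]) for c in group)
        same_spki = len({c["spki"] for c in group}) == 1
        # Permitted under CT: exactly one precert plus its final cert, same key.
        if len(group) > 1 and not (len(group) == 2 and poisoned == 1 and same_spki):
            violations.append(key)
    return violations
# Constructed sample DER: precert Extensions (critical poison, value OCTET
# STRING{NULL}) and a final cert's Extensions (critical keyUsage only).
PRECERT_EXTS = bytes.fromhex("3015 3013 060a2b06010401d679020403 0101ff 04020500")
FINAL_EXTS = bytes.fromhex("3010 300e 0603551d0f 0101ff 0404030205a0")
CA = "CN=Example CA"  # constructed issuer; spki values are labels, not real keys
SAMPLE_CERTS = [
    {"issuer": CA, "serial": 0x1001, "spki": "key-A", "extensions": PRECERT_EXTS},
    {"issuer": CA, "serial": 0x1001, "spki": "key-A", "extensions": FINAL_EXTS},
    {"issuer": CA, "serial": 0x1002, "spki": "key-B", "extensions": FINAL_EXTS},
    {"issuer": CA, "serial": 0x1002, "spki": "key-B", "extensions": FINAL_EXTS},  # true duplicate
    {"issuer": CA, "serial": 0x1003, "spki": "key-C", "extensions": PRECERT_EXTS},
    {"issuer": CA, "serial": 0x1003, "spki": "key-D", "extensions": FINAL_EXTS},  # key mismatch
]
```

Running `find_duplicate_serials(SAMPLE_CERTS)` reports only the 0x1002 pair (a genuine duplicate) and the 0x1003 pair (precert and final cert disagree on the key); the 0x1001 precert/final pair is accepted.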
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Whiteboard: [ca-program] https://github.com/mozilla/pkipolicy/issues/41
Product: mozilla.org → NSS
Product: NSS → CA Program