Closed Bug 1169968 Opened 9 years ago Closed 7 years ago

Imposed name constraints should be associated with public keys, not (just) certificates

Categories

(Core :: Security: PSM, defect)

defect
Not set
normal

Tracking

()

RESOLVED INVALID
Tracking Status
firefox41 --- affected

People

(Reporter: briansmith, Unassigned)

Details

(Whiteboard: [psm-backlog])

Consider the case of the US FPKI bridge ("Super CA") certificate. They are willing (if not excited about) being name-constrained to *.mil and *.gov. However, if they were to be added[1], those name constraints wouldn't be effective, because they are cross-signed by another trusted CA. Such cross-signing shouldn't affect whether imposed name constraints are effective are not. One way to fix this would be to have mozilla::pkix's PathBuildingStep::Check ask the trust domain for name constraints given a public key as input, in addition to what it does now. [1] I understand that the US FPKI root has already been rejected. However, the specifics of that don't matter so much as far as this bug is concerned. It's just a convenient example.
Whiteboard: [psm-backlog]
Unless I'm misunderstanding, I don't think this is an issue. If a CA with imposed name constraints were cross-signed, path building will still traverse that CA (in the sense of "a certificate with a particular key and subject DN"), meaning we'll impose those name constraints (unless there's a completely different trusted hierarchy due to a cross-signed intermediate at a lower level, which this wouldn't address anyway).
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.