Closed
Bug 1169968
Opened 9 years ago
Closed 7 years ago
Imposed name constraints should be associated with public keys, not (just) certificates
Categories
(Core :: Security: PSM, defect)
Core
Security: PSM
Tracking
()
RESOLVED
INVALID
Tracking | Status | |
---|---|---|
firefox41 | --- | affected |
People
(Reporter: briansmith, Unassigned)
Details
(Whiteboard: [psm-backlog])
Consider the case of the US FPKI bridge ("Super CA") certificate. They are willing (if not excited about) being name-constrained to *.mil and *.gov. However, if they were to be added[1], those name constraints wouldn't be effective, because they are cross-signed by another trusted CA. Such cross-signing shouldn't affect whether imposed name constraints are effective are not.
One way to fix this would be to have mozilla::pkix's PathBuildingStep::Check ask the trust domain for name constraints given a public key as input, in addition to what it does now.
[1] I understand that the US FPKI root has already been rejected. However, the specifics of that don't matter so much as far as this bug is concerned. It's just a convenient example.
Updated•8 years ago
|
Whiteboard: [psm-backlog]
Comment 1•7 years ago
|
||
Unless I'm misunderstanding, I don't think this is an issue. If a CA with imposed name constraints were cross-signed, path building will still traverse that CA (in the sense of "a certificate with a particular key and subject DN"), meaning we'll impose those name constraints (unless there's a completely different trusted hierarchy due to a cross-signed intermediate at a lower level, which this wouldn't address anyway).
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
You need to log in
before you can comment on or make changes to this bug.
Description
•