Closed Bug 232738 Opened 20 years ago Closed 20 years ago
PKITS test 4.7.5 fails, NSS ignores non-critical Key Usage extensions
RFC 3280 says that implementations MUST honor Key Usage extensions, whether or not they are critical. NSS ignores non-critical Key Usage extensions, and so fails PKITS test 4.7.5. Patch forthcoming.
With this patch, NSS will no longer ignore non-critical key usage extensions. It is POSSIBLE that some web sites and some email certs will stop working, because they have key usage extensions in their CA certs that say that their CA certs cannot be used for the purposes for which they use them. Those formerly worked, because NSS ignored the non-critical key usage extension. Now, when NSS enforces it, users whose certs never should have worked will stop working. But it's the right thing to do.
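Added illustration, not part of the bug comments and not NSS code: a small C model of the rule discussed above. It parses a DER-encoded keyUsage extension and compares a check that skips non-critical extensions with one that enforces the extension whenever it is present. All function and constant names are local to this example, and the byte string is a constructed sample.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* KeyUsage named bits (RFC 3280, 4.2.1.3); named bit 0 is the MSB of the first octet. */
enum { KU_DIGITAL_SIGNATURE = 0x80, KU_KEY_ENCIPHERMENT = 0x20, KU_KEY_CERT_SIGN = 0x04, KU_CRL_SIGN = 0x02 };
typedef struct { int present, critical; uint8_t bits; } key_usage;

/* Constructed sample: non-critical keyUsage with digitalSignature | keyEncipherment only. */
const uint8_t SAMPLE_NONCRIT[] = { 0x30,0x0B, 0x06,0x03,0x55,0x1D,0x0F, 0x04,0x04,0x03,0x02,0x05,0xA0 };

/* Parse one DER keyUsage Extension (short-form lengths only). 0 = ok, -1 = malformed. */
int parse_key_usage(const uint8_t *d, size_t n, key_usage *ku)
{
    static const uint8_t oid[] = { 0x06, 0x03, 0x55, 0x1D, 0x0F };   /* id-ce-keyUsage */
    size_t i = 2 + sizeof oid;
    memset(ku, 0, sizeof *ku);
    if (n < i || d[0] != 0x30 || d[1] >= 0x80 || (size_t)d[1] + 2 != n) return -1;
    if (memcmp(d + 2, oid, sizeof oid) != 0) return -1;
    if (n - i >= 3 && d[i] == 0x01 && d[i + 1] == 0x01) {  /* critical BOOLEAN DEFAULT FALSE */
        ku->critical = d[i + 2] != 0;
        i += 3;
    }
    /* extnValue: OCTET STRING wrapping a BIT STRING = 04 len 03 len unused-bits octets */
    if (n - i < 6 || d[i] != 0x04 || (size_t)d[i + 1] != n - i - 2) return -1;
    if (d[i + 2] != 0x03 || d[i + 3] != d[i + 1] - 2 || d[i + 4] > 7) return -1;
    ku->bits = d[i + 5];   /* named bits 0..7; decipherOnly (bit 8) is not modelled */
    ku->present = 1;
    return 0;
}

/* Model of the reported behaviour: a non-critical extension is skipped. */
int usage_ok_ignoring_noncritical(const key_usage *ku, uint8_t need)
{ return !ku->present || !ku->critical || (ku->bits & need) == need; }

/* RFC 3280 rule: a present keyUsage is enforced whether or not it is critical. */
int usage_ok_rfc3280(const key_usage *ku, uint8_t need)
{ return !ku->present || (ku->bits & need) == need; }

int main(void)
{
    key_usage ku;
    if (parse_key_usage(SAMPLE_NONCRIT, sizeof SAMPLE_NONCRIT, &ku) != 0) return 1;
    printf("skip non-critical: %d, enforce always: %d\n",
           usage_ok_ignoring_noncritical(&ku, KU_KEY_CERT_SIGN),
           usage_ok_rfc3280(&ku, KU_KEY_CERT_SIGN));
    return 0;
}
```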
Adding potential reviewers to CC list
Status: NEW → ASSIGNED
Comment on attachment 140306 patch v1
Please review this patch after reading the bug comments. Thanks.
Attachment #140306 - Flags: review?(jpierre)
/cvsroot/mozilla/security/nss/lib/certdb/certv3.c,v <-- certv3.c new revision: 1.7; previous revision: 1.6
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Priority: -- → P2
Resolution: --- → FIXED
Target Milestone: --- → 3.10