Open
Bug 279845
Opened 20 years ago
Updated 2 years ago
NSS doesn't support anyExtendedKeyUsage EKU
Categories
(NSS :: Libraries, enhancement, P3)
NSS
Libraries
Tracking
(Not tracked)
NEW
People
(Reporter: nelson, Unassigned)
RFC 3280 defines this OID, to be used in an Extended Key Usage extension:
anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }
It is not allowed when the EKU extension is marked critical.
Otherwise, it matches all known types of EKUs. It's a wildcard EKU.
NSS doesn't support it. It should.
Updated•20 years ago
Summary: NSS doesn't support → NSS doesn't support anyExtendedKeyUsage EKU
Updated•20 years ago
QA Contact: bishakhabanerjee → jason.m.reid
Updated•19 years ago
Assignee: wtchang → nobody
QA Contact: jason.m.reid → libraries
Updated•18 years ago
Priority: -- → P3
Comment 2•11 years ago
(In reply to Nelson Bolyard (seldom reads bugmail) from comment #0)
> It is not allowed when the EKU extension is marked critical.
http://tools.ietf.org/html/rfc5280#section-4.2.1.12 says:
"Conforming CAs SHOULD NOT mark this extension as critical if the anyExtendedKeyUsage KeyPurposeId is present."
So, a critical EKU *may* contain anyExtendedKeyUsage, and we should still match all EKUs except...
> Otherwise, it matches all known types of EKUs. It's a wildcard EKU.
We have to make sure that we don't consider anyExtendedKeyUsage to be a match for id-kp-OCSPSigning.
Note that it may be important to add support for anyExtendedKeyUsage to be able to do bug 725351 properly, so I'm adding the dependency so we can have that conversation.
Or, perhaps we don't need to ever support anyExtendedKeyUsage. If we've gotten this far without it, that's pretty good evidence that it isn't important.
Comment 3•11 years ago
(In reply to Brian Smith (:briansmith, was :bsmith; NEEDINFO? for response) from comment #2)
> Note that it may be important to add support for anyExtendedKeyUsage to be
> able to do bug 725351 properly, so I'm adding the dependency so we can have
> that conversation.
After implementing nested EKU enforcement, anyExtendedKeyUsage support doesn't seem to be necessary for it to work.
> Or, perhaps we don't need to ever support anyExtendedKeyUsage. If we've
> gotten this far without it, that's pretty good evidence that it isn't
> important.
I'm now leaning towards this. See bug 968817, specifically bug 968817 comment 3.
Updated•2 years ago
Severity: normal → S3
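The matching rule proposed in comment 2, written out as an added example (not NSS code and not posted by anyone in this bug): anyExtendedKeyUsage matches every requested purpose except id-kp-OCSPSigning, which must be listed explicitly. The helper name `eku_permits`, the short-form-length restriction and the sample byte strings are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* DER content octets (no tag or length) of the OIDs involved. */
static const unsigned char ANY_EKU[]      = {0x55,0x1d,0x25,0x00};                     /* 2.5.29.37.0 */
static const unsigned char SERVER_AUTH[]  = {0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x01}; /* id-kp-serverAuth */
static const unsigned char OCSP_SIGNING[] = {0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x09}; /* id-kp-OCSPSigning */
/* Constructed ExtKeyUsageSyntax values (SEQUENCE OF OBJECT IDENTIFIER). */
static const unsigned char EKU_ANY_ONLY[] = {0x30,0x06, 0x06,0x04,0x55,0x1d,0x25,0x00};
static const unsigned char EKU_ANY_OCSP[] = {0x30,0x10, 0x06,0x04,0x55,0x1d,0x25,0x00,
                                             0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x09};
static const unsigned char EKU_SERVER[]   = {0x30,0x0a, 0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x01};

static int oid_eq(const unsigned char *a, size_t alen, const unsigned char *b, size_t blen) {
    return alen == blen && memcmp(a, b, alen) == 0;
}

/* Hypothetical helper, not an NSS function. Returns 1 if `want` is permitted,
 * 0 if not, -1 if the DER is malformed. Assumes short-form lengths (< 128).
 * The critical flag is deliberately not an input: under the RFC 5280 text
 * quoted in comment 2 it does not change the match. */
int eku_permits(const unsigned char *eku, size_t eku_len,
                const unsigned char *want, size_t want_len) {
    size_t pos = 2, n;
    int exact = 0, any = 0;
    if (eku_len < 2 || eku[0] != 0x30 || eku[1] >= 0x80 || (size_t)eku[1] + 2 != eku_len)
        return -1;
    while (pos < eku_len) {
        if (eku_len - pos < 2 || eku[pos] != 0x06 || eku[pos + 1] >= 0x80)
            return -1;
        n = eku[pos + 1];
        if (n == 0 || n > eku_len - pos - 2)
            return -1;
        if (oid_eq(eku + pos + 2, n, want, want_len)) exact = 1;
        if (oid_eq(eku + pos + 2, n, ANY_EKU, sizeof ANY_EKU)) any = 1;
        pos += 2 + n;
    }
    if (exact) return 1;
    /* The wildcard never stands in for OCSP signing. */
    return any && !oid_eq(want, want_len, OCSP_SIGNING, sizeof OCSP_SIGNING);
}

int main(void) {
    printf("anyEKU -> serverAuth:       %d\n", eku_permits(EKU_ANY_ONLY, sizeof EKU_ANY_ONLY, SERVER_AUTH, sizeof SERVER_AUTH));
    printf("anyEKU -> OCSPSigning:      %d\n", eku_permits(EKU_ANY_ONLY, sizeof EKU_ANY_ONLY, OCSP_SIGNING, sizeof OCSP_SIGNING));
    printf("anyEKU+OCSP -> OCSPSigning: %d\n", eku_permits(EKU_ANY_OCSP, sizeof EKU_ANY_OCSP, OCSP_SIGNING, sizeof OCSP_SIGNING));
    printf("serverAuth -> OCSPSigning:  %d\n", eku_permits(EKU_SERVER, sizeof EKU_SERVER, OCSP_SIGNING, sizeof OCSP_SIGNING));
    return 0;
}
```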