282370 - Add OID for PKIX_CA_ISSUERS

Status: RESOLVED FIXED

(NSS :: Libraries, enhancement, P2)

Description

[Martin v. Löwis]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; de-DE; rv:1.7.5) Gecko/20050210 Firefox/1.0 (Debian package 1.0+dfsg.1-6)
Build Identifier: 

This patch adds the OID for 1.3.6.1.5.5.7.48.2, PKIX CA Issuers. This ID is
defined in RFC 2459.

It is not clear what OIDs can be added through "static" OID tags, rather than in
the application through SECOID_AddEntry. I think a policy is desirable, best
documented in secoidt.h before the enumeration. I would propose to allow all
OIDs into the file which are certificate-relevant and vendor-independent (e.g.
published in an RFC).

This specific OID is needed for bug Bug 259031, which tries to print the CA
Issuers AIA if present.

Reproducible: Always

Steps to Reproduce:

Comment 1

[Martin v. Löwis]

Attachment: Patch to add SEC_OID_ACCESS_DESCR_CA_ISSUERS

Comment 2

[Nelson Bolyard (seldom reads bugmail)]

Taking bug.  I will review this patch.

Comment 3

[Nelson Bolyard (seldom reads bugmail)]

Comment on attachment 174392 [details] [diff] [review]
Patch to add SEC_OID_ACCESS_DESCR_CA_ISSUERS

r=nelson 
I think I might have preferred a somewhat shorter name than
SEC_OID_ACCESS_DESCR_CA_ISSUERS, perhaps something like SEC_OID_AIA_CA_ISSUERS,
but I'm not going to withhold r+ over such a nit.  i will plan to check this in
on Martin's behalf for 3.10.

Comment 4

[Wan-Teh Chang]

Comment on attachment 174392 [details] [diff] [review]
Patch to add SEC_OID_ACCESS_DESCR_CA_ISSUERS

Nelson,

If you want a shorter name, I suggest
SEC_OID_AD_CA_ISSUERS because this OID
is called id-ad-caIssuers in RFC 2459:

id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 }

Comment 5

[Martin v. Löwis]

Should I submit a new patch for the renamed constant? I personally don't care
too much what it is called, so SEC_OID_AD_CA_ISSUERS sounds fine.

Comment 6

[Wan-Teh Chang]

Attachment: Patch to add SEC_OID_PKIX_CA_ISSUERS

Martin, I took care of this for you.  After
reviewing the two files, I concluded that
SEC_OID_PKIX_CA_ISSUERS is the name that is
the most consistent with existing names.

Is PKIX 3 the nickname for RFC 2459?

Comment 7

[Martin v. Löwis]

I think I confused terminology. PKIX 3 apparently once was the nickname for
draft-ietf-pkix-ipki3cmp-0X.txt, which apparently became RFC 2510. So the
comment claiming that this is PKIX 3 should probably be removed/replaced with a
plain "PKIX" statement. BTW, RFC 2459 is now obsoleted by RFC 3280.

Comment 8

[Wan-Teh Chang]

Attachment: Patch to add SEC_OID_PKIX_CA_ISSUERS, v1.1

Changed "PKIX 3" to "More PKIX OIDs" in comments.

Comment 9

[Nelson Bolyard (seldom reads bugmail)]

Comment on attachment 175248 [details] [diff] [review]
Patch to add SEC_OID_PKIX_CA_ISSUERS, v1.1

Wan-Teh, since you're apparently ready to check this in, please "take" this bug
when you do so.  Thanks.

Comment 10

[Wan-Teh Chang]

Patch checked in on the trunk.

Note that I changed the description of this OID
to "PKIX CA issuers access method", from
"Authority issuers access path".

Checking in secoid.c;
/cvsroot/mozilla/security/nss/lib/util/secoid.c,v  <--  secoid.c
new revision: 1.29; previous revision: 1.28
done
Checking in secoidt.h;
/cvsroot/mozilla/security/nss/lib/util/secoidt.h,v  <--  secoidt.h
new revision: 1.17; previous revision: 1.16
done