Closed
Bug 354628
Opened 19 years ago
Closed 19 years ago
Certificate Import for Sub CAs sometimes fails
Categories
(Firefox :: Security, defect)
RESOLVED
INVALID
People
(Reporter: arundgren, Unassigned)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Self-signed root certificate: http://webpki.org/mozbug/root.cer
Imported directly from browser
Then I wanted to import the following sub CA the same way
http://webpki.org/mozbug/cacert.cer
Nothing happened
Reproducible: Always
Steps to Reproduce:
See details
Actual Results:
Only the root is installed
Expected Results:
The path would be visible in the certificate viewer
Works fine in MSIE
Both certificates have serial number 1 but since they belong to different parts of the path this is OK.
Comment 1•19 years ago
Both certs begin:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=Demo Root CA,O=webpki.org,C=US"
IOW, both certs have same issuer name and serial number, but are not
identical certs.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
Reporter
Comment 2•19 years ago
(In reply to comment #1)
> IOW, both certs have same issuer name and serial number, but are not
> identical certs.
The issue here is that the Mozilla cert-store does not appear to distinguish between self-signed certificates and "other" certificates. A self-signed certificate is by definition a CA and thus (like any other CA) has its own serial number space.
RFC 3280 only requires issuer/serial number uniqueness within a specific CA and does not have any opinion about other CAs. In addition, there are no requirements that distinguished names must be globally unique.
It is also important to keep in mind that trust-anchors in RFC 3280 sense are public keys rather than certificates. Wrapping a trust-anchor in a self-signed certificate should not change this notion.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Comment 3•19 years ago
Sorry, Anders. This bug is invalid.
It isn't a democracy. This is Mozilla's position. Has been for a decade.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago → 19 years ago
Resolution: --- → INVALID
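Added example (not part of the bug thread and not Mozilla's code): a standard-library Python check, run before import, for the condition comment 1 describes, two non-identical certificates that share an issuer name and serial number. The sample certificates are constructed skeletons, the subject names "Demo Sub CA" and "Demo Leaf" are hypothetical, and issuer names are compared as raw DER bytes, which is a simplification.

```python
import hashlib
from collections import defaultdict

def read_tlv(buf, pos):                     # -> (tag, value, next_pos) of one DER element
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def issuer_and_serial(cert_der):
    """Return (issuer Name as raw DER, serial number) of a DER X.509 certificate."""
    _, cert, _ = read_tlv(cert_der, 0)      # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)           # tbsCertificate SEQUENCE
    tag, val, nxt = read_tlv(tbs, 0)
    if tag == 0xA0:                         # optional explicit [0] version field
        tag, val, nxt = read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER expected")
    _, _, start = read_tlv(tbs, nxt)        # skip the signature AlgorithmIdentifier
    _, _, end = read_tlv(tbs, start)        # issuer Name spans start..end
    return tbs[start:end], int.from_bytes(val, "big", signed=True)

def find_collisions(certs):
    """Map (issuer, serial) -> names of non-identical certs sharing that pair."""
    groups = defaultdict(dict)
    for fname, der in certs.items():
        groups[issuer_and_serial(der)][hashlib.sha256(der).digest()] = fname
    return {k: sorted(v.values()) for k, v in groups.items() if len(v) > 1}

# Constructed sample input: structural skeletons only (no keys, dates or signatures).
def tlv(tag, body):                         # short-form lengths suffice for the samples
    return bytes([tag, len(body)]) + body

def name(cn):                               # Name with a single commonName attribute
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))

def skeleton(serial, issuer, subject):
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010105")) + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial]))
              + alg + issuer + tlv(0x30, b"") + subject)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))

ROOT = name("Demo Root CA")
SAMPLES = {"root.cer": skeleton(1, ROOT, ROOT),
           "cacert.cer": skeleton(1, ROOT, name("Demo Sub CA")),  # hypothetical subject
           "other.cer": skeleton(2, ROOT, name("Demo Leaf"))}     # hypothetical subject
print(find_collisions(SAMPLES))
```

`issuer_and_serial` accepts any DER-encoded certificate, so the same check can be pointed at real `.cer` files read in binary mode.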