Closed Bug 356108 Opened 18 years ago Closed 1 year ago

CERT_CheckCertUsage implicitly sets KU_NON_REPUDIATION

Categories

(NSS :: Libraries, defect, P5)

3.11.3

Tracking

(Not tracked)

RESOLVED INACTIVE

People

(Reporter: KaiE, Unassigned)

Details

Given a cert which does not have a key usage extension at all. Check usage KU_NON_REPUDIATION with a call to: CERT_CheckCertUsage(cert, KU_NON_REPUDIATION) This returns "success". Bob Relyea said, this is probably a bug. It seems we do NOT want implicit KU_NON_REPUDIATION.
In general, cert extensions serve to LIMIT or RESTRICT the uses of the cert. A cert with the fewest extensions is the least restricted, not the most restricted. A Key Usage extension serves to limit the usages of the key. In the absence of the extension... The same generally applies to EKU. But there are exceptions to this rule for EKUs. Some EKU OIDs (Gov't approved, object signing) default to disallowed when no EKU is present. I guess we need to specify default settings for each of the KU bits, and each of the known EKU OIDs.
(Any update on this bug? Would it be wanted for Gecko 1.9?)
I think the current behaviour is correct. A certificate that doesn't have the keyUsage extension set doesn't restrict its usage and can be used for any purpose. Does this cause a problem?
I wish PKI was as simple as I thought it was when I wrote comment 1. The sad truth is that for each individual key usage bit and extended key usage OID, there is a default condition which applies when the cert has no KU or EKU extension. For nearly ALL such KU bits and EKU OIDs, the default condition is that, in the absence of a KU or EKU extension, the cert is not restricted with respect to those usages / extended usages. But there are exceptions. There are some usages that are ONLY granted when they explicitly appear in a KU or EKU extension, and are never granted by default. An example of this is the extended key usage id-kp-OCSPSigning defined in RFC 2560. And, in many countries, the same is true with the NR KU. If it isn't explicitly granted, the cert doesn't have it. It would be grand if this was universally true in all countries, but nothing about NR seems to be universally true in all countries. :(
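The per-usage default policy that comments 1 and 4 describe can be made concrete with a small model. The following C program is an added example, not NSS code and not how CERT_CheckCertUsage is actually implemented: it keeps a table of which KU bits and EKU purposes are granted when the corresponding extension is absent, with non-repudiation, OCSP signing and object signing as the explicit-only exceptions the thread names. The KU_* values are defined locally in the same bit order as the X.509 KeyUsage bit string; the ToyCert struct, the EkuPurpose enum, and the functions check_key_usage and check_extended_key_usage are hypothetical names chosen for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* KeyUsage bit flags, defined locally for this example (same bit order as the
 * X.509 KeyUsage BIT STRING, most significant bit first). */
#define KU_DIGITAL_SIGNATURE 0x80
#define KU_NON_REPUDIATION   0x40
#define KU_KEY_ENCIPHERMENT  0x20
#define KU_DATA_ENCIPHERMENT 0x10
#define KU_KEY_AGREEMENT     0x08
#define KU_KEY_CERT_SIGN     0x04
#define KU_CRL_SIGN          0x02
#define KU_ENCIPHER_ONLY     0x01

/* Policy table, part 1: KU bits granted when the cert has NO KeyUsage
 * extension. An absent extension leaves most usages unrestricted, but
 * non-repudiation is only granted when the extension explicitly sets it. */
#define KU_GRANTED_WHEN_ABSENT ((uint8_t)(0xFF & ~KU_NON_REPUDIATION))

/* Extended key usages modelled as an enum (a real implementation keys on OIDs). */
typedef enum {
    EKU_SERVER_AUTH,
    EKU_CLIENT_AUTH,
    EKU_CODE_SIGNING,   /* "object signing" in the thread */
    EKU_OCSP_SIGNING,   /* id-kp-OCSPSigning from RFC 2560 */
    EKU_COUNT
} EkuPurpose;

/* Policy table, part 2: EKU purposes granted when the cert has NO
 * ExtendedKeyUsage extension. OCSP signing and object signing are the
 * explicit-only exceptions; the others are unrestricted by default. */
static const bool eku_granted_when_absent[EKU_COUNT] = {
    [EKU_SERVER_AUTH]  = true,
    [EKU_CLIENT_AUTH]  = true,
    [EKU_CODE_SIGNING] = false,
    [EKU_OCSP_SIGNING] = false,
};

/* Minimal stand-in for a parsed certificate; only the two extensions matter here. */
typedef struct {
    bool     has_ku_ext;
    uint8_t  ku_bits;    /* meaningful only when has_ku_ext is true */
    bool     has_eku_ext;
    uint32_t eku_mask;   /* bit (1u << purpose) set when listed; only when has_eku_ext */
} ToyCert;

/* Returns 0 when every bit in `required` is granted, -1 otherwise. */
int check_key_usage(const ToyCert *cert, uint8_t required)
{
    uint8_t granted = cert->has_ku_ext ? cert->ku_bits : KU_GRANTED_WHEN_ABSENT;
    return ((granted & required) == required) ? 0 : -1;
}

/* Returns 0 when `purpose` is granted, -1 otherwise. With an EKU extension
 * present, only the listed purposes are granted; without one, the default
 * table decides. */
int check_extended_key_usage(const ToyCert *cert, EkuPurpose purpose)
{
    if ((unsigned)purpose >= EKU_COUNT)
        return -1;
    if (!cert->has_eku_ext)
        return eku_granted_when_absent[purpose] ? 0 : -1;
    return (cert->eku_mask & (1u << purpose)) ? 0 : -1;
}

int main(void)
{
    /* The scenario from the report: a cert with no KeyUsage extension. */
    ToyCert no_ext = { false, 0, false, 0 };
    printf("no KU ext, digitalSignature: %s\n",
           check_key_usage(&no_ext, KU_DIGITAL_SIGNATURE) == 0 ? "granted" : "denied");
    printf("no KU ext, nonRepudiation:   %s\n",
           check_key_usage(&no_ext, KU_NON_REPUDIATION) == 0 ? "granted" : "denied");
    printf("no EKU ext, OCSPSigning:     %s\n",
           check_extended_key_usage(&no_ext, EKU_OCSP_SIGNING) == 0 ? "granted" : "denied");
    return 0;
}
```

Under this policy the reported call (no KeyUsage extension, KU_NON_REPUDIATION requested) is denied while digitalSignature on the same cert is still granted, which is the split between "unrestricted by default" and "explicit-only" usages that comment 4 lays out. Per-country rules for NR would be a matter of editing the default table, not the check itself.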
Severity: normal → S3
Severity: S3 → S4
Status: NEW → RESOLVED
Closed: 1 year ago
Priority: -- → P5
Resolution: --- → INACTIVE