377604 - certutil should take PQGParams from issuer's cert, if possible

Status: RESOLVED INACTIVE

(NSS :: Tools, enhancement, P5)

Description

[Nelson Bolyard (seldom reads bugmail)]

certutil has an option to read in a file of PQGParams and use that for 
the generation of the keypair in the CSR or cert being generated.

In a real world scenario, a user would not have a PQGParams file, but
rather would have the CA's cert, whose public key would contain the 
PQGParams that he should use in the generation of his own key.  

NSS's cert chain validation code (in NSS shared libraries) is smart enough
to go up the chain and get missing PQGParams from a parent certificate,
but certutil is not that smart.  

certutil has no way to specify the intended issuer's cert when generating a CSR.
So, there's no way for certutil to get the PQGParams from the issuer's cert
when generating a CSR.

certutil DOES have a way to specify the intended issuer's cert when generating
a new cert (when certutil is acting as the CA, issuing the new cert).  But 
even in this case, certutil does not take the PQGParameters for the new cert
from the issuer's cert.  

In both cases (generating a CSR, or issuing a cert), if the PQGParams are not
explicitly given in a PQGParams file, then certutil uses a compiled-in 
"default" set of PQGParams, rather than trying to get the real params from
the intended issuer cert.  

I think this is low priority.  DSA's lifetime ends in 2010.  It's not in 
widespread use now.  So, the priority is going to be on developing the new
technology to go forward, not in perfecting this essentially obsolete DSA 
technology.  I predict this bug will sit inactive for a while, then be 
resolved WONTFIX.