Open Bug 470926 Opened 16 years ago Updated 2 years ago

Implement more stringent EV certificate checks in PSM

Categories

(Core :: Security: PSM, defect, P3)

People

(Reporter: mozbgz, Unassigned)

References

(Depends on 1 open bug)

Details

(Whiteboard: [psm-padlock][psm-backlog])

Attachments

(1 file)

(as requested by Gavin in bug 455334 comment 30)

Currently, PSM only validates the policy OID when determining whether a server cert should be shown with the EV UI indicators (STATE_IDENTITY_EV_TOPLEVEL). Bug 466488, however, has demonstrated that CAs might also issue certs which include an EV policy OID but do not meet mandatory requirements (such as a countryName attribute in the subject DN).

This basically means that in addition to policy validation, PSM should also enforce other mandatory EV requirements before treating a cert as EV - otherwise that cert should be downgraded to STATE_SECURE_HIGH. In particular, the following requirements are relevant:

- subject naming (EV Guidelines section 6)
- maximum validity period (EV Guidelines section 8)
- other technical requirements (EV Guidelines appendix A and B), such as minimum key sizes and required extensions

nsNSSCertificate::GetIsExtendedValidation() - in nsIdentityChecking.cpp - seems like the most appropriate place for adding these checks. Many requirements apply to end-entity certificates, but those for CA certs (root or issuing CAs) also need to be considered.
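The decision the report asks for, sketched as an added example (not PSM or NSS code, and not part of the original report): a valid EV policy OID stays necessary, but the chain must also pass subject naming, validity period and key size checks, otherwise the state is downgraded. `CertInfo`, `EvLimits`, `EvViolations`, `Classify` and the `UiState` enum are hypothetical names; the limits are caller-supplied and must be taken from the EV Guidelines, since the report gives no numbers.

```cpp
#include <cstdint>
#include <set>
#include <string>
#include <vector>

// Hypothetical, simplified view of an already-parsed certificate (not a PSM/NSS type).
struct CertInfo {
  std::set<std::string> subjectAttrs;  // attribute types present in the subject DN
  int64_t notBefore, notAfter;         // validity bounds, seconds since epoch
  unsigned keyBits;                    // public key size in bits
};

// Limits are supplied by the caller; take real values from the EV Guidelines.
struct EvLimits {
  std::set<std::string> requiredSubjectAttrs;
  int64_t maxValiditySecs;
  unsigned minKeyBits;
};

// Stand-ins for the two UI states named in the bug.
enum class UiState { SecureHigh, IdentityEvTopLevel };

// chain[0] is the end-entity cert; the rest are issuing/root CA certs.
// Returns one message per violated requirement; empty means all checks pass.
std::vector<std::string> EvViolations(const std::vector<CertInfo>& chain,
                                      const EvLimits& lim) {
  std::vector<std::string> out;
  if (chain.empty()) { out.push_back("empty chain"); return out; }
  const CertInfo& ee = chain[0];
  for (const auto& attr : lim.requiredSubjectAttrs)
    if (!ee.subjectAttrs.count(attr)) out.push_back("subject lacks " + attr);
  if (ee.notAfter <= ee.notBefore)
    out.push_back("invalid validity period");
  else if (ee.notAfter - ee.notBefore > lim.maxValiditySecs)
    out.push_back("validity period too long");
  for (size_t i = 0; i < chain.size(); ++i)  // key size applies to CA certs too
    if (chain[i].keyBits < lim.minKeyBits)
      out.push_back("key too small at chain index " + std::to_string(i));
  return out;
}

// A valid EV policy OID is necessary but not sufficient.
UiState Classify(bool policyOidValid, const std::vector<CertInfo>& chain,
                 const EvLimits& lim) {
  return (policyOidValid && EvViolations(chain, lim).empty())
             ? UiState::IdentityEvTopLevel
             : UiState::SecureHigh;
}
```

Returning the list of violations rather than a bare boolean lets the caller log why a cert carrying an EV policy OID was downgraded.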
Thanks for filing this, Kaspar.
Johnathan, Please impart to this bug a ranking of its severity with respect to FF 3.5.
This has no patch, does not represent a regression (but rather, increased vigilance) and while it would be very nice to have, it should not block the release of FF3.5. The best way to make progress here, I believe, is to get a patch together and reviewed for mozilla-central, at which point we can request approval for FF3.5/Gecko1.9.1. There is still time to do that, but I think this is an opportunistic win ("if a patch is available, let's take it"), not a blocker ("someone must produce a patch before we ship 3.5"). We are sufficiently far along in the 3.5 release cycle that no mid-way priorities exist. Please let me know if you disagree.
Johnathan, Thank you for your answer. I have no opinion on this. I merely wondered if you are growing alarmed at the lack of a patch for this bug, and whether you had communicated that. But it sounds like the answer is: no, you're not alarmed, and this is seen merely as "nice to have".
Assignee: kaie → nobody
Whiteboard: [psm-padlock]
Depends on: 1145679
Whiteboard: [psm-padlock] → [psm-padlock][psm-backlog]
Priority: -- → P3
Severity: normal → S3