Open Bug 926260 Opened 11 years ago Updated 2 years ago

mozilla::pkix does not enforce name constraints on OCSP response signing certificates

Tracking

()

Status:

NEW

People

(Reporter: briansmith, Unassigned)

References

Details

(Whiteboard: [psm-backlog])

Brian Smith (:briansmith, :bsmith, use NEEDINFO?)

Reporter

Description

•

11 years ago

insanity::pkix checks name constraints by walking back from the root to the end-entity certificate. This works well enough for everything except OCSP response signing certificates. Basically, we need to walk forward from the OCSP response signing cert through its issuer chain and verify the name constraints match on the OCSP response signer.

This isn't a high priority, though, because the subject name and subjectAltName of an OCSP response signing certificate are not used for anything.

Brian Smith (:briansmith, :bsmith, use NEEDINFO?)

Reporter

Updated

•

11 years ago

Updated

•

11 years ago

Updated

•

10 years ago

Summary: insanity::pkix does not enforce name constraints on OCSP response signing certificates → mozilla::pkix does not enforce name constraints on OCSP response signing certificates

Dana Keeler (she/her) (use needinfo) [:keeler] (on leave)

Updated

•

8 years ago

Whiteboard: [psm-backlog]

Dana Keeler (she/her) (use needinfo) [:keeler] (on leave)

Updated

•

8 years ago

Priority: P4 → P3

BMO Automation

Updated

•

2 years ago

Severity: normal → S3

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

mozilla::pkix does not enforce name constraints on OCSP response signing certificates

Categories

(Core :: Security: PSM, defect, P3)

Tracking

()

People

(Reporter: briansmith, Unassigned)

References

Details

(Whiteboard: [psm-backlog])

Crash Data

Security

(public)

User Story

Description

Updated

Updated

Updated

Updated

Updated

Updated