Open
Bug 926260
Opened 11 years ago
Updated 2 years ago
mozilla::pkix does not enforce name constraints on OCSP response signing certificates
Categories
(Core :: Security: PSM, defect, P3)
Tracking
NEW
People
(Reporter: briansmith, Unassigned)
Details
(Whiteboard: [psm-backlog])
insanity::pkix checks name constraints by walking back from the root to the end-entity certificate. This works well enough for everything except OCSP response signing certificates. Basically, we need to walk forward from the OCSP response signing cert through its issuer chain and verify the name constraints match on the OCSP response signer. This isn't a high priority, though, because the subject name and subjectAltName of an OCSP response signing certificate are not used for anything.
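The gap described above, as an added example that is not part of the bug report and is not mozilla::pkix code: a simplified Python model of dNSName name constraints in which the check over the end-entity path never sees a delegated OCSP responder certificate, so the signer needs its own walk through its issuer chain. The `Cert` class, the function names and all certificate data are constructed for illustration, and only permitted dNSName subtrees are modelled.

```python
from dataclasses import dataclass, field

@dataclass
class Cert:
    subject: str
    issuer: str
    dns_names: list = field(default_factory=list)      # subjectAltName dNSName entries
    permitted_dns: list = field(default_factory=list)  # nameConstraints permittedSubtrees

def in_subtree(name, subtree):
    """dNSName matching: equal to the subtree, or labels added on the left."""
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)

def name_constraint_violations(path):
    """path is ordered trust anchor first; each CA's constraints apply to
    every certificate below it. Returns (ca, cert, name) tuples."""
    violations = []
    for i, ca in enumerate(path):
        if not ca.permitted_dns:
            continue
        for cert in path[i + 1:]:
            for name in cert.dns_names:
                if not any(in_subtree(name, s) for s in ca.permitted_dns):
                    violations.append((ca.subject, cert.subject, name))
    return violations

def signer_path(signer, ee_path):
    """Walk from the OCSP signer through its issuer chain, reusing the CA
    certificates already validated for the end-entity path."""
    by_subject = {c.subject: c for c in ee_path}
    path, cur = [signer], signer
    while cur.issuer != cur.subject:          # stop at the self-signed root
        if cur.issuer not in by_subject:
            raise ValueError("signer does not chain to the validated path")
        cur = by_subject[cur.issuer]
        path.append(cur)
    return list(reversed(path))               # trust anchor first

# Constructed sample data: a constrained intermediate issues both the
# end-entity certificate and a delegated OCSP responder certificate.
ROOT = Cert("Root CA", "Root CA")
INTERMEDIATE = Cert("Constrained CA", "Root CA", permitted_dns=["example.com"])
EE = Cert("www.example.com", "Constrained CA", dns_names=["www.example.com"])
SIGNER = Cert("OCSP Responder", "Constrained CA", dns_names=["ocsp.other.test"])
EE_PATH = [ROOT, INTERMEDIATE, EE]

if __name__ == "__main__":
    print("EE path:", name_constraint_violations(EE_PATH))
    print("signer path:", name_constraint_violations(signer_path(SIGNER, EE_PATH)))
```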
Updated•10 years ago
Summary: insanity::pkix does not enforce name constraints on OCSP response signing certificates → mozilla::pkix does not enforce name constraints on OCSP response signing certificates
Whiteboard: [psm-backlog]
Priority: P4 → P3
Updated•2 years ago
Severity: normal → S3