Closed Bug 926263 Opened 11 years ago Closed 8 years ago

mozilla::pkix rejects self-issued certificates that do not conform to issuers' name constraints

Categories

(Core :: Security: PSM, defect, P3)


Tracking


RESOLVED WONTFIX

People

(Reporter: briansmith, Unassigned)


Details

(Keywords: regression)

RFC 5280 says that self-signed certificates should not be rejected due to name constraint violations. Not sure if/how this rule is actually used on the web. One consequence of this rule is that an intermediate certificate can effectively "clone" itself without the involvement of the issuing CA. This would mean that the issuing CA would no longer be able to use name constraints to help enforce its rules on what types of keys are valid for intermediate CAs, amongst other things. For example, let's say that a CA wanted to enforce the rule that no sub-CA could have a key less than 2048 bits. If it were not for this rule and the similar one for path length constraints, it could enforce that, but with these two rules, it cannot.
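
The rule discussed in the report above, as an added example that is not part of the original bug report and is not mozilla::pkix code: a simplified Python model of the RFC 5280 section 6.1.3 name-constraint step, run once with the self-issued exemption and once checking every certificate. The `Cert` record, the function names and the sample path are assumptions made for illustration; only permitted subtrees for directoryName and dNSName are modelled.

```python
from dataclasses import dataclass

@dataclass
class Cert:
    subject: tuple          # subject DN as a tuple of RDN strings
    issuer: tuple           # issuer DN, same form
    dns_names: tuple = ()   # dNSName entries from subjectAltName
    permitted: tuple = ()   # nameConstraints permittedSubtrees as (type, base) pairs

def within(kind, name, base):
    if kind == "dir":       # directoryName: the base RDNs must be a prefix of the name
        return name[:len(base)] == base
    name, base = name.lower(), base.lower()   # dNSName: equal, or labels added on the left
    return name == base or name.endswith("." + base)

def name_constraint_violations(path, exempt_self_issued):
    """Return (index, type, name) for each name outside an inherited permitted subtree.

    path runs from the certificate issued by the trust anchor down to the end entity.
    exempt_self_issued=True skips self-issued certificates that are not the final
    certificate in the path (RFC 5280 section 6.1.3); False checks every certificate.
    """
    inherited = []          # one permitted list per constraining CA higher in the path
    found = []
    for i, cert in enumerate(path):
        self_issued = cert.subject == cert.issuer
        final = i == len(path) - 1
        if not (exempt_self_issued and self_issued and not final):
            names = [("dir", cert.subject)] + [("dns", n) for n in cert.dns_names]
            for kind, name in names:
                for permitted in inherited:
                    bases = [b for k, b in permitted if k == kind]
                    if bases and not any(within(kind, name, b) for b in bases):
                        found.append((i, kind, name))
                        break
        if cert.permitted:  # constraints in this CA certificate bind the certificates below it
            inherited.append(cert.permitted)
    return found

# Constructed sample path; every name here is made up for this example.
ROOT = ("C=US", "O=Example Root")
SUB = ("C=US", "O=Example", "CN=Example Sub CA")
SERVERS = ("C=US", "O=Example", "OU=Servers")
PATH = [
    Cert(SUB, ROOT, permitted=(("dir", SERVERS), ("dns", "example.com"))),
    Cert(SUB, SUB),         # self-issued: issuer and subject DN are identical
    Cert(SERVERS + ("CN=www",), SUB, dns_names=("www.example.com",)),
]
```

With the exemption the sample path has no violations; without it, the self-issued certificate at index 1 is reported because the sub-CA's own DN lies outside the directoryName subtree it was constrained to.
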
Summary: insanity::pkix enforces rejects self-issued certificates that do not conform to issuers' name constraints → insanity::pkix rejects self-issued certificates that do not conform to issuers' name constraints
See Also: → 926265
Summary: insanity::pkix rejects self-issued certificates that do not conform to issuers' name constraints → mozilla::pkix rejects self-issued certificates that do not conform to issuers' name constraints
As far as I've seen, there aren't any compatibility issues with mozilla::pkix being too strict about this, so I think we should just not fix this.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX