Bug 926265 (Closed): mozilla::pkix counts self-issued certificates in its enforcement of path length constraints
Opened 12 years ago; closed 10 years ago
Categories: Core :: Security: PSM, defect, P3
Status: RESOLVED INVALID
Reporter: briansmith; Assignee: unassigned
Keywords: regression
+++ This bug was initially created as a clone of Bug #926263 +++
http://tools.ietf.org/html/rfc5280#section-6.1: "These self-issued certificates are not counted when evaluating path length or name constraints."
But we count them.
Not sure if/how this rule is actually used on the web. One consequence of this rule is that an intermediate certificate can effectively "clone" itself without the involvement of the issuing CA. This would mean that the issuing CA would no longer be able to use path length constraints to help enforce its rules on what types of keys are valid for intermediate CAs, amongst other things. For example, let's say that a CA wanted to enforce the rule that no sub-CA could have a key less than 2048 bits. If it were not for this rule and the similar one for name constraints, it could enforce that, but with these two rules, it cannot.
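The following is an added example, not code from this bug or from mozilla::pkix: a small Python model of the RFC 5280 section 6.1.4 path-length bookkeeping (steps k, l and m), with a switch that reproduces the stricter behaviour the report describes, where self-issued certificates also consume path length. The certificates are constructed dicts with hypothetical names and key sizes, not real X.509 objects. It shows the consequence the reporter points out: under the RFC rule, a subordinate CA constrained with pathLenConstraint=0 can still put a self-issued certificate (same name, different key) into the chain, while a genuinely new sub-CA is rejected either way.

```python
# Added example (not code from the bug or from mozilla::pkix): a minimal model of the
# RFC 5280 section 6.1.4 path-length bookkeeping, with a switch that reproduces the
# stricter behaviour the bug describes (self-issued certificates counted as well).
# Certificates are constructed dicts, not real X.509 objects.

def is_self_issued(cert):
    """RFC 5280 6.1: self-issued means subject and issuer DNs are identical and non-empty."""
    return bool(cert["subject"]) and cert["subject"] == cert["issuer"]


def check_path_length(chain, count_self_issued=False):
    """Walk `chain`, ordered from the certificate issued by the trust anchor to the
    end-entity certificate, applying RFC 5280 6.1.4 steps (k), (l) and (m).

    With count_self_issued=True, self-issued certificates also consume path length,
    which is the stricter behaviour reported for mozilla::pkix in this bug.
    Returns (ok, reason).
    """
    n = len(chain)
    max_path_length = n  # RFC 5280 6.1.2 initialisation: max_path_length = n
    for i, cert in enumerate(chain, start=1):
        if i == n:
            break  # the preparation steps for i+1 are not run for the end-entity certificate
        # (k): every intermediate must assert basicConstraints cA=TRUE
        if not cert["ca"]:
            return False, f"{cert['subject']} is not a CA"
        # (l): a certificate that is not self-issued uses up one unit of path length;
        # the stricter variant charges self-issued certificates too
        if count_self_issued or not is_self_issued(cert):
            if max_path_length <= 0:
                return False, f"path length constraint exceeded at {cert['subject']}"
            max_path_length -= 1
        # (m): a tighter pathLenConstraint in this certificate lowers the remaining budget
        path_len = cert.get("path_len")
        if path_len is not None and path_len < max_path_length:
            max_path_length = path_len
    return True, "path length constraints satisfied"


# Constructed chains (hypothetical names and key sizes). The trust anchor "Root CA" is
# not itself part of the chain. The issuing CA gives "Sub CA" pathLenConstraint=0.
SUB_CA = {"subject": "Sub CA", "issuer": "Root CA", "ca": True, "path_len": 0, "key_bits": 2048}
LEAF = {"subject": "www.example.test", "issuer": "Sub CA", "ca": False}

# Sub CA re-signs its own name with a different (here, weaker) key: a self-issued certificate.
SUB_CA_SELF_ISSUED = {"subject": "Sub CA", "issuer": "Sub CA", "ca": True, "key_bits": 1024}
CHAIN_WITH_SELF_ISSUED = [SUB_CA, SUB_CA_SELF_ISSUED, LEAF]

# Sub CA issues a genuinely new subordinate CA, which pathLenConstraint=0 is meant to forbid.
SUB_SUB_CA = {"subject": "Sub-Sub CA", "issuer": "Sub CA", "ca": True}
LEAF_VIA_SUB_SUB = {"subject": "www.example.test", "issuer": "Sub-Sub CA", "ca": False}
CHAIN_WITH_NEW_SUB_CA = [SUB_CA, SUB_SUB_CA, LEAF_VIA_SUB_SUB]


if __name__ == "__main__":
    for name, chain in [("self-issued clone", CHAIN_WITH_SELF_ISSUED),
                        ("new sub-CA", CHAIN_WITH_NEW_SUB_CA)]:
        print(name, "RFC 5280:", check_path_length(chain))
        print(name, "counting self-issued:", check_path_length(chain, count_self_issued=True))
```

With the RFC rule, CHAIN_WITH_SELF_ISSUED validates (the self-issued certificate is skipped in step l), and with count_self_issued=True it fails at "Sub CA"; CHAIN_WITH_NEW_SUB_CA fails under both, because the new sub-CA is not self-issued and the budget is already zero.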
Updated 12 years ago (reporter)
Updated 11 years ago
Summary: insanity::pkix counts self-issued certificates in its enforcement of path length constraints → mozilla::pkix counts self-issued certificates in its enforcement of path length constraints
Comment 1 (reporter), 10 years ago
Our experience shows that there are no servers that need this and our stricter-than-necessary enforcement is OK. It would thus be counterproductive to make the code more complicated to support this. Thus -> INVALID.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID