Closed
Bug 975877
Opened 11 years ago
Closed 9 years ago
Implement certificate policy constraints extension
Categories
(Core :: Security: PSM, defect, P5)
RESOLVED
WONTFIX
People
(Reporter: briansmith, Unassigned)
+++ This bug was initially created as a clone of Bug #921886 +++
In bug 921886, we implemented certificate policy support by ignoring policy mapping (which is optional to support) and by always requiring explicit policy. Additionally, in CertVerifier, when we attempt to verify for a policy and fail, then we immediately retry to verify for any policy. Thus, the policy constraint extension would have very little practical effect in Gecko if we were to implement it.
However, even if we don't expand our certificate policy support beyond what we currently have, it may still be useful to support the certificate policy extension so that we don't reject certificates that have marked this extension *critical*.
Not an insanity::pkix blocker because the classic NSS verification doesn't support the certificate policy constraint extension at all *and* AFAICT it doesn't correctly reject certificates where the extension is marked critical. So, with bug 921886 we'll already be more conformant (but perhaps less compatible--we'll see) than the classic NSS verification.
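Added illustration, not part of the original bug and not mozilla::pkix code: a sketch of "recognize the extension so that a critical instance is not rejected", following RFC 5280's rule that only an unrecognized critical extension forces rejection. All names are hypothetical, short-form DER lengths are assumed, and rejecting an empty sequence is a choice made in this sketch.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added illustration, not mozilla::pkix code; all names are hypothetical.
enum class Result { Accept, Reject };
using Bytes = std::vector<uint8_t>;

// Encoded OID body of id-ce-policyConstraints (2.5.29.36).
static const Bytes kPolicyConstraintsOID = {0x55, 0x1D, 0x24};

// PolicyConstraints ::= SEQUENCE {
//   requireExplicitPolicy [0] IMPLICIT INTEGER OPTIONAL,
//   inhibitPolicyMapping  [1] IMPLICIT INTEGER OPTIONAL }
// Syntax check only; short-form DER lengths are assumed.
bool ParsePolicyConstraints(const Bytes& der) {
  if (der.size() < 2 || der[0] != 0x30 || der[1] >= 0x80) return false;
  if (static_cast<size_t>(der[1]) + 2 != der.size()) return false;
  size_t pos = 2;
  int fields = 0;
  uint8_t minTag = 0x80;  // [0] must precede [1]
  while (pos < der.size()) {
    if (pos + 2 > der.size()) return false;
    uint8_t tag = der[pos];
    size_t len = der[pos + 1];
    if (tag < minTag || tag > 0x81) return false;
    if (len == 0 || len >= 0x80 || pos + 2 + len > der.size()) return false;
    if (der[pos + 2] & 0x80) return false;  // negative SkipCerts
    if (len > 1 && der[pos + 2] == 0 && !(der[pos + 3] & 0x80))
      return false;  // non-minimal INTEGER encoding
    minTag = static_cast<uint8_t>(tag + 1);
    pos += 2 + len;
    ++fields;
  }
  return fields > 0;  // choice made here: an empty SEQUENCE is rejected
}

Result CheckExtension(const Bytes& oid, bool critical, const Bytes& value) {
  if (oid == kPolicyConstraintsOID) {
    // Recognized. With explicit policy always required and policy mapping
    // ignored (as the description says), the parsed counts change nothing.
    return ParsePolicyConstraints(value) ? Result::Accept : Result::Reject;
  }
  // Unrecognized extension: RFC 5280 forces rejection only if critical.
  return critical ? Result::Reject : Result::Accept;
}
```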
Comment 1 (Reporter) • 11 years ago
The same applies to the "inhibit anyPolicy" extension.
Summary: Implement certificate policy constraints extension in insanity::pkix → Implement certificate policy constraints extension and inhibit anyPolicy extension in insanity::pkix
Updated • 11 years ago
Summary: Implement certificate policy constraints extension and inhibit anyPolicy extension in insanity::pkix → Implement certificate policy constraints extension and inhibit anyPolicy extension in mozilla::pkix
Comment 2 (Reporter) • 11 years ago
(In reply to Brian Smith (:briansmith, was :bsmith; NEEDINFO? for response) from comment #1)
> The same applies to the "inhibit anyPolicy" extension.
It turns out we need to implement "inhibit anyPolicy" so that we can process anyPolicy correctly in bug 986156, so I'm moving the "inhibit anyPolicy" part of this bug to bug 986156.
Summary: Implement certificate policy constraints extension and inhibit anyPolicy extension in mozilla::pkix → Implement certificate policy constraints extension
Comment 3 (Reporter) • 11 years ago
I guess we won't implement this until we find a real-world certificate that uses this, if ever.
Priority: -- → P5
Comment 4 • 9 years ago
It doesn't look like we've encountered any compatibility issues with not having implemented this, so I don't think we need to.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX