Open Bug 989518 Opened 6 years ago Updated 3 years ago

mozilla::pkix: do not accept improper encodings of basicConstraints:cA


(Core :: Security: PSM, defect, P3)





(Reporter: keeler, Unassigned)


(Blocks 1 open bug)


(Whiteboard: [psm-backlog])

Apparently some CAs need to explicitly set the basic constraint for cA:false in end-entity certs for compatibility with other applications.
The only reference I could find is that this was implemented to protect buggy browsers (IE 6 being the newest!):

Is there any current software relying on that behavior or software enforcing that behavior?
Good question, that I don't know the answer to.

I think we'll have to do telemetry on this.
Doesn't look like it - that refers to an old bug that was fixed a long time ago (and doesn't involve the encoding of the basic constraints extension, but rather whether or not the code checked for its presence altogether).
Whiteboard: [psm-backlog]
Priority: -- → P3
You need to log in before you can comment on or make changes to this bug.