Open Bug 989518 Opened 6 years ago Updated 3 years ago

mozilla::pkix: do not accept improper encodings of basicConstraints:cA

Categories

(Core :: Security: PSM, defect, P3)

defect

Tracking

()

People

(Reporter: keeler, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [psm-backlog])

Apparently some CAs need to explicitly set the basic constraint for cA:false in end-entity certs for compatibility with other applications.
The only reference I could find is that this was implemented to protect buggy browsers (IE 6 being the newest!):

http://www.thoughtcrime.org/ie-ssl-chain.txt

Is there any current software relying on that behavior or software enforcing that behavior?
Good question, that I don't know the answer to.

I think we'll have to do telemetry on this.
Doesn't look like it - that refers to an old bug that was fixed a long time ago (and doesn't involve the encoding of the basic constraints extension, but rather whether or not the code checked for its presence altogether).
Whiteboard: [psm-backlog]
Priority: -- → P3
You need to log in before you can comment on or make changes to this bug.