mozilla::pkix: do not accept improper encodings of basicConstraints:cA

NEW
Unassigned

Status


defect
P3
normal
5 years ago
2 years ago

People

(Reporter: keeler, Unassigned)

Tracking

(Blocks 1 bug)

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [psm-backlog])

Comment 1

5 years ago
Apparently some CAs need to explicitly set the basic constraint for cA:false in end-entity certs for compatibility with other applications.

Comment 2

5 years ago
The only reference I could find is that this was implemented to protect buggy browsers (IE 6 being the newest!):

http://www.thoughtcrime.org/ie-ssl-chain.txt

Is there any current software relying on that behavior or software enforcing that behavior?

Comment 3

5 years ago
Good question, that I don't know the answer to.

I think we'll have to do telemetry on this.
Doesn't look like it - that refers to an old bug that was fixed a long time ago (and doesn't involve the encoding of the basic constraints extension, but rather whether or not the code checked for its presence altogether).
Whiteboard: [psm-backlog]
Priority: -- → P3
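
The following added example, which is not mozilla::pkix code or any commenter's, classifies the DER encoding of a basicConstraints value and flags the explicitly encoded cA FALSE discussed in the comments above. It goes beyond that case by also flagging a TRUE encoded as anything other than 0xFF, which DER likewise forbids. The enum and function names are hypothetical, and the sample bytes are constructed.

```cpp
// Added example (not mozilla::pkix code); all names here are hypothetical.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

enum class BcEncoding { ValidDer, ExplicitDefaultFalse, NonCanonicalTrue, Malformed };

// Classifies the DER bytes inside a basicConstraints extnValue:
//   BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
//                                   pathLenConstraint INTEGER (0..MAX) OPTIONAL }
// Assumes short-form lengths, which is all this small structure needs.
BcEncoding ClassifyBasicConstraints(const std::vector<uint8_t>& der) {
  // Outer SEQUENCE whose length covers exactly the remaining bytes.
  if (der.size() < 2 || der[0] != 0x30 || der[1] >= 0x80 ||
      static_cast<size_t>(der[1]) != der.size() - 2) {
    return BcEncoding::Malformed;
  }
  size_t i = 2;
  BcEncoding result = BcEncoding::ValidDer;
  if (i < der.size() && der[i] == 0x01) {  // cA BOOLEAN is present
    if (der.size() - i < 3 || der[i + 1] != 0x01) return BcEncoding::Malformed;
    const uint8_t value = der[i + 2];
    // DER: a DEFAULT value must be omitted, and TRUE must be exactly 0xFF.
    if (value == 0x00) result = BcEncoding::ExplicitDefaultFalse;
    else if (value != 0xFF) result = BcEncoding::NonCanonicalTrue;
    i += 3;
  }
  if (i < der.size() && der[i] == 0x02) {  // pathLenConstraint INTEGER
    if (der.size() - i < 3) return BcEncoding::Malformed;
    const size_t len = der[i + 1];
    if (len == 0 || len >= 0x80 || der.size() - i - 2 < len) return BcEncoding::Malformed;
    if (der[i + 2] & 0x80) return BcEncoding::Malformed;  // negative value
    if (len > 1 && der[i + 2] == 0x00 && !(der[i + 3] & 0x80)) {
      return BcEncoding::Malformed;  // non-minimal INTEGER
    }
    i += 2 + len;
  }
  return i == der.size() ? result : BcEncoding::Malformed;
}

int main() {
  // Constructed sample: end-entity extension with cA explicitly set to FALSE.
  const std::vector<uint8_t> sample = {0x30, 0x03, 0x01, 0x01, 0x00};
  const bool flagged =
      ClassifyBasicConstraints(sample) == BcEncoding::ExplicitDefaultFalse;
  std::printf("explicit cA=FALSE flagged: %s\n", flagged ? "yes" : "no");
  return 0;
}
```

A separate result for the explicit-FALSE case lets a verifier count how often it occurs before deciding whether to reject it.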