Open Bug 997917 Opened 10 years ago Updated 1 month ago
Cert verification should allow mismatch of child cert's authority key id and its issuer's subject key id
While investigating bug 991823 it was realized that NSS enforces that the authority key id of a cert matches the issuer's subject key id. While the RFC says that a conformant CA MUST ensure that, it also states that matching is not recommended. I think that mismatches should be placed last in the list of potential issuers for classic, and for libpkix the check could just be removed. Functions of interest: in classic (filter_subject_certs_for_id) and in libpkix (pkix_CertSelector_Match_SubjKeyId).
No longer blocks: mozilla::pkix-CAs
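Added example, not part of the bug report and not NSS code: a sketch of the ordering proposed above for the classic path builder, where a candidate issuer whose subject key id differs from the child's authority key id is tried last rather than discarded. The types `KeyId` and `Candidate`, the function names and the sample key ids are all hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical, simplified types for illustration; not NSS structures. */
typedef struct { const unsigned char *data; size_t len; } KeyId; /* data NULL = absent */
typedef struct { const char *label; KeyId skid; } Candidate;

/* 0 = key ids match, 1 = cannot compare (one side absent), 2 = mismatch */
static int rank_candidate(const KeyId *akid, const Candidate *c)
{
    if (akid->data == NULL || c->skid.data == NULL)
        return 1;
    if (akid->len == c->skid.len && !memcmp(akid->data, c->skid.data, akid->len))
        return 0;
    return 2;
}

/* Stable insertion sort by rank: a mismatch stays in the list and is tried last. */
static void order_candidates(const KeyId *akid, Candidate *list, size_t n)
{
    for (size_t i = 1; i < n; i++) {
        Candidate cur = list[i];
        int r = rank_candidate(akid, &cur);
        size_t j = i;
        for (; j > 0 && rank_candidate(akid, &list[j - 1]) > r; j--)
            list[j] = list[j - 1];
        list[j] = cur;
    }
}

/* Constructed sample: three candidates share the child's issuer name. */
static const unsigned char ID_A[] = {1, 2, 3, 4}, ID_B[] = {0xAA, 0xBB, 0xCC, 0xDD};

/* Returns the label at position idx after ordering the sample list. */
static const char *ordered_label(int child_has_akid, size_t idx)
{
    Candidate list[] = {
        {"mismatch", {ID_B, sizeof ID_B}},
        {"no-skid", {NULL, 0}}, {"match", {ID_A, sizeof ID_A}},
    };
    KeyId akid = {child_has_akid ? ID_A : NULL, child_has_akid ? sizeof ID_A : 0};
    order_candidates(&akid, list, 3);
    return list[idx].label;
}

int main(void)
{
    for (size_t i = 0; i < 3; i++)
        printf("%zu: %s\n", i, ordered_label(1, i));
    return 0;
}
```

Every candidate would still have to pass signature verification; the ordering only decides which issuer is attempted first.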