Open Bug 997917 Opened 10 years ago Updated 1 month ago

Cert verification should allow mismatch of child cert's authority key id it's issuer subject key id

Tracking

(Not tracked)

Status:

NEW

People

(Reporter: cviecco, Unassigned)

References

(
URL
)

Details

Camilo Viecco (:cviecco)

Reporter

Description

•

10 years ago

While investigating bug 991823 it was realized that nss enforces that the authority key id of a cert matches the issuers subject key id. While rfc says that conformant CA MUST ensure that it also states that matching is not recomended.

I think that ismatches should be placed last in the list of potential issuers for classic and for libpkix the check could just be removed.

Functions of interes in classic (filter_subject_certs_for_id) and in libpkix (pkix_CertSelector_Match_SubjKeyId)

Brian Smith (:briansmith, :bsmith, use NEEDINFO?)

Comment 1

•

10 years ago

Test site: https://ssltest24.bbtest.net/

URL: https://ssltest24.bbtest.net/

Brian Smith (:briansmith, :bsmith, use NEEDINFO?)

Updated

•

10 years ago

Updated

•

10 years ago

Blocks: mozilla::pkix-CAs

Brian Smith (:briansmith, :bsmith, use NEEDINFO?)

Updated

•

9 years ago

No longer blocks: mozilla::pkix-CAs

BMO Automation

Updated

•

1 year ago

Severity: normal → S3

Benjamin Beurdouche [:beurdouche]

Updated

•

1 month ago

Severity: S3 → S4

Priority: -- → P5

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Cert verification should allow mismatch of child cert's authority key id it's issuer subject key id

Categories

(NSS :: Libraries, defect, P5)

Tracking

(Not tracked)

People

(Reporter: cviecco, Unassigned)

References

(
URL
)

Details

Crash Data

Security

(public)

User Story

Description

Comment 1

Updated

Updated

Updated

Updated

Updated