Open Bug 997917 Opened 10 years ago Updated 5 months ago

Cert verification should allow mismatch of child cert's authority key id it's issuer subject key id

Categories

(NSS :: Libraries, defect, P5)

x86_64
Linux

Tracking

(Not tracked)

People

(Reporter: cviecco, Unassigned)

References

()

Details

While investigating bug 991823 it was realized that nss enforces that the authority key id of a cert matches the issuers subject key id. While rfc says that conformant CA MUST ensure that it also states that matching is not recomended.

I think that ismatches should be placed last in the list of potential issuers for classic and for libpkix the check could just be removed.

Functions of interes in classic (filter_subject_certs_for_id) and in libpkix (pkix_CertSelector_Match_SubjKeyId)
Severity: normal → S3
Severity: S3 → S4
Priority: -- → P5
You need to log in before you can comment on or make changes to this bug.