Confirmed users, Administrators
5,526
edits
SecurityEngineering/mozpkix-testing: Difference between revisions
Jump to navigation
Jump to search
m
SecurityEngineering/mozpkix-testing (view source)
Revision as of 22:50, 29 April 2014
, 29 April 2014→Behavior Changes
| Line 77: | Line 77: | ||
# Version 3 certificates used as trust anchors or intermediates are now required to have the basic constraints extention and assert the isCA bit. | # Version 3 certificates used as trust anchors or intermediates are now required to have the basic constraints extention and assert the isCA bit. | ||
# Mozilla::pkix performs chaining based on issuer name alone, and does not require that issuer's subject key match the authority key info (AKI) extension in the certificate. Classic verification enforces the AKI restriction. | # Mozilla::pkix performs chaining based on issuer name alone, and does not require that issuer's subject key match the authority key info (AKI) extension in the certificate. Classic verification enforces the AKI restriction. | ||
# | # A certificate will not be considered an EV certificate if mozilla::pkix cannot build a path to a trusted root that does not contain any certificates with the inhibitAnyPolicy extension. However, such certificates will still validate | ||
as non-EV as long as there are no non-policy-related issues. {{Bug|989051}} | |||
# End-entity certificates that contain the EKU extension are now required to assert the serverAuth bit. | # End-entity certificates that contain the EKU extension are now required to assert the serverAuth bit. | ||
# End-entity certificates are no longer allowed to include the OCSPSigning EKU. | # End-entity certificates are no longer allowed to include the OCSPSigning EKU. | ||