SecurityEngineering/mozpkix-testing: Difference between revisions

Jump to navigation Jump to search

SecurityEngineering/mozpkix-testing (view source)

Revision as of 17:37, 6 May 2014

47 bytes added ,  6 May 2014
m
→‎Things for CAs to Fix
Line 99: Line 99:
# According to RFC 5280: "In conforming CA certificates, the value of the subject key identifier MUST be the value placed in the key identifier field of the authority key identifier extension (Section 4.2.1.1) of certificates issued by the subject of this certificate. Applications are not required to verify that key identifiers match when performing certification path validation." So, in mozilla::pkix we will not be checking this, but we would like to remind CAs that they are supposed to do this.
# According to RFC 5280: "In conforming CA certificates, the value of the subject key identifier MUST be the value placed in the key identifier field of the authority key identifier extension (Section 4.2.1.1) of certificates issued by the subject of this certificate. Applications are not required to verify that key identifiers match when performing certification path validation." So, in mozilla::pkix we will not be checking this, but we would like to remind CAs that they are supposed to do this.
#* Related Bugs: {{Bug|991823}}, {{Bug|997917}}
#* Related Bugs: {{Bug|991823}}, {{Bug|997917}}
# For both intermediate and end-entity certificates, OCSP responses must have a maximum expiration time of ten days. {{Bug|991815#c13}}
# OCSP responses must have a maximum expiration time of ten days. This applies to OCSP responses for intermediate certificates as well as end-entity certificates,  {{Bug|991815#c13}}


== Future Considerations ==
== Future Considerations ==
Kathleen Wilson
Confirmed users, Administrators
5,526

edits

Retrieved from "https://wiki.allizom.org/Special:MobileDiff/973855"

Navigation menu