SecurityEngineering/mozpkix-testing: Difference between revisions

Jump to navigation Jump to search

SecurityEngineering/mozpkix-testing (view source)

Revision as of 19:30, 7 May 2014

7 bytes added ,  7 May 2014
m
→‎Behavior Changes
Line 81: Line 81:
# Version 3 root and intermediate certificates are now required to have the basic constraints extension and assert the isCA bit.
# Version 3 root and intermediate certificates are now required to have the basic constraints extension and assert the isCA bit.
# Mozilla::pkix performs chaining based on issuer name alone, and does not require that issuer's subject key match the authority key info (AKI) extension in the certificate.   
# Mozilla::pkix performs chaining based on issuer name alone, and does not require that issuer's subject key match the authority key info (AKI) extension in the certificate.   
# If an intermediate certificate contains the EKU extension, and that intermediate certificate will be used to issue SSL/TLS certificates, then the EKU must include the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) bit or the Netscape Server Gated Crypto bit (support for NSGC is provided temporarily for backward compatibility). {{Bug|982292}}
# If a root or intermediate certificate contains the EKU extension, and that intermediate certificate will be used to issue SSL/TLS certificates, then the EKU must include the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) bit or the Netscape Server Gated Crypto bit (support for NSGC is provided temporarily for backward compatibility). {{Bug|982292}}


= Things for CAs to Fix =
= Things for CAs to Fix =
Kathleen Wilson
Confirmed users, Administrators
5,526

edits

Retrieved from "https://wiki.allizom.org/Special:MobileDiff/974508"

Navigation menu