Confirmed users, Administrators
5,526
edits
SecurityEngineering/mozpkix-testing: Difference between revisions
Jump to navigation
Jump to search
→Things for CAs to Fix
| Line 93: | Line 93: | ||
# Default values in a SEQUENCE must not be explicitly encoded. | # Default values in a SEQUENCE must not be explicitly encoded. | ||
#* [http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf ITU-T X.690] section 11.5: "The encoding of a set value or sequence value shall not include an encoding for any component value which is equal to its default value." | #* [http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf ITU-T X.690] section 11.5: "The encoding of a set value or sequence value shall not include an encoding for any component value which is equal to its default value." | ||
#* Note: We encountered certificates with a basicConstraints extension that explicitly encoded the default value cA:false. | #* Note: We encountered certificates with a basicConstraints extension that explicitly encoded the default value cA:false. The solution that we recommend is to not include the basicConstraints extension in end-entity certificates. | ||
#* Related Bugs: {{Bug|988633}}, {{Bug|989516}}, {{Bug|989518}} | #* Related Bugs: {{Bug|988633}}, {{Bug|989516}}, {{Bug|989518}} | ||
# Basic constraints: pathLenConstraint must not be included if cA is false | # Basic constraints: pathLenConstraint must not be included if cA is false | ||