* [https://bugzilla.mozilla.org/buglist.cgi?short_desc=mozilla%3A%3Apkix&resolution=---&query_format=advanced&short_desc_type=substring List OPEN mozilla::pkix bugs]
* [https://bugzilla.mozilla.org/buglist.cgi?short_desc=mozilla%3A%3Apkix&query_format=advanced&short_desc_type=substring List ALL mozilla::pkix bugs]
= Things for CAs to Fix =
Workarounds were implemented to allow mozilla::pkix to handle the following situations. However, we will be asking CAs to stop issuing new certificates with these issues immediately, and we will identify dates for removing these workarounds.
# Stop using the "Netscape Server Gated Crypto (2.16.840.1.113730.4.1)" (SGC) EKU. For all new certificate issuance, use the "TLS Web Server Authentication (1.3.6.1.5.5.7.3.1)" EKU (id-kp-serverAuth) instead of the SGC EKU.
#* Related Bugs: {{Bug|982292}}, {{Bug|982932}}, {{Bug|982936}}
# Default values in a SEQUENCE must not be explicitly encoded in DER. We found end-entity certificates whose BasicConstraints extension explicitly encodes cA:false, even though cA is declared as BOOLEAN DEFAULT FALSE; a correct end-entity encoding simply omits the cA component.
#* Section 11.5 of X.690: "The encoding of a set value or sequence value shall not include an encoding for any component value which is equal to its default value."
#* Related Bugs: {{Bug|988633}}, {{Bug|989516}}, {{Bug|989518}}
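The following is an added example, not mozilla::pkix code, that checks for the two issues above. It takes the DER value of the BasicConstraints and ExtKeyUsage extensions (the contents of each extension's OCTET STRING, not a whole certificate) and uses a small hand-written DER reader so that it runs offline; the sample extension values at the bottom are hand-encoded for illustration and are not taken from any real certificate.

```python
# Added example (not mozilla::pkix code): checks for the SGC EKU and for an
# explicitly encoded cA:false, run over DER extension values.

SGC_EKU = "2.16.840.1.113730.4.1"      # Netscape Server Gated Crypto
SERVER_AUTH_EKU = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth


def read_tlv(data, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    first = data[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    else:
        length = first
    value = data[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated element")
    return tag, value, pos + length


def decode_oid(value):
    """Decode OBJECT IDENTIFIER contents to dotted-decimal text."""
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = arcs[0]
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in head + arcs[1:])


def check_basic_constraints(der):
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
                                       pathLenConstraint INTEGER (0..MAX) OPTIONAL }
    Returns (ok, reason). X.690 11.5 requires a DER encoder to omit cA when it
    is FALSE, so an explicit BOOLEAN FALSE is the defect described above."""
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        return False, "not a single SEQUENCE"
    pos = 0
    if pos < len(seq) and seq[pos] == 0x01:          # optional cA BOOLEAN
        _, v, pos = read_tlv(seq, pos)
        if v == b"\x00":
            return False, "cA FALSE encoded explicitly; DEFAULT values must be omitted (X.690 11.5)"
        if v != b"\xFF":
            return False, "DER BOOLEAN TRUE must be the single octet 0xFF"
    if pos < len(seq) and seq[pos] == 0x02:          # optional pathLenConstraint
        _, v, pos = read_tlv(seq, pos)
        if not v or v[0] & 0x80:
            return False, "pathLenConstraint must be a non-negative INTEGER"
        if len(v) > 1 and v[0] == 0 and not v[1] & 0x80:
            return False, "pathLenConstraint INTEGER is not minimally encoded"
    if pos != len(seq):
        return False, "unexpected trailing content"
    return True, "ok"


def check_server_eku(der):
    """ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId (OBJECT IDENTIFIER)
    Returns (ok, reason) for a TLS server certificate: flags the SGC EKU and a
    missing id-kp-serverAuth."""
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        return False, "not a single SEQUENCE"
    oids, pos = [], 0
    while pos < len(seq):
        tag, v, pos = read_tlv(seq, pos)
        if tag != 0x06:
            return False, "KeyPurposeId must be an OBJECT IDENTIFIER"
        oids.append(decode_oid(v))
    if not oids:
        return False, "ExtKeyUsage must list at least one KeyPurposeId"
    if SGC_EKU in oids:
        return False, "Netscape SGC EKU present; issue with id-kp-serverAuth instead"
    if SERVER_AUTH_EKU not in oids:
        return False, "id-kp-serverAuth missing"
    return True, "ok"


# Constructed sample extension values (hand-encoded, not from any real certificate).
BC_EXPLICIT_FALSE = bytes.fromhex("3003010100")        # SEQUENCE { BOOLEAN FALSE }: the defect
BC_END_ENTITY = bytes.fromhex("3000")                  # SEQUENCE { }: correct end-entity encoding
BC_CA_PATHLEN0 = bytes.fromhex("30060101ff020100")     # SEQUENCE { BOOLEAN TRUE, INTEGER 0 }
BC_BER_TRUE = bytes.fromhex("3003010101")              # BOOLEAN TRUE as 0x01: BER, not DER
EKU_SGC_ONLY = bytes.fromhex("300b06096086480186f8420401")
EKU_SERVER_AUTH = bytes.fromhex("300a06082b06010505070301")
EKU_BOTH = bytes.fromhex("301506082b0601050507030106096086480186f8420401")

if __name__ == "__main__":
    for name, der in [("explicit cA:false", BC_EXPLICIT_FALSE), ("empty", BC_END_ENTITY),
                      ("CA pathLen 0", BC_CA_PATHLEN0), ("BER TRUE", BC_BER_TRUE)]:
        print("BasicConstraints", name, check_basic_constraints(der))
    for name, der in [("SGC only", EKU_SGC_ONLY), ("serverAuth", EKU_SERVER_AUTH), ("both", EKU_BOTH)]:
        print("ExtKeyUsage", name, check_server_eku(der))
```

Note that the second check reports a certificate carrying both SGC and id-kp-serverAuth as well, since the request above is to stop including SGC entirely, not merely to add id-kp-serverAuth beside it.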
== Future Considerations ==
While testing mozilla::pkix, we noticed the following things that we would like to consider changing.
# Consider only giving EV treatment when the intermediate and end-entity certs in the chain carry the specific EV policy OID we are expecting; in other words, do not give EV treatment when the intermediate certificate relies on the anyPolicy OID. To make this change, we would need the CAB Forum's EV Guidelines to also require the EV policy OID in intermediate certs (section 9.3.4 currently says the subordinate CA certificate may contain the anyPolicy OID 2.5.29.32.0).
#* Related Bugs: {{Bug|986156}}
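As an added example (not mozilla::pkix code), the following models the policy-OID membership test that the consideration above would change. Each chain is given as the certificatePolicies OID lists of its certificates, intermediates first and end-entity last, with the trust anchor omitted; the EV OID used is an assumed placeholder, not any real CA's, and the chains are constructed for illustration. It covers only the OID membership rule, not the rest of EV validation.

```python
# Added example (not mozilla::pkix code): current versus proposed handling of
# anyPolicy in intermediate certificates when deciding on EV treatment.

ANY_POLICY = "2.5.29.32.0"
EXAMPLE_EV_OID = "1.2.3.4.5"   # assumed placeholder, not a real EV policy OID


def grants_ev(chain_policies, ev_oid, strict):
    """Return True if the chain qualifies for EV treatment under ev_oid.

    chain_policies: list of OID lists, intermediates first, end-entity last
                    (trust anchor omitted; it is matched to ev_oid elsewhere).
    strict=False:   current behaviour, anyPolicy in an intermediate satisfies the check.
    strict=True:    proposed behaviour, every intermediate must carry ev_oid itself.
    The end-entity must carry ev_oid explicitly in both modes.
    """
    if not chain_policies:
        return False
    *intermediates, end_entity = chain_policies
    if ev_oid not in end_entity:
        return False
    for policies in intermediates:
        if ev_oid in policies:
            continue
        if ANY_POLICY in policies and not strict:
            continue
        return False
    return True


# Constructed chains (intermediate, end-entity).
CHAIN_EXPLICIT = [[EXAMPLE_EV_OID], [EXAMPLE_EV_OID]]
CHAIN_ANYPOLICY_INTERMEDIATE = [[ANY_POLICY], [EXAMPLE_EV_OID]]
CHAIN_ANYPOLICY_END_ENTITY = [[EXAMPLE_EV_OID], [ANY_POLICY]]

if __name__ == "__main__":
    for name, chain in [("explicit", CHAIN_EXPLICIT),
                        ("anyPolicy intermediate", CHAIN_ANYPOLICY_INTERMEDIATE),
                        ("anyPolicy end-entity", CHAIN_ANYPOLICY_END_ENTITY)]:
        print(name, "current:", grants_ev(chain, EXAMPLE_EV_OID, strict=False),
              "proposed:", grants_ev(chain, EXAMPLE_EV_OID, strict=True))
```

The only chain whose outcome differs between the two modes is the one with anyPolicy in the intermediate, which is exactly the case section 9.3.4 of the EV Guidelines currently permits.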