Line 73: | Line 73: | ||
= Things for CAs to Fix = | = Things for CAs to Fix = | ||
Workarounds were implemented to allow mozilla::pkix to handle the following situations. We will be asking CAs to immediately stop issuing new certificates with these issues, and we will identify dates for removing these workarounds. | Workarounds were implemented to allow mozilla::pkix to handle some of the following situations. We will be asking CAs to immediately stop issuing new certificates with these issues, and we will identify dates for removing these workarounds. | ||
# Stop using the "Netscape Server Gated Crypto (2.16.840.1.113730.4.1)" (SGC) EKU. For all new certificate issuance, use the "TLS Web Server Authentication (1.3.6.1.5.5.7.3.1)" EKU instead of the SGC EKU. | # Stop using the "Netscape Server Gated Crypto (2.16.840.1.113730.4.1)" (SGC) EKU. For all new certificate issuance, use the "TLS Web Server Authentication (1.3.6.1.5.5.7.3.1)" EKU instead of the SGC EKU. | ||
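Review bot: the change from "handle the following situations" to "handle some of the following situations" in the section intro makes it impossible for a CA reading the list to tell which items mozilla::pkix currently tolerates and which already fail; suggest tagging each numbered item with whether a workaround exists (for example "Workaround in mozilla::pkix: yes, removal date TBD" versus "No workaround, already enforced"), so the sentence "we will identify dates for removing these workarounds" has concrete items to attach dates to.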
Line 87: | Line 87: | ||
# According to RFC 5280: "In conforming CA certificates, the value of the subject key identifier MUST be the value placed in the key identifier field of the authority key identifier extension (Section 4.2.1.1) of certificates issued by the subject of this certificate. Applications are not required to verify that key identifiers match when performing certification path validation." So, in mozilla::pkix we will not be checking this, but we would like to remind CAs that they are supposed to do this. | # According to RFC 5280: "In conforming CA certificates, the value of the subject key identifier MUST be the value placed in the key identifier field of the authority key identifier extension (Section 4.2.1.1) of certificates issued by the subject of this certificate. Applications are not required to verify that key identifiers match when performing certification path validation." So, in mozilla::pkix we will not be checking this, but we would like to remind CAs that they are supposed to do this. | ||
#* Related Bugs: {{Bug|991823}}, {{Bug|997917}} | #* Related Bugs: {{Bug|991823}}, {{Bug|997917}} | ||
# EV treatment will not be given when the OCSP response for the intermediate certificate is more than 10 days old. | |||
#* Related Bugs: {{Bug|991815}} | |||
== Future Considerations == | == Future Considerations == |
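Review bot: the added item "EV treatment will not be given when the OCSP response for the intermediate certificate is more than 10 days old" states client behaviour rather than an action for CAs, which does not match the imperative style of the other entries in "Things for CAs to Fix"; suggest rewording it as the requirement it implies (that OCSP responses for intermediates in EV chains be refreshed so they are never more than 10 days old at validation time) and stating explicitly that the consequence is loss of EV indication rather than a connection failure, so CAs can judge the operational impact alongside {{Bug|991815}}.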