Line 83: | Line 83: | ||
#* RFC 5280 section 4.2.1.9: "CAs MUST NOT include the pathLenConstraint field unless the cA boolean is asserted and the key usage extension asserts the keyCertSign bit." | #* RFC 5280 section 4.2.1.9: "CAs MUST NOT include the pathLenConstraint field unless the cA boolean is asserted and the key usage extension asserts the keyCertSign bit." | ||
#* Related Bugs: {{Bug|982878}}, {{Bug|985021}}, {{Bug|985025}} | #* Related Bugs: {{Bug|982878}}, {{Bug|985021}}, {{Bug|985025}} | ||
# According to RFC 5280: "In conforming CA certificates, the value of the subject key identifier MUST be the value placed in the key identifier field of the authority key identifier extension (Section 4.2.1.1) of certificates issued by the subject of this certificate. Applications are not required to verify that key identifiers match when performing certification path validation." So, in mozilla::pkix we will not be checking this, but we would like to remind CAs that they are supposed to do this. | |||
#* Related Bugs: {{Bug|991823}}, {{Bug|997917}} | |||
== Future Considerations == | == Future Considerations == |
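Review bot: the item beginning "According to RFC 5280:" quotes the subject key identifier requirement without a section number, while the item just above it cites "RFC 5280 section 4.2.1.9" explicitly. The quoted text comes from section 4.2.1.2 (Subject Key Identifier), so "According to RFC 5280 section 4.2.1.2:" would match the list's existing citation style and let CAs find the requirement directly. The sentence "in mozilla::pkix we will not be checking this" would also read more clearly if it named what is not checked, namely that the issuer's subject key identifier matches the key identifier field of the authority key identifier extension in the certificates it issues.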