SecurityEngineering/Removing Compatibility Workarounds in mozilla::pkix: Difference between revisions

From MozillaWiki
(fill in DN-related sections)
(update date)
Line 3: Line 3:
-----
-----


In the process of implementing mozilla::pkix, a number of compatibility issues were encountered involving certificates that did not conform to the Baseline Requirements. To maintain interoperability, some workarounds were added to allow these malformed or improper certificates to validate successfully. However, to improve the state of the web PKI, these workarounds will be removed. As of Firefox 49, if a certificate has a notBefore time after 0:00 21 August 2016 and is affected by any of these workarounds (see below), it will not validate successfully. This document will track the implementation work necessary to remove those workarounds.
In the process of implementing mozilla::pkix, a number of compatibility issues were encountered involving certificates that did not conform to the Baseline Requirements. To maintain interoperability, some workarounds were added to allow these malformed or improper certificates to validate successfully. However, to improve the state of the web PKI, these workarounds will be removed. As of Firefox 49, if a certificate has a notBefore time after 0:00 23 August 2016 and is affected by any of these workarounds (see below), it will not validate successfully. This document will track the implementation work necessary to remove those workarounds.


* id-Netscape-stepUp in Extended Key Usage extension instead of id-kp-serverAuth
* id-Netscape-stepUp in Extended Key Usage extension instead of id-kp-serverAuth
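Review bot: the revised cutoff in the changed paragraph, "0:00 23 August 2016", still names no time zone; notBefore is encoded in UTC, so the sentence should say "00:00 UTC" to make the boundary unambiguous for certificates issued close to it. The edit summary "(update date)" also gives no reason for moving the cutoff from 21 to 23 August, so a pointer to the bug or release schedule that fixes the date would let readers verify it.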

Revision as of 18:21, 2 November 2015


Draft

In the process of implementing mozilla::pkix, a number of compatibility issues were encountered involving certificates that did not conform to the Baseline Requirements. To maintain interoperability, some workarounds were added to allow these malformed or improper certificates to validate successfully. However, to improve the state of the web PKI, these workarounds will be removed. As of Firefox 49, if a certificate has a notBefore time after 0:00 23 August 2016 and is affected by any of these workarounds (see below), it will not validate successfully. This document will track the implementation work necessary to remove those workarounds.

  • id-Netscape-stepUp in Extended Key Usage extension instead of id-kp-serverAuth
    • Workaround introduced in bug 1006041
    • Workaround to be removed in bug 982932
    • Code affected: CheckIssuerIndependentProperties -> CheckExtendedKeyUsage -> MatchEKU (pkixcheck.cpp)
    • Expected difficulty: easy
  • DER: default value of OPTIONAL BOOLEAN explicitly encoded
    • Workaround introduced in bug 989516 for Basic Constraints (cA field)
    • Workaround introduced in bug 1060929 for Extension (critical field)
    • Workaround to be removed in bug 989518
    • Code affected: pkixcheck.cpp, pkixder.h, pkixcert.cpp, pkixocsp.cpp
    • Expected difficulty: difficult
  • DER: pathLenConstraint included when cA:False
    • Workaround introduced in bug 985021
    • Workaround to be removed in bug 985025
    • Code affected: CheckIssuerIndependentProperties -> CheckBasicConstraints (pkixcheck.cpp)
    • Expected difficulty: easy
  • use of subject CN for naming information
    • Workaround introduced in bug 1063281
    • Workaround to be removed in (tbd)
    • Code affected: pkixnames.cpp
    • Expected difficulty: moderate
  • Non-PrintableString/UTF8String in DNs
    • Workaround introduced in bug 1089104
    • Workaround to be removed in (tbd)
    • Code affected: pkixnames.cpp
    • Expected difficulty: moderate
  • nameConstraints/subjectAlternativeName encoding mismatches
    • Workaround introduced in bug 1150114
    • Workaround to be removed in (tbd)
    • Code affected: pkixnames.cpp
    • Expected difficulty: moderate
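The two Basic Constraints items in the list above (cA's default FALSE explicitly encoded, and pathLenConstraint present when cA is false) can be detected by linting the extension value's DER before a certificate is issued. The following is an added example, not mozilla::pkix code: the names `BCFinding`, `ReadTLV` and `LintBasicConstraints` are hypothetical, and it assumes short-form DER lengths, which is enough for this extension.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical finding flags for the two Basic Constraints items listed above.
enum BCFinding : unsigned {
  BC_OK = 0,
  BC_MALFORMED = 1u << 0,            // not valid short-form DER for this type
  BC_EXPLICIT_DEFAULT_CA = 1u << 1,  // cA FALSE (the DEFAULT) explicitly encoded
  BC_PATHLEN_WITHOUT_CA = 1u << 2,   // pathLenConstraint present while cA is false
};

// Reads one TLV with a short-form length (< 128), which covers this extension.
static bool ReadTLV(const std::vector<uint8_t>& in, size_t& pos, uint8_t& tag,
                    size_t& start, size_t& len) {
  if (pos + 2 > in.size() || (in[pos + 1] & 0x80)) return false;
  tag = in[pos];
  len = in[pos + 1];
  start = pos + 2;
  if (start + len > in.size()) return false;
  pos = start + len;
  return true;
}

// Lints the DER of BasicConstraints ::= SEQUENCE {
//   cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER (0..MAX) OPTIONAL }
unsigned LintBasicConstraints(const std::vector<uint8_t>& der) {
  size_t pos = 0, start = 0, len = 0;
  uint8_t tag = 0;
  if (!ReadTLV(der, pos, tag, start, len) || tag != 0x30 || pos != der.size())
    return BC_MALFORMED;
  const size_t end = pos;  // the SEQUENCE spans the whole input
  pos = start;             // step inside the SEQUENCE
  unsigned findings = BC_OK;
  bool isCA = false;
  if (pos < end && der[pos] == 0x01) {  // optional cA BOOLEAN
    if (!ReadTLV(der, pos, tag, start, len) || len != 1) return BC_MALFORMED;
    if (der[start] == 0x00) findings |= BC_EXPLICIT_DEFAULT_CA;
    else if (der[start] == 0xFF) isCA = true;
    else return BC_MALFORMED;  // DER permits only 0x00 and 0xFF
  }
  if (pos < end) {  // optional pathLenConstraint INTEGER
    if (!ReadTLV(der, pos, tag, start, len) || tag != 0x02 || len == 0)
      return BC_MALFORMED;
    if (!isCA) findings |= BC_PATHLEN_WITHOUT_CA;
  }
  return pos == end ? findings : BC_MALFORMED;
}
```

A conforming end-entity value is the empty SEQUENCE `30 00`, and a conforming CA value is `30 03 01 01 FF`, optionally followed by the INTEGER.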