SecurityEngineering/Removing Compatibility Workarounds in mozilla::pkix

From MozillaWiki
< SecurityEngineering
Revision as of 18:30, 28 October 2015 by Dkeeler (talk | contribs) (initial content)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Draft

In the process of implementing mozilla::pkix, a number of compatibility issues were encountered involving certificates that did not conform to the Baseline Requirements. To maintain interoperability, some workarounds were added to allow these malformed or improper certificates to validate successfully. However, to improve the state of the web PKI, these workarounds will be removed. As of Firefox 49, if a certificate has a notBefore time after 0:00 21 August 2016 and is affected by any of these workarounds (see below), it will not validate successfully. This document will track the implementation work necessary to remove those workarounds.

  • nsSGC in EKU, no serverAuth (bug 737802)
  • DER: default values explicitly encoded (bug 988633)
  • pathLenConstraint when cA:False (bug 982878)
  • use of subject CN for naming information
  • Non-PrintableString/UTF8String in DNs
  • nameConstraints/subjectAlternativeName encoding mismatches
Retrieved from "https://wiki.allizom.org/index.php?title=SecurityEngineering/Removing_Compatibility_Workarounds_in_mozilla::pkix&oldid=1103047"