On Friday, December 9, 2016 at 1:43:27 AM UTC+2, Brian Smith wrote:
> Some people claimed some software may be unable to cope with two
> different CA certificates with the same subject DNs. Nobody claimed
> that Firefox is unable to cope with two CA certificates having the
> same subject DN. It should work fine in Firefox because Firefox will
> attempt every CA cert it finds with the same DN.

Thanks a lot for clarifying this.

> One caveat: If there are "too many" CA certificates with the same
> subject DN, Firefox will spend a very long time searching through
> them. This is a bug in Firefox that's already on file.

We will maintain at most two generations of Root CA certificates with the same 
DN in Mozilla/Firefox's trust list. I believe that we will not cause such a 
"too many" issue.

> I'm unconvinced that it is worthwhile to add the Key Identifier stuff
> just to accommodate this one public CA plus any private CAs that do
> similarly. I think it's better to ask this CA to instead do things the
> way all the other public CAs do (AFAIK). In other words, this is kind
> of where the Web PKI diverges from PKIX.

Believe me, we are now really taking into consideration that at the next re-key of 
our Government Root CA, we might start to change CA DNs between generations, 
as commercial CAs do.

As I mentioned in my previous mail, we have a national LDAP tree and all 
entities, including the Government Root CA and all subordinate CAs, have been 
assigned their unique and permanent DNs. In the future, when our Government PKI 
starts to change CA DNs between generations, various Root CA nodes and 
Subordinate CA nodes will be generated in the national LDAP tree and 
application systems might get confused. This is one issue that we need to solve 
in the future.

> However, the CA changing its practices could be done on a
> going-forward basis; the existing instances shouldn't be problematic
> and so I don't think they should be excluded on the basis of what they
> already did.

Thanks for this positive opinion. If our root CA will not cause problems for 
Mozilla NSS/Firefox, I really hope that Mozilla can accept our second-generation 
Government Root CA certificate, especially since Firefox users in Taiwan have 
already waited for a long time.

Wen-Cheng Wang
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
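The behaviour discussed in this thread, as an added illustration that is not part of the original message and is not Firefox, NSS or mozilla::pkix code: two root CA certificates carry the same subject DN but different keys, and an end-entity certificate is issued by the newer generation. A name-only issuer lookup (what Brian Smith describes Firefox doing) has to attempt a signature verification against every trusted certificate with that DN; a PKIX-style lookup narrows the candidates by matching the leaf's Authority Key Identifier to each candidate's Subject Key Identifier first. The example uses the third-party `cryptography` package; the DN, hostname and serial numbers are constructed for the demonstration.

```python
"""Issuer lookup when several CA certs share one subject DN.

Added example (not Mozilla/NSS code). Requires the `cryptography` package.
Compares a name-only search with a name-plus-key-identifier search.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed DN: one root name reused across every key generation.
ROOT_DN = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, "TW"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Government"),
    x509.NameAttribute(NameOID.COMMON_NAME, "Example Government Root CA"),
])
NOT_BEFORE = datetime.datetime(2016, 1, 1)
NOT_AFTER = datetime.datetime(2036, 1, 1)


def make_root(serial):
    """Self-signed root with an SKI; fresh key each call, same subject DN."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (
        x509.CertificateBuilder()
        .subject_name(ROOT_DN)
        .issuer_name(ROOT_DN)
        .public_key(key.public_key())
        .serial_number(serial)
        .not_valid_before(NOT_BEFORE)
        .not_valid_after(NOT_AFTER)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def make_leaf(issuer_key, issuer_cert, common_name, serial):
    """End-entity cert whose AKI names the key generation that signed it."""
    key = ec.generate_private_key(ec.SECP256R1())
    issuer_ski = issuer_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        .issuer_name(issuer_cert.subject)
        .public_key(key.public_key())
        .serial_number(serial)
        .not_valid_before(NOT_BEFORE)
        .not_valid_after(NOT_AFTER)
        .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(issuer_ski), critical=False)
        .sign(issuer_key, hashes.SHA256())
    )


def signature_checks_out(cert, candidate_issuer):
    """True if candidate_issuer's key verifies cert's signature."""
    try:
        candidate_issuer.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def find_issuer_by_name(cert, trust_store):
    """Name-only lookup: try every trusted cert whose subject equals
    cert.issuer until a signature verifies.
    Returns (issuer or None, number of signature attempts)."""
    attempts = 0
    for candidate in trust_store:
        if candidate.subject != cert.issuer:
            continue
        attempts += 1
        if signature_checks_out(cert, candidate):
            return candidate, attempts
    return None, attempts


def find_issuer_by_key_id(cert, trust_store):
    """PKIX-style lookup: same DN filter, then require AKI == SKI before
    spending a signature verification on the candidate."""
    aki = cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value.key_identifier
    attempts = 0
    for candidate in trust_store:
        if candidate.subject != cert.issuer:
            continue
        ski = candidate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest
        if ski != aki:
            continue
        attempts += 1
        if signature_checks_out(cert, candidate):
            return candidate, attempts
    return None, attempts


def demo(generations=2):
    """Build `generations` same-DN roots (oldest first in the store), issue a
    leaf from the newest one, and return (name-only attempts, key-id attempts)."""
    roots = [make_root(serial) for serial in range(1, generations + 1)]
    store = [cert for _, cert in roots]
    issuer_key, issuer_cert = roots[-1]
    leaf = make_leaf(issuer_key, issuer_cert, "www.example.gov.tw", 1000)
    by_name, n_name = find_issuer_by_name(leaf, store)
    by_kid, n_kid = find_issuer_by_key_id(leaf, store)
    assert by_name is issuer_cert and by_kid is issuer_cert
    return n_name, n_kid


if __name__ == "__main__":
    print(demo(2))  # two same-DN generations: name-only tries both, key-id tries one
```

With the store ordered oldest generation first, the name-only search performs one signature verification per same-DN root before it reaches the real issuer, which is the cost that grows with the number of same-DN certificates; the key-identifier search verifies exactly once. Both still end at the correct issuer, which is why two generations are harmless and only an unbounded number of them becomes a problem.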