On 09/06/17 11:29, Rob Stradling wrote:
> These two certs share the same Name and Key. Therefore, the signature
> on the first can be verified by the public key in the second; and vice
> versa. And clearly the Subject Name in each one matches the Issuer Name
> in the other. This means that the first chains to the second, and also
> that the second chains to the first.
And a certificate issued by either can chain to either?

Do we have any idea what NSS does with a cert like https://crt.sh/?id=149444544 when it's presented in a bundle by a webserver which includes an EE cert which chains up to https://crt.sh/?id=12977063 ?

It seems like one potential (if perhaps never-built) path might be:

EE -> 149444544 -> 149444544 -> 149444544 ... -> 149444544 -> 12977063 ?

I sort of seem to remember Brian or someone saying that mozilla::pkix ignores self-issued certificates, but I'd like to have a definitive word.

> The policy says:
> "All certificates that are capable of being used to issue new
> certificates, and which directly or transitively chain to a certificate
> included in Mozilla's CA Certificate Program, MUST be operated in
> accordance with this policy and MUST either be technically constrained
> or be publicly disclosed and audited."

How would you reword the policy to exclude self-issued certificates?

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
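A toy model of the repeating path Gerv sketches above, added here as an illustration and not part of the thread, of NSS or of mozilla::pkix: certificates are constructed records with made-up names and key identifiers, and a depth-first path builder is run once naively and once with same-Name-same-Key certificates collapsed into a single node so the self-issued copy cannot be appended to itself.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (no real parsing)."""
    label: str        # constructed identifier used in the output paths
    subject: str      # Subject Name
    issuer: str       # Issuer Name
    key: str          # identifier of the subject public key
    signer_key: str   # identifier of the key that produced the signature


def chains_to(child, parent):
    """Model 'child is issued by parent': the Issuer Name matches and the
    signature verifies under parent's key (modelled as key-id equality)."""
    return child.issuer == parent.subject and child.signer_key == parent.key


def build_paths(leaf, pool, anchors, max_len=4, collapse_same_name_key=False):
    """Enumerate candidate paths from leaf to a trust anchor by depth-first
    search. Naively, a self-issued cert whose Name and Key match an anchor
    chains to itself and is appended until max_len is reached. With
    collapsing, a cert whose (subject, key) already occurs in the path is
    skipped, so the two same-Name-same-Key certs count as one node."""
    found = []

    def extend(path):
        if len(path) >= max_len:
            return
        seen = {(c.subject, c.key) for c in path}
        for cand in pool + anchors:
            if not chains_to(path[-1], cand):
                continue
            if collapse_same_name_key and (cand.subject, cand.key) in seen:
                continue
            new_path = path + [cand]
            if cand in anchors:
                found.append([c.label for c in new_path])
            else:
                extend(new_path)

    extend([leaf])
    return found


# Constructed scenario mirroring the thread: R1 is in the trust store, R2 is a
# second self-signed cert with the same Name and Key, EE is issued under kR.
R1 = Cert("R1", "Root CA", "Root CA", "kR", "kR")
R2 = Cert("R2", "Root CA", "Root CA", "kR", "kR")
EE = Cert("EE", "example.test", "Root CA", "kEE", "kR")

NAIVE = build_paths(EE, [R2], [R1])
COLLAPSED = build_paths(EE, [R2], [R1], collapse_same_name_key=True)
```

Raising `max_len` in the naive call grows the number of paths linearly with the depth limit, which is the loop the message asks about; the collapsed run yields only EE -> R1.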