On August 10, 2017 at 9:44:01 PM, Jakob Bohm via dev-security-policy ( dev-security-policy@lists.mozilla.org) wrote:
> On 11/08/2017 00:29, Jonathan Rudenberg wrote:
>>
>>> On Aug 10, 2017, at 17:04, Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>>>
>>> Can anyone point out a real world X.509 framework that gets confused by
>>> a redundant pathlen:0 in a CA:FALSE certificate? (Merely to assess the
>>> seriousness of the issue, given that the certificate was already
>>> revoked).
>>
>> Yes, the cryptography Python package: https://github.com/pyca/cryptography/issues/3856
>
> Reading that issue, the text in comment #0 is unclear. Does the python
> code reject such certificates, or somehow skip extensions and declare
> possibly invalid uses to be valid?

As of the current release pyca/cryptography raises an exception during parsing for certificates that contain a pathLength and are CA:FALSE. This immediately halts parsing and prevents the user from viewing any extensions.

-Paul
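To make the two parser behaviours discussed above concrete, here is an added example (not code from the thread or from pyca/cryptography): a minimal DER decoder for the BasicConstraints extension value that either halts on a pathLenConstraint in a CA:FALSE value, as the thread says pyca/cryptography did, or records it as a warning and keeps parsing. The sample bytes are constructed to match the CA:FALSE + pathlen:0 shape under discussion.

```python
# Added example, not from the thread or from pyca/cryptography.
# BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
#                                 pathLenConstraint INTEGER (0..MAX) OPTIONAL }

def _read_tlv(buf, pos):
    """Read one DER TLV with a short-form length; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    if length >= 0x80:
        raise ValueError("long-form length not expected in BasicConstraints")
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos + 2:end], end

def parse_basic_constraints(der, strict=False):
    """Return (ca, path_len, warnings). In strict mode a pathLenConstraint on a
    CA:FALSE value raises, halting the parse the way the thread describes;
    otherwise it is reported as a warning and decoding continues."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("BasicConstraints must be a single SEQUENCE")
    ca, path_len, warnings, pos = False, None, [], 0
    if pos < len(body) and body[pos] == 0x01:          # cA BOOLEAN (optional)
        _, val, pos = _read_tlv(body, pos)
        if len(val) != 1:
            raise ValueError("BOOLEAN must be exactly one byte")
        ca = val[0] != 0
        if val[0] not in (0x00, 0xFF):
            warnings.append("non-DER BOOLEAN encoding")
        if not ca:   # DER omits a value equal to its DEFAULT
            warnings.append("explicit cA FALSE violates DER DEFAULT encoding")
    if pos < len(body) and body[pos] == 0x02:          # pathLenConstraint INTEGER
        _, val, pos = _read_tlv(body, pos)
        path_len = int.from_bytes(val, "big", signed=True)
        if path_len < 0:
            raise ValueError("pathLenConstraint must be non-negative")
        if not ca:
            msg = "pathLenConstraint present but cA is FALSE (RFC 5280 4.2.1.9)"
            if strict:
                raise ValueError(msg)
            warnings.append(msg)
    if pos != len(body):
        raise ValueError("trailing data in BasicConstraints")
    return ca, path_len, warnings

# Constructed sample: SEQUENCE { cA FALSE, pathLenConstraint 0 }
REDUNDANT_PATHLEN = bytes.fromhex("3006010100020100")
```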