On Friday, 25 April 2014 13:46:51 UTC+2, Martin Paljak wrote:
> On Thu, Apr 24, 2014 at 9:07 PM, Kathleen Wilson <kwil...@mozilla.com> wrote:
> > Also, we added a section to the wiki page to list some behavior changes that
> > could cause a website certificate to no longer validate with Firefox 31.
> > https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Behavior_Changes
>
> What is the rationale for this:
>
> 4. Mozilla::pkix performs chaining based on issuer name alone, and
> does not require that issuer's subject key match the authority key
> info (AKI) extension in the certificate. Classic verification enforces
> the AKI restriction.

AKI is only a helper for certificate path building. It's mandatory for CAs to issue certificates with matching keyIdentifiers (issued.AKI.keyIdentifier = issuer.SKI), but it's not mandatory for relying parties to verify that the values match.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
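
The two behaviours discussed in this thread, as an added example that is not part of the original messages and is not mozilla::pkix or NSS code: a simplified path-building model in which the AKI/SKI pair either filters candidate issuers or only orders them. The `Cert` class, the `signed_with` stand-in for signature verification and all sample certificates are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: str                     # stand-in for the subject public key
    signed_with: str             # stand-in for the signature: key that signed this cert
    ski: Optional[bytes] = None  # subjectKeyIdentifier
    aki: Optional[bytes] = None  # authorityKeyIdentifier.keyIdentifier

def signature_ok(cert: Cert, issuer: Cert) -> bool:
    # Stand-in for real signature verification, the check that actually binds the chain.
    return cert.signed_with == issuer.key

def candidates(cert: Cert, pool: List[Cert], enforce_aki: bool) -> List[Cert]:
    # Chaining starts from the name: candidate.subject == cert.issuer.
    named = [c for c in pool if c.subject == cert.issuer]
    if enforce_aki:
        # AKI as a restriction: a candidate whose SKI differs is rejected outright.
        return [c for c in named if cert.aki is None or c.ski == cert.aki]
    # AKI as a hint: try the matching SKI first, keep the others as fallbacks.
    return sorted(named, key=lambda c: c.ski != cert.aki)

def find_issuer(cert: Cert, pool: List[Cert], enforce_aki: bool = False) -> Optional[Cert]:
    for cand in candidates(cert, pool, enforce_aki):
        if signature_ok(cert, cand):
            return cand
    return None

# Constructed sample: one CA name with two keys (key rollover), so name alone is ambiguous.
OLD_CA = Cert("CN=Example CA", "CN=Example Root", "k-old", "k-root", ski=b"\x01")
NEW_CA = Cert("CN=Example CA", "CN=Example Root", "k-new", "k-root", ski=b"\x02")
POOL = [OLD_CA, NEW_CA]
# Leaf whose AKI correctly points at the new CA key.
LEAF_OK = Cert("CN=www.example.test", "CN=Example CA", "k-leaf", "k-new", aki=b"\x02")
# Leaf signed by the new CA key but issued with an AKI that matches no SKI.
LEAF_BAD_AKI = Cert("CN=api.example.test", "CN=Example CA", "k-leaf2", "k-new", aki=b"\x99")

if __name__ == "__main__":
    for leaf in (LEAF_OK, LEAF_BAD_AKI):
        for strict in (False, True):
            found = find_issuer(leaf, POOL, enforce_aki=strict)
            print(leaf.subject, "enforce_aki=%s" % strict, "->", found.key if found else None)
```

In both modes the signature check decides whether a candidate is accepted; the AKI only changes which candidates are tried and in what order.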