Re: Extension KeyUsage in Subscriber's Certificate

2019-04-10 Thread Mirro via dev-security-policy
On Wednesday, 10 April 2019 at 14:55:50 UTC+8, Lijun Liao wrote: > Let us consider the case that the CA unsets the critical flag unintendedly, > e.g. using the default configuration. Which means there are no explicit > reasons. Is it required that the CA create an incident report to Mozilla? > > On Tue, 9 Apr

Re: Extension KeyUsage in Subscriber's Certificate

2019-04-10 Thread Ryan Sleevi via dev-security-policy
On Wed, Apr 10, 2019 at 12:23 PM Wayne Thayer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I'm either confused, or I disagree. We're talking about a certificate that > deviates from a "SHOULD" in RFC 5280, correct? Our guidance on incidents > [1] defines misissuance,

Re: Extension KeyUsage in Subscriber's Certificate

2019-04-10 Thread Wayne Thayer via dev-security-policy
I'm either confused, or I disagree. We're talking about a certificate that deviates from a "SHOULD" in RFC 5280, correct? Our guidance on incidents [1] defines misissuance, in part, as "RFC non-compliant". The certificate as described strictly complies with RFC 5280 (and presumably all other

Re: Extension KeyUsage in Subscriber's Certificate

2019-04-10 Thread Matt Palmer via dev-security-policy
On Wed, Apr 10, 2019 at 08:55:27AM +0200, Lijun Liao via dev-security-policy wrote: > Let us consider the case that the CA unsets the critical flag unintendedly, > e.g. using the default configuration. Which means there are no explicit > reasons. Is it required that the CA create an incident

Re: Extension KeyUsage in Subscriber's Certificate

2019-04-10 Thread Lijun Liao via dev-security-policy
Let us consider the case that the CA unsets the critical flag unintendedly, e.g. using the default configuration. Which means there are no explicit reasons. Is it required that the CA create an incident report to Mozilla? On Tue, 9 Apr 2019, 19:14 Ryan Sleevi wrote: > > > On Tue, Apr 9, 2019

Re: Extension KeyUsage in Subscriber's Certificate

2019-04-09 Thread Ryan Sleevi via dev-security-policy
On Tue, Apr 9, 2019 at 10:39 AM Lijun Liao wrote: > Just makes it clear: The extension KeyUsage is optional in subscriber's > certificate. But what happens if it is present and is NOT critical? > RFC 5280 says SHOULD, not MUST. RFC 2119 defines SHOULD as: 3. SHOULD This word, or the

Re: Extension KeyUsage in Subscriber's Certificate

2019-04-09 Thread Lijun Liao via dev-security-policy
Just to make it clear: the extension KeyUsage is optional in a subscriber's certificate. But what happens if it is present and is NOT critical? On Tue, 9 Apr 2019, 16:29 Ryan Sleevi wrote: > 1. Open > https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.6.4.pdf > 2. Search for "KeyUsage" >

Re: Extension KeyUsage in Subscriber's Certificate

2019-04-09 Thread Ryan Sleevi via dev-security-policy
1. Open https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.6.4.pdf 2. Search for "KeyUsage" - 11 occurrences #1 7.1.2.1 Root CA Certificate b. keyUsage This extension MUST be present and MUST be marked critical ... #3 7.1.2.2 Subordinate CA Certificate e. keyUsage This

Extension KeyUsage in Subscriber's Certificate

2019-04-09 Thread Lijun Liao via dev-security-policy
The extension KeyUsage in subscriber's certificate SHOULD be marked as critical as in RFC 5280. What if it is not set? Does this violate the Baseline Requirements or any rules used by Mozilla Security Policy? Best regards Lijun