CA:MaintenanceAndEnforcement: Difference between revisions

Jump to navigation Jump to search

CA:MaintenanceAndEnforcement (view source)

Revision as of 00:24, 6 November 2012

5 bytes added ,  6 November 2012
m
→‎Concerns
Line 139: Line 139:
The current way to actively distrust a certificate has the following problems.
The current way to actively distrust a certificate has the following problems.


* If the certificate to be distrusted is cross-signed by another certificate in NSS, then the serialNumber/Issuer for that certificate chain also has to be distrusted. This is error-prone, even if we ask every CA in Mozilla's program if they have cross-signed with the certificate to be distrusted.
* If the certificate to be distrusted is cross-signed by another certificate in NSS, then the Serial Number and Issuer for that certificate chain also has to be distrusted. This is error-prone, even if we ask every CA in Mozilla's program if they have cross-signed with the certificate to be distrusted.
** Possible Scenario: A cross-signing relationship is overlooked, so the malicious certificate continues to be trusted even after the security update.
** Possible Scenario: A cross-signing relationship is overlooked, so the malicious certificate continues to be trusted even after the security update.
** Possible Solution: {{Bug|808839}} - Ability to Actively Distrust all certs with a particular Subject.
** Possible Solution: {{Bug|808839}} - Ability to Actively Distrust all certs with a particular Subject.
Kathleen Wilson
Confirmed users, Administrators
5,526

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/485127"

Navigation menu