Confirmed users, Administrators
5,526
edits
CA:MaintenanceAndEnforcement: Difference between revisions
m
→Concerns
m (→Concerns) |
|||
| Line 136: | Line 136: | ||
= Concerns = | = Concerns = | ||
* Certs with weak RSA keys or insufficient key usage can be used maliciously until we implement {{Bug|360126}} and {{Bug|725351}}. | * Certs that have been mistakenly issued with weak RSA keys or insufficient key usage can be used maliciously until we implement {{Bug|360126}} and {{Bug|725351}}. | ||
* If the certificate to be distrusted is cross-signed by another certificate in NSS, then the Serial Number and Issuer for that certificate chain also has to be distrusted. This is error-prone, even if we ask every CA in Mozilla's program if they have cross-signed with the certificate to be distrusted. | * If the certificate to be distrusted is cross-signed by another certificate in NSS, then the Serial Number and Issuer for that certificate chain also has to be distrusted. This is error-prone, even if we ask every CA in Mozilla's program if they have cross-signed with the certificate to be distrusted. | ||
** Possible Scenario: A cross-signing relationship is overlooked, so the malicious certificate continues to be trusted even after the security update. | ** Possible Scenario: A cross-signing relationship is overlooked, so the malicious certificate continues to be trusted even after the security update. | ||