MozillaWiki

SecurityEngineering/mozpkix-testing: Difference between revisions

Page Discussion

SecurityEngineering/mozpkix-testing (view source)

Revision as of 18:20, 7 May 2014

311 bytes removed ,  7 May 2014
m
→‎Behavior Changes
Line 78: Line 78:
# Version 3 certificates used as trust anchors or intermediates are now required to have the basic constraints extention and assert the isCA bit.
# Version 3 certificates used as trust anchors or intermediates are now required to have the basic constraints extention and assert the isCA bit.
# Mozilla::pkix performs chaining based on issuer name alone, and does not require that issuer's subject key match the authority key info (AKI) extension in the certificate.  Classic verification enforces the AKI restriction.
# Mozilla::pkix performs chaining based on issuer name alone, and does not require that issuer's subject key match the authority key info (AKI) extension in the certificate.  Classic verification enforces the AKI restriction.
# A certificate will not be considered an EV certificate if mozilla::pkix cannot build a path to a trusted root that does not contain any certificates with the inhibitAnyPolicy extension. However, such certificates will still validate as non-EV as long as there are no non-policy-related issues. {{Bug|989051}}
# End-entity certificates that contain the EKU extension are now required to assert the serverAuth bit.
# End-entity certificates that contain the EKU extension are now required to assert the serverAuth bit.
# End-entity certificates are no longer allowed to include the OCSPSigning EKU.
# End-entity certificates are no longer allowed to include the OCSPSigning EKU.
Kathleen Wilson
Confirmed users, Administrators
5,526

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/974481"