On Tue, May 13, 2014 at 6:01 PM, Peter Bowen <pzbo...@gmail.com> wrote:
> On Tue, May 13, 2014 at 11:45 AM, David Keeler <dkee...@mozilla.com> wrote:
> > On 05/13/2014 06:48 AM, Peter Bowen wrote:
> >> I think the biggest question probably is id-kp-clientAuth. From a
> >> quick scan of the NSS certdb code, it seems that setting this EKU in a
> >> CA cert would allow it to issue serverAuth and emailProtection certs.
> >> Therefore it would seem reasonable to include this as well.
> >
> > That may well be the case for NSS. However, the new certificate
> > verification library under development and in use by default in
> > Firefox >= 31 does not allow this.
> >
> > In case you hadn't heard about it, the new library is "mozilla::pkix".
>
> In the certdata.txt file, there are only four trust attributes used.
> No certificate has CKA_TRUST_CLIENT_AUTH or CKA_TRUST_TIME_STAMPING.
> Does this mean that, with the switch to mozilla::pkix, Mozilla and NSS
> are not defining any CA as trusted to issue certificates for client
> authentication or time stamping?

How to interpret the NSS trust bits for client authentication is the subject of bug 982340 [1]. I am not sure that NSS even has a way of indicating trust anchors for time stamping. Further, Gecko doesn't use time stamping, so time stamping isn't relevant to mozilla::pkix.

mozilla::pkix is currently built on top of NSS and we didn't change anything about how NSS works for mozilla::pkix. The way trust information is stored is pluggable in mozilla::pkix via the TrustDomain [2] interface, and mozilla::pkix doesn't decide itself which certificates are trusted. In Gecko, we have an implementation of TrustDomain that uses trust information stored in NSS called NSSCertDBTrustDomain [3], and we have another one called AppTrustDomain [4] that is hard-coded to trust only one certificate only for code signing.

Cheers,
Brian

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=982340
[2] http://mxr.mozilla.org/mozilla-central/source/security/pkix/include/pkix/pkixtypes.h#48
[3] https://mxr.mozilla.org/mozilla-central/source/security/certverifier/NSSCertDBTrustDomain.cpp?rev=daee17c14581#70
[4] https://mxr.mozilla.org/mozilla-central/source/security/apps/AppTrustDomain.cpp?rev=c968e47ef708#105