On Mon, Feb 08, 2016 at 12:42:46PM -0800, Kathleen Wilson wrote:
> One topic currently under discussion in Bug #1201423 is regarding root
> certificates with serial number of 0. The error being returned by
> http://cert-checker.allizom.org/ is "Serial number must be positive".
>
> Arguments raised in the bug:
>
> >>> RFC 5280 is not ambiguous as to whether zero is positive or not.
> >>> https://tools.ietf.org/html/rfc5280#section-4.2.1.10
> >>> Note: Non-conforming CAs may issue certificates with serial numbers
> >>> that are negative or zero. Certificate users SHOULD be prepared to
> >>> gracefully handle such certificates.
> >>> So zero is clearly non-conforming.
>
> >> The whole RFC5280 section 4.1 refers to the information associated with
> >> the subject of the certificate and the CA that issued it. This is not
> >> a certificate issued by a CA, it is a self-signed certificate, which is
> >> the trust-anchor itself.
>
> > We believe that this section applies to issued certificates.
> > Quoting the beginning of the section:
> > The sequence TBSCertificate contains information associated with the
> > subject of the certificate and the CA that issued it.
> >
> > Thus, it only applies to certificates issued by a CA, and not to the CA
> > itself.
>
> Does section 4.1 of RFC5280 apply to root certificates?
My understanding of the terminology is that a CA is not a certificate, it is a role (or person, or organisation, or function). To put it another way, "certificates don't issue certificates, CAs issue certificates". In this way, it becomes fairly clear that the self-signed certificate which is usually used as the trust anchor is a "certificate issued by a CA", as much as any other.

- Matt

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
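As an added example that is not part of this thread, and not code from the cert-checker tool it mentions: a standard-library-only Python check that pulls the serialNumber INTEGER out of a DER-encoded certificate and reports it against the RFC 5280 serial-number rules (section 4.1.2.2: positive, at most 20 octets). It returns findings instead of rejecting, since the RFC text quoted above says relying parties SHOULD handle zero and negative serials gracefully; whether a self-signed trust anchor is held to the "positive" rule is left to the caller's policy. The `make_sample_cert` builder and the bytes it produces are constructed for this example only (they stop after the serial, which is all the checker reads).

```python
# Added example, not from the thread or from cert-checker.allizom.org.
# Minimal DER walk: Certificate -> tbsCertificate -> [0] version -> serialNumber.

def _read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV header at pos. Returns (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos, pos + length


def extract_serial(cert_der: bytes) -> int:
    """Return the serialNumber as a Python int (DER INTEGER is two's complement)."""
    tag, start, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, pos, _ = _read_tlv(cert_der, start)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, vstart, vend = _read_tlv(cert_der, pos)
    if tag == 0xA0:                         # EXPLICIT [0] version; absent in v1 certs
        tag, vstart, vend = _read_tlv(cert_der, vend)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    body = cert_der[vstart:vend]
    if not body:
        raise ValueError("empty INTEGER")
    return int.from_bytes(body, "big", signed=True)


def check_serial(cert_der: bytes) -> dict:
    """Classify the serial against RFC 5280 4.1.2.2; report, don't reject."""
    serial = extract_serial(cert_der)
    findings = []
    if serial == 0:
        findings.append("serial is zero (non-conforming per RFC 5280, but must be handled)")
    elif serial < 0:
        findings.append("serial is negative (non-conforming per RFC 5280, but must be handled)")
    # Encoded length of a positive DER INTEGER includes the sign bit.
    if serial > 0 and (serial.bit_length() + 8) // 8 > 20:
        findings.append("serial exceeds the 20-octet limit of RFC 5280")
    return {"serial": serial, "positive": serial > 0, "findings": findings}


# --- constructed sample input (not a real certificate) ---

def _der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV with a definite length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _der_int(value: int) -> bytes:
    """Minimal two's-complement DER INTEGER (0 encodes as 02 01 00)."""
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def make_sample_cert(serial: int) -> bytes:
    """Constructed certificate prefix: v3 version tag followed by serialNumber.
    The remaining tbsCertificate fields and the outer signature are omitted
    because the checker never reads past the serial."""
    tbs = _der(0xA0, _der_int(2)) + _der_int(serial)
    return _der(0x30, _der(0x30, tbs))


if __name__ == "__main__":
    for s in (1, 0, -1, 2**159):
        print(s, check_serial(make_sample_cert(s)))
```

Feeding a real DER certificate (`open("root.der", "rb").read()`) to `check_serial` works the same way, since the walk only depends on the fixed order of the first tbsCertificate fields.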

