On Sunday, December 4, 2016 at 6:18:48 PM UTC+8, Gervase Markham wrote:
> Hi Wen-Cheng,
> 
> On 04/12/16 06:12, 王文正 wrote:
> > Requiring that Key rollover must be accompanied by DN rotation will
> > contradict the PKIX standard and the original X.509 standard.
> 
> Leaving aside the particular situation we are in, in general the Web PKI
> uses X.509 and other standards as a guide, but if something doesn't
> work, or we stop allowing it for security reasons, that's just the way
> it is and that needs to be accepted. Take, for example, non-critical
> name constraints. Not allowed by the RFC, but used in the Web PKI.

Well, I believe that retaining the same DN for the root CA after performing key 
rollover will not cause security issues. If it will cause security issues, 
Mozilla certainly has the right to reject our root certificate.

If you are aware of any security issue that might be caused by a root CA retaining 
the same DN, please clearly describe what kind of security issue it will cause, 
and then I will submit a technical errata report to PKIX to ask for amending 
RFC 5280.

> 
> I note also that Mozilla's root store policy says:
> 
> "This also includes (but again is not limited to) cases where we believe
> that including a CA certificate (or setting its "trust bits" in a
> particular way) might cause technical problems with the operation of our
> software..."
> 
> If what you are trying to do doesn't work in our software, it may end up
> that we just shrug our shoulders and tell you to do something else.
> That's not definite, but it is a possible outcome you need to be
> prepared for.
> 

That is fair. If our implementation does not work with your software, you 
certainly have the right to not accept our root certificate. Let's just test it 
and we will know if it works.

> > If so, I do know how Mozilla can claim that the NSS is
> > interoperable with PKIX Certificate and CRL profile?
> 
> If you are right, we may just have to stop claiming that :-)

Well, on the other hand, you might embrace more positive thinking. This can be 
a chance to improve the certification path processing algorithm of Mozilla NSS 
to make it truly interoperable with PKIX Certificate and CRL profile :-)

> 
> Gerv

Wen-Cheng Wang
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
