Gervase Markham <[email protected]> wrote:
> Just to help me be clear: the request is for the inclusion of a root
> with the same DN as a previous root, which will still be included after
> the addition? Or the problem with duplicate DNs occurs further down the
> hierarchy?
Some people claimed some software may be unable to cope with two different CA certificates with the same subject DNs. Nobody claimed that Firefox is unable to cope with two CA certificates having the same subject DN. It should work fine in Firefox because Firefox will attempt every CA cert it finds with the same DN. One caveat: if there are "too many" CA certificates with the same subject DN, Firefox will spend a very long time searching through them. This is a bug in Firefox that's already on file.

> Does Firefox build cert chains using DNs, or using Key Identifiers as
> Wen-Cheng says it should? I assume it's the former, but want to check.

Firefox doesn't even parse the key identifiers. Using the key identifiers is only helpful when a CA does the thing that this particular CA does, using the same subject DN for multiple CA certificates, to prevent the "too many" problem mentioned above. I'm unconvinced that it is worthwhile to add the Key Identifier stuff just to accommodate this one public CA plus any private CAs that do similarly. I think it's better to ask this CA to instead do things the way all the other public CAs do (AFAIK). In other words, this is kind of where the Web PKI diverges from PKIX.

However, the CA changing its practices could be done on a going-forward basis; the existing instances shouldn't be problematic and so I don't think they should be excluded on the basis of what they already did.

Cheers,
Brian
--
https://briansmith.org/
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
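The two path-building strategies discussed in the thread, as an added illustration that is not part of the original message or of Firefox's code: a toy path builder that selects issuer candidates by subject DN only (every CA cert with the matching DN is tried in turn) versus one that also narrows by Authority Key Identifier. The certificate records, key identifiers and "signature check" are constructed stand-ins, not parsed X.509.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for the X.509 fields that matter for path building (constructed)."""
    subject: str
    issuer: str
    ski: str             # Subject Key Identifier of this cert's own key
    aki: Optional[str]   # Authority Key Identifier naming the signer's key, if present
    signed_by: str       # key that really produced the signature (stands in for the signature)

def signature_ok(child: Cert, parent: Cert) -> bool:
    """Stand-in for verifying child's signature with parent's public key."""
    return child.signed_by == parent.ski

def issuer_candidates(cert: Cert, store: List[Cert], use_key_ids: bool) -> List[Cert]:
    """DN-only matching returns every CA whose subject equals cert.issuer;
    key-id matching additionally keeps only the CA whose SKI equals cert.aki."""
    by_dn = [ca for ca in store if ca.subject == cert.issuer]
    if use_key_ids and cert.aki is not None:
        return [ca for ca in by_dn if ca.ski == cert.aki]
    return by_dn

def build_chain(leaf: Cert, store: List[Cert], use_key_ids: bool) -> Tuple[Optional[List[Cert]], int]:
    """Walk from leaf up to a self-signed CA in store.
    Returns (chain, number of signature checks attempted), or (None, checks) on failure."""
    chain, checks, current = [leaf], 0, leaf
    while current.subject != current.issuer and len(chain) <= 8:
        for ca in issuer_candidates(current, store, use_key_ids):
            checks += 1
            if signature_ok(current, ca):
                chain.append(ca)
                current = ca
                break
        else:
            return None, checks          # no candidate verified: path building fails
    return chain, checks

# Constructed store: one CA that reused the same subject DN across three key generations.
DN = "CN=Example Root CA"
ROOTS = [Cert(DN, DN, ski=k, aki=k, signed_by=k) for k in ("k1", "k2", "k3")]
LEAF = Cert("CN=example.test", DN, ski="leafkey", aki="k3", signed_by="k3")

def compare() -> Tuple[int, int]:
    """Signature checks needed by DN-only vs key-id path building for the same leaf."""
    _, dn_checks = build_chain(LEAF, ROOTS, use_key_ids=False)
    _, kid_checks = build_chain(LEAF, ROOTS, use_key_ids=True)
    return dn_checks, kid_checks
```

With three same-DN roots the DN-only builder performs three signature checks before finding the right one, and the count grows with every additional same-DN certificate, whereas the key-id builder goes straight to the matching key.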

