In regard to updating https://wiki.mozilla.org/CA:How_to_apply#Root_certificates_with_the_same_subject_and_different_keys ?
How about the following?

~~
The standards allow for two CA certificates to have the same subject names but different subject public keys. Please try to avoid this, because it often leads to confusion and compatibility issues. When verifying an end-entity certificate chaining up to a root certificate with the same subject name as another root certificate, if Firefox is aware of the existence of both root certificates, it will try all possible orderings of (subject, issuer) pairs until it finds the right one. If there are many certificates all with the same subject and issuer names, the number of orderings grows exponentially, so it can take a long time to evaluate the certificate chains. Therefore, it is better to avoid these kinds of situations. Note that for root certificates, Firefox ignores the authority key identifier and subject key identifier extensions.
~~

RE:
> There could be something trying to enforce that root certificates sharing the
> same distinguished name MUST be owned by the same entity (well, the private
> key, and all the accompanying things). That should also be true for
> subordinate CAs (wrt cross-signing), but this has to be enforced by issuing
> CAs. Maybe that should be part of the BRs?

Thanks,
Kathleen

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
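As an added illustration of the ordering problem the proposed wiki text describes (example code written for this thread, not NSS or mozilla::pkix code): a toy path builder that first enumerates every chain consistent by (subject, issuer) name and only then checks signatures. The CA names, the deterministic keys, the HMAC stand-in for signatures and the builder design are all constructed assumptions; the point it shows is that with k same-named CA certificates at each of d levels there are k^d name-consistent orderings, which matching on subject/authority key identifiers collapses to one.

```python
"""
Toy path builder illustrating why several CA certificates that share one
subject name but carry different keys cost a name-driven chain builder
many (subject, issuer) orderings. Added example for this thread; not NSS
or mozilla::pkix code. The toy "signature" is an HMAC-SHA256 keyed with the
issuer's secret, which also serves as its "public key", so a certificate
signed by the wrong key still fails verification as a real one would.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: bytes        # stand-in for the subject public key
    ski: str          # subject key identifier (hash of key)
    aki: str          # authority key identifier (hash of issuer's key)
    signature: bytes


def key_id(key: bytes) -> str:
    return hashlib.sha256(key).hexdigest()[:16]


def toy_key(label: str) -> bytes:
    # Deterministic constructed key so runs are reproducible.
    return hashlib.sha256(label.encode()).digest()


def tbs_bytes(subject: str, issuer: str, ski: str, aki: str) -> bytes:
    return f"{subject}|{issuer}|{ski}|{aki}".encode()


def issue(subject: str, subject_key: bytes, issuer: str, issuer_key: bytes) -> Cert:
    ski, aki = key_id(subject_key), key_id(issuer_key)
    sig = hmac.new(issuer_key, tbs_bytes(subject, issuer, ski, aki), hashlib.sha256).digest()
    return Cert(subject, issuer, subject_key, ski, aki, sig)


def signature_valid(child: Cert, parent: Cert) -> bool:
    expected = hmac.new(parent.key, tbs_bytes(child.subject, child.issuer, child.ski, child.aki),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, child.signature)


def name_orderings(leaf: Cert, pool: List[Cert], roots: List[Cert],
                   use_key_ids: bool) -> Iterator[List[Cert]]:
    """Yield every leaf-to-anchor chain consistent by name (child.issuer ==
    candidate.subject), optionally also requiring child.aki == candidate.ski.
    Signatures are deliberately not consulted at this stage."""
    def step(chain: List[Cert]) -> Iterator[List[Cert]]:
        cur = chain[-1]
        for cand in roots + pool:
            if cand.subject != cur.issuer or cand in chain:
                continue
            if use_key_ids and cand.ski != cur.aki:
                continue
            if cand in roots:
                yield chain + [cand]
            else:
                yield from step(chain + [cand])
    return step([leaf])


def find_chain(leaf: Cert, pool: List[Cert], roots: List[Cert],
               use_key_ids: bool) -> Tuple[Optional[List[Cert]], int]:
    """Verify signatures along each ordering in turn; return the first valid
    chain and how many orderings had to be examined to reach it."""
    tried = 0
    for chain in name_orderings(leaf, pool, roots, use_key_ids):
        tried += 1
        if all(signature_valid(chain[i], chain[i + 1]) for i in range(len(chain) - 1)):
            return chain, tried
    return None, tried


def build_scenario(k: int) -> Tuple[Cert, List[Cert], List[Cert]]:
    """Constructed PKI: k trusted roots all named 'CN=Example Root CA' with
    different keys, k intermediates all named 'CN=Example Issuing CA' (one
    under each root), and a leaf issued by the last intermediate, so a builder
    walking candidates in order meets the right pair last (worst case)."""
    root_keys = [toy_key(f"root-{i}") for i in range(k)]
    roots = [issue("CN=Example Root CA", rk, "CN=Example Root CA", rk) for rk in root_keys]
    inter_keys = [toy_key(f"intermediate-{i}") for i in range(k)]
    intermediates = [issue("CN=Example Issuing CA", ik, "CN=Example Root CA", rk)
                     for ik, rk in zip(inter_keys, root_keys)]
    leaf = issue("CN=www.example.test", toy_key("leaf"), "CN=Example Issuing CA", inter_keys[-1])
    return leaf, intermediates, roots


if __name__ == "__main__":
    for k in (2, 3, 4, 5):
        leaf, pool, roots = build_scenario(k)
        _, by_name = find_chain(leaf, pool, roots, use_key_ids=False)
        _, by_key_id = find_chain(leaf, pool, roots, use_key_ids=True)
        print(f"k={k}: name-only orderings examined={by_name}, with SKI/AKI={by_key_id}")
```

Running it shows k*k orderings examined for the two-level scenario when only names are matched, and a single ordering when the authority key identifier is used to pick the issuer; since the proposed text notes that Firefox ignores AKI/SKI on root certificates, the name-only column is the one that applies at the root.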

