Re: Is there an ETA yet for when Firefox will use libpkix by default?

Mon, 11 Jun 2012 07:26:14 -0700 

On 09/06/12 06:03, Wan-Teh Chang wrote:

Rob,

Please fix the bug in the "old" certificate verification library.  Thanks.

Are you going to use the approach outlined by Nelson in bug 479508 and
bug 482153?

>
> Wan-Teh

Hi Wan-Teh.
I'm afraid I have nowhere near enough knowledge of NSS internals to turn Nelson's "disgusting hack" [1] into something that the NSS team would, under normal circumstances, "contemplate committing" [2].
I've just tested Nelson's 2 patches ([1] and [3]) against mozilla-inbound, and they appear to fix the problem. IMHO, a "disgusting hack" fix is much better than a non-disgusting, significantly delayed fix.
So, how would Mozilla and the NSS Team feel about committing Nelson's 2 patches? 


[1] https://bugzilla.mozilla.org/attachment.cgi?id=366236
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=482153#c1
[3] https://bugzilla.mozilla.org/attachment.cgi?id=366225
P.S. An alternative idea, for which I am willing to write a patch (if you think this would be preferable to Nelson's "disgusting hack"): - Define a certHashesToAvoidUsing[] array in nssCertificateArray_FindBestCertificate(). Populate this array with the hashes of all of the UTN->AddTrust and AddTrust->UTN cross-certificates. Make the code consult this list: if a match is found, do not consider this cert to be the best match. 


P.P.S. 2 other ideas which didn't appear to work...
1. I tried adding the affected UTN<-->AddTrust cross-certificates as distrusted built-ins, but this didn't help. Presumably "distrust" is only evaluated after the "best" certificate chain has been chosen, rather than during the process of chain selection.
2. I tried removing one of the affected UTN root-certificates and then adding the relevant AddTrust->UTN cross-certificate as a built-in. This didn't work either, presumably because the UTN root-certificate was for some reason still listed as a Software Security Device. 

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Reply via email to