https://bugzilla.wikimedia.org/show_bug.cgi?id=35709
Marcin Cieślak <[email protected]> changed:

           What    |Removed |Added
----------------------------------------------------------------------------
        Severity   |blocker |normal

--- Comment #6 from Marcin Cieślak <[email protected]> 2012-04-11 09:41:24 UTC ---

A root certificate received via the TLS Server Certificate exchange does not make it into the list of the browser's trusted root certificates. I've never heard about the process of sneaking in as you describe.

You also cannot use a root certificate as an intermediate, since a root certificate by definition has issuer == subject. An intermediate would need to have its issuer set to something else.

RFC 5246, section 7.4.2 says:

   certificate_list
      This is a sequence (chain) of certificates. The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it. Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority MAY be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case.

Including the root certificate might have an advantage for clients not having it stored locally, i.e. in theory OCSP or CRL information from extended v3 attributes could be used to verify the validity of the whole chain.

The path validation process (RFC 3280 section 6) describes the whole validation as coming from the top (CA) to the bottom (host certificate). If you don't have the issuer name (and, most importantly, the public key) you can't really verify the chain.

Please note that even if you don't trust the trust anchor (root CA) you can do certain validation, like expiration dates, names and making sure the whole chain is really working. So even without a trust anchor set, some basic validation is still possible.
By the way, https://en.wikipedia.org/ serves a whole CA path including the root and the intermediate CA as well:

depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance CA-3
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Wikimedia Foundation, Inc.", CN = *.wikipedia.org
verify return:1

Please note, it's also a different root. (Because this is the so-called EV certificate.)
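As an added illustration (not part of the bug comment above), the following Go program builds a constructed root/intermediate/leaf chain and applies the RFC 5246 ordering rule plus the checks that are possible without a trust anchor: validity period, signature linkage, and whether the chain ends in a self-signed (issuer == subject) root. All names and keys are made up for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a cert for cn signed by parent; parent == nil means self-signed
// (issuer == subject, as for a root CA). Names and keys are constructed test data.
func makeCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// DemoChain returns a constructed chain in wire order: leaf, intermediate, root.
func DemoChain() []*x509.Certificate {
	root, rootKey := makeCert("Demo Root CA", true, nil, nil)
	inter, interKey := makeCert("Demo Intermediate CA", true, root, rootKey)
	leaf, _ := makeCert("www.example.test", false, inter, interKey)
	return []*x509.Certificate{leaf, inter, root}
}
// CheckChainOrder enforces the RFC 5246 rule (each cert directly certifies the one before it)
// and what is checkable without a trust anchor: validity period and signature linkage.
// It reports whether the chain ends in a self-signed root.
func CheckChainOrder(chain []*x509.Certificate, now time.Time) (bool, error) {
	for i, c := range chain {
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			return false, fmt.Errorf("cert %d (%s) is outside its validity period", i, c.Subject.CommonName)
		}
		if i+1 < len(chain) && c.CheckSignatureFrom(chain[i+1]) != nil {
			return false, fmt.Errorf("cert %d is not directly certified by cert %d", i, i+1)
		}
	}
	last := chain[len(chain)-1]
	return last.Subject.String() == last.Issuer.String() && last.CheckSignatureFrom(last) == nil, nil
}
func main() { fmt.Println(CheckChainOrder(DemoChain(), time.Now())) }
```

Passing the chain without its last element models the case RFC 5246 allows (root omitted); reversing it models a misordered chain, which the linkage check rejects.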
