[cabfpub] Ballot 108: Clarifying the scope of the baseline requirements
Gervase Markham
gerv at mozilla.org
Thu Aug 15 18:52:26 UTC 2013
On 08/08/13 18:10, Kelvin Yiu wrote:
> One way to make progress is perhaps for browsers to summarize the
> certificate profile (e.g. required fields and extensions) that their
> browsers accept as SSL, code signing, or any other public
> certificates they accept.

The code for the NSS currently shipping in Firefox is here:
http://dxr.mozilla.org/mozilla-central/source/security/nss/lib/certdb/certdb.c#l489

So the logic of that code block as I read it (and my interpretation was
looked over by Bob Relyea, although he probably didn't check it
exhaustively), is:

SSL_Server == !(NS_Type_Extension || EKU_Extension) // 608-621
           || NS_Type_SSL_Server // 516
           || !BC_isCA && (
                EKU_Server_Auth // 553-562
                || NS_Govt_Approved // 563-576
              )

SSL_Client == !(NS_Type_Extension || EKU_Extension) // 608-621
           || NS_Type_SSL_Client // 516
           || EKU_SSL_Client_Auth // 577-586

SSL_CA == NS_SSL_CA // 516
       || BC_isCA && (
            !(NS_Type_Extension || EKU_Extension) // 608-621
            || NS_Type_Email_CA // 531-537
            || EKU_SSL_Server_Auth // 553-562
            || NS_Govt_Approved // 563-576
            || EKU_SSL_Client_Auth // 577-586
          )

Email == NS_Type_Email // 516
      || !(NS_Type_Extension || EKU_Extension) // 608-621
      || (NS_Type_SSL_Client && Has_Email_Address) // 523-530
      || (EKU_Email_Protect && !BC_isCA) // 538-552

Email_CA == NS_Type_Email_CA // 516
         || BC_isCA && (
              !(NS_Type_Extension || EKU_Extension) // 608-621
              || EKU_Email_Protect // 538-552
            )

Code_Sign == NS_Type_Object_Signing // 516
          || (EKU_Code_Sign && !BC_isCA) // 587-596

Code_Sign_CA == NS_Type_Object_Signing_CA // 516
             || (EKU_Code_Sign && BC_isCA) // 587-596

Time_Stamp == EKU_Time_Stamp // 597-601
[Bob needs to clarify a point he made about this one.]

OCSP_Resp == OID_OCSP_Responder // 602-606
          || is_Any_CA_Type &&
             !(NS_Type_Extension || EKU_Extension) // 608-621

Gerv
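
Added example (not part of the message above and not NSS code): the SSL, email and code-signing rules from the message, evaluated over constructed certificate profiles to show which usages each profile ends up with. The Profile class, usages() and the sample profiles are hypothetical names; EKU_Server_Auth and EKU_SSL_Server_Auth are assumed to be the same term.

```python
# Added example: the message's boolean rules as a function over constructed profiles.
# Term names are the message's; Profile and usages() are hypothetical helpers.
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    terms: frozenset = frozenset()  # terms from the message that hold for the cert
    is_ca: bool = False             # BC_isCA
    has_email: bool = False         # Has_Email_Address

def usages(p: Profile) -> set:
    t = lambda name: name in p.terms
    # "!(NS_Type_Extension || EKU_Extension)": neither extension is present
    no_ext = not (t("NS_Type_Extension") or t("EKU_Extension"))
    # Assumption: EKU_Server_Auth and EKU_SSL_Server_Auth name the same EKU.
    server_auth = t("EKU_Server_Auth") or t("EKU_SSL_Server_Auth")
    rules = {
        "SSL_Server": no_ext or t("NS_Type_SSL_Server")
            or (not p.is_ca and (server_auth or t("NS_Govt_Approved"))),
        "SSL_Client": no_ext or t("NS_Type_SSL_Client") or t("EKU_SSL_Client_Auth"),
        "SSL_CA": t("NS_SSL_CA") or (p.is_ca and (
            no_ext or t("NS_Type_Email_CA") or server_auth
            or t("NS_Govt_Approved") or t("EKU_SSL_Client_Auth"))),
        "Email": t("NS_Type_Email") or no_ext
            or (t("NS_Type_SSL_Client") and p.has_email)
            or (t("EKU_Email_Protect") and not p.is_ca),
        "Email_CA": t("NS_Type_Email_CA")
            or (p.is_ca and (no_ext or t("EKU_Email_Protect"))),
        "Code_Sign": t("NS_Type_Object_Signing")
            or (t("EKU_Code_Sign") and not p.is_ca),
        "Code_Sign_CA": t("NS_Type_Object_Signing_CA")
            or (t("EKU_Code_Sign") and p.is_ca),
    }
    return {name for name, ok in rules.items() if ok}

# Constructed profiles (not real certificates)
BARE_LEAF = Profile()                      # no NS type extension, no EKU extension
BARE_CA = Profile(is_ca=True)              # CA with neither extension
TLS_LEAF = Profile(frozenset({"EKU_Extension", "EKU_Server_Auth"}))
CODE_LEAF = Profile(frozenset({"EKU_Extension", "EKU_Code_Sign"}))
CLIENT_CA = Profile(frozenset({"EKU_Extension", "EKU_SSL_Client_Auth"}), is_ca=True)

if __name__ == "__main__":
    for name, prof in [("bare leaf", BARE_LEAF), ("bare CA", BARE_CA),
                       ("serverAuth leaf", TLS_LEAF), ("codeSigning leaf", CODE_LEAF),
                       ("clientAuth CA", CLIENT_CA)]:
        print(f"{name:16} -> {sorted(usages(prof))}")
```

Under these rules a profile with neither extension is the permissive case: the bare leaf is accepted for SSL server, SSL client and email, while adding an EKU extension narrows the result to the listed purposes.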