
Issue 844203

Starred by 3 users

Issue metadata

Status: Untriaged
Owner: ----
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug

Blocking:
issue 844210




Deprecate support for invalid certificate serial numbers

Project Member Reported by eroman@chromium.org, May 17 2018

Issue description

According to RFC 5280, serial numbers should be:
 * minimal integer encoding (per DER)
 * non-negative
 * 20 octets or less

Historically platform verifiers have been very permissive with serial numbers and there are certificates with these problems.

OS X has recently increased strictness with regard to serial number length (Issue 786732).

See also Issue 721778.

I almost wonder if we should split these out as separate issues.

For example, Chrome on Linux/ChromeOS has never accepted certificates with >20 octets (excluding possible 0 encoding). If we relax our strictness here, we would be in a worse posture for existing platforms, although I understand hesitation towards increasing strictness on lax platforms.
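To make the three RFC 5280 rules in the issue description concrete, and the "excluding possible 0 encoding" point in the comment above, here is a small stdlib-only checker. It is an added example, not Chromium's or any platform verifier's code. It parses a DER INTEGER TLV and reports a non-minimal length or value encoding, a negative value, or more than 20 value octets (a sign-padding leading 0x00 is not counted toward the 20). The `der_integer` encoder, the `serial_from_der_cert` extractor and the `CONSTRUCTED_CERT` bytes are constructed for the demonstration; the fake certificate contains only the fields the extractor needs and is not a real certificate.

```python
"""Checks for X.509 serial numbers against the RFC 5280 section 4.1.2.2 rules
listed in the issue: minimal DER INTEGER encoding, non-negative value, and at
most 20 octets of value. Stdlib only; added example, not Chromium code."""
from typing import List, Tuple

MAX_SERIAL_OCTETS = 20  # RFC 5280 limit on the integer's value octets


def read_tlv(buf: bytes, off: int) -> Tuple[int, int, int]:
    """Parse one BER/DER tag-length header at `off`.
    Returns (tag, content_start, content_end)."""
    tag = buf[off]
    first = buf[off + 1]
    if first & 0x80 == 0:           # short-form length: one octet
        length, hdr = first, 2
    else:                           # long form: low 7 bits = number of length octets
        n = first & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        hdr = 2 + n
    start = off + hdr
    return tag, start, start + length


def check_serial_number(der: bytes) -> List[str]:
    """Return the problems found in a DER-encoded INTEGER serial number (the
    raw TLV starting with tag 0x02). An empty list means it is conformant."""
    if len(der) < 3 or der[0] != 0x02:
        return ["not a DER INTEGER (expected tag 0x02 with contents)"]
    _, start, end = read_tlv(der, 0)
    if end != len(der):
        return ["length field does not match the data"]
    content = der[start:end]
    problems = []
    # DER requires the shortest length form: long form only for >= 128 octets.
    if der[1] & 0x80 and len(content) < 0x80:
        problems.append("non-minimal length encoding")
    # DER minimal integer: a leading 0x00 is allowed only to keep a positive
    # value from being read as negative; a leading 0xFF only for negatives.
    if len(content) >= 2:
        if content[0] == 0x00 and content[1] & 0x80 == 0:
            problems.append("non-minimal encoding: unnecessary leading 0x00")
        if content[0] == 0xFF and content[1] & 0x80:
            problems.append("non-minimal encoding: unnecessary leading 0xFF")
    # Two's complement: high bit of the first content octet set => negative.
    if content[0] & 0x80:
        problems.append("negative serial number")
    # The 20-octet limit applies to the value; a sign-padding 0x00 does not
    # count (the "excluding possible 0 encoding" point from the comment above).
    value_octets = len(content) - (1 if len(content) > 1 and content[0] == 0 else 0)
    if value_octets > MAX_SERIAL_OCTETS:
        problems.append(f"serial number is {value_octets} octets, more than {MAX_SERIAL_OCTETS}")
    return problems


def der_integer(value: int, pad: bool = False) -> bytes:
    """Encode an int as a DER INTEGER TLV (constructed helper). pad=True
    prepends a redundant 0x00, a non-minimal encoding, to exercise the checker."""
    n = 1
    while True:                     # smallest two's-complement width that fits
        try:
            content = value.to_bytes(n, "big", signed=True)
            break
        except OverflowError:
            n += 1
    if pad:
        content = b"\x00" + content
    assert len(content) < 256, "demo encoder handles one length octet only"
    if len(content) < 0x80:
        return b"\x02" + bytes([len(content)]) + content
    return b"\x02\x81" + bytes([len(content)]) + content


def serial_from_der_cert(cert: bytes) -> bytes:
    """Pull the raw serialNumber TLV out of a DER Certificate:
    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
        [0] version OPTIONAL, serialNumber INTEGER, ... }, ... }"""
    _, tbs_start, _ = read_tlv(cert, 0)        # Certificate SEQUENCE
    _, off, _ = read_tlv(cert, tbs_start)       # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert, off)
    if tag == 0xA0:                             # [0] EXPLICIT version present
        off = end
        tag, _, end = read_tlv(cert, off)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return cert[off:end]


# Constructed, minimal fake certificate: SEQUENCE { SEQUENCE { [0] { INTEGER 2 },
# INTEGER -128 } }. Only the leading fields exist; it is not a real certificate.
_VERSION = b"\xa0\x03\x02\x01\x02"
_SERIAL = b"\x02\x01\x80"                       # 0x80 => negative in two's complement
_TBS = b"\x30" + bytes([len(_VERSION + _SERIAL)]) + _VERSION + _SERIAL
CONSTRUCTED_CERT = b"\x30" + bytes([len(_TBS)]) + _TBS

if __name__ == "__main__":
    for label, tlv in [
        ("good", der_integer(0x1234)),
        ("negative", der_integer(-1)),
        ("padded", der_integer(1, pad=True)),
        ("20 octets + sign pad", der_integer((1 << 160) - 1)),
        ("21 octets", der_integer(1 << 160)),
        ("from constructed cert", serial_from_der_cert(CONSTRUCTED_CERT)),
    ]:
        print(f"{label:22s} {tlv.hex():12.12s}... {check_serial_number(tlv) or 'OK'}")
```

The 20-octet case with a sign-padding 0x00 (21 content octets in total) passes, while 21 value octets fail; that is the distinction the comment above draws for Chrome on Linux/ChromeOS. Real serial-number defects to watch for in a CA's output are the padded and negative forms, which `der_integer(..., pad=True)` and `der_integer(-1)` reproduce here.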

Comment 2 by eroman@chromium.org, May 17 2018

Blocking: 844210
