ISSUE-121: Safe Form Bar certificate matching issues [Techniques]

ISSUE-121: Safe Form Bar certificate matching issues [Techniques]

Raised by: Thomas Roessler
On product: Techniques

The safe form bar specification includes a specific matching algorithm for PKIX certificates. This algorithm should be reviewed in light of what the PKIX spec itself says.

Known issues:

- There is some material based on CN, but subjectAltName is ignored
- Two certificates are considered identical if the same key material is encapsulated
- The text uses the notion of "same certification authority", and defines that notion in terms of "both installed as trusted certificate chain roots identified by the same name in the user agent's presentation to the user", as opposed to using the certificate's isuser field. (Note contradiction to material elsewhere in the spec!)
- Certificates are considered to identify the same entity based on comparing specific attributes of the subject field.

Received on Thursday, 11 October 2007 09:52:12 UTC