Hi Bruce,

On Sat, Jan 4, 2025 at 8:52 AM bruce lee <pikaqiu...@gmail.com> wrote:

> Dear Browser Development Team,
>
> I am writing to inquire about the specific logic and algorithms employed
> by your browser when constructing certificate chains, particularly in
> scenarios involving multiple intermediate certificates. I am looking for a
> thorough explanation of the decision-making process and, if possible, the
> location of the relevant code within your codebase.
>
> My specific area of interest is in how the browser handles situations
> where it encounters multiple potential intermediary certificates that could
> link to a given end-entity certificate, specifically:
>
> Scenario: Consider an end-entity certificate "C". This certificate can
> potentially be linked to two intermediate certificates, "A" and "B".
> Key and Subject Identity: Intermediate certificates "A" and "B" share the
> same private key and have the same subject name.
> Field Differences: However, other fields within "A" and "B" are different
> (e.g., different validity periods, subject alternative names, extensions,
> etc.).
>
> In such a case, end-entity certificate "C" could be successfully linked to
> either "A" or "B", resulting in two potential certificate chain paths.
>
> My questions are:
>
> 1. Selection Criteria: What specific criteria or properties does the
> browser prioritize when selecting between such multiple intermediate
> certificates with the same subject name and public key? Is this selection
> based on the most recently issued certificate, or the one with the longer
> validity period, or some other factors? Please provide a complete list of
> these criteria, ordered by priority.
> 2. Algorithm: Could you describe the detailed algorithm (or pseudo-code)
> used by the browser when making this selection? I am interested in
> understanding the complete process flow.
> 3. Implementation Location: Could you please provide information on the
> location within the browser's codebase where this certificate chain
> selection logic is implemented? If possible, please include specific file
> paths or code modules.
> 4. Rationale: What is the reasoning behind these design choices, and what
> are some potential edge cases or known issues that they are designed to
> mitigate?
> 5. Specific Examples: If there are any practical examples or case studies
> of where the logic is relevant, could you share a few cases?
>
> I understand the complexity of this area and appreciate any detailed
> information you can provide. I am particularly interested in the technical
> specifics behind these choices, as it directly relates to the security and
> reliability of web browsing.
>

I'm not the right person to answer really any of your queries, but I can at least point you to the relevant implementation (or, be the wrong answer in the adage about the fastest way to get an answer on the Web) -- building and verifying certificate chains is the work of mozpkix <https://searchfox.org/mozilla-central/source/security/nss/lib/mozpkix>.

My belief, very loosely held, is that the browser will accept _any_ valid chain, so most of your questions about "which of two candidate certificates is favoured" are mostly irrelevant -- we're looking for any path in a graph, without any particular ordering, etc. But hopefully you can either read the code and verify for yourself, or the experts will chime in.

Best,
Nick

--
You received this message because you are subscribed to the Google Groups "dev-platform@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-platform+unsubscr...@mozilla.org.
To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/CAMnWBR33-JsW1DfDAN2rTfrq0xiDQGVpend-jcS1JhhtFt5bsw%40mail.gmail.com.
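
The "any path in a graph" idea from the reply above, sketched as an added example that is not part of the thread and is not mozpkix code: a toy depth-first path builder with backtracking, run on the A/B/C scenario from the question. Everything here is an assumption made for illustration: the `Cert` fields, the `build_chain` helper, the constructed sample certificates, integer timestamps, and a string comparison on `signed_by` standing in for real signature verification.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    label: str        # name used only in this example
    subject: str
    issuer: str
    key: str          # stands in for the subject public key
    signed_by: str    # stands in for "signature verifies under this key"
    not_before: int   # integer timestamps keep the model simple
    not_after: int
    is_ca: bool = True

def build_chain(cert, candidates, anchors, now, seen=()):
    """Depth-first search with backtracking: first valid path, or None."""
    if not (cert.not_before <= now <= cert.not_after):
        return None  # this cert is outside its validity period; dead end
    # The path is complete once a trust anchor matches the issuer name and key.
    for anchor in anchors:
        if anchor.subject == cert.issuer and anchor.key == cert.signed_by:
            return [cert.label, anchor.label]
    for cand in candidates:
        if cand.label in seen or not cand.is_ca:
            continue  # avoid loops; only CA certs may issue
        if cand.subject != cert.issuer or cand.key != cert.signed_by:
            continue  # not a possible issuer of this cert
        rest = build_chain(cand, candidates, anchors, now, seen + (cand.label,))
        if rest is not None:
            return [cert.label] + rest  # any valid path is accepted
        # otherwise backtrack and try the next candidate issuer
    return None

# Constructed sample data: A and B share subject name and key, differ in validity.
ROOT = Cert("R", "Root CA", "Root CA", "k-root", "k-root", 0, 1000)
A = Cert("A", "Int CA", "Root CA", "k-int", "k-root", 0, 100)
B = Cert("B", "Int CA", "Root CA", "k-int", "k-root", 50, 500)
C = Cert("C", "example.test", "Int CA", "k-leaf", "k-int", 60, 400, is_ca=False)

if __name__ == "__main__":
    print(build_chain(C, [A, B], [ROOT], now=80))    # both intermediates usable
    print(build_chain(C, [A, B], [ROOT], now=200))   # A expired, falls back to B
```

In this model the candidate order only decides which chain is returned when both are valid; whether validation succeeds does not depend on it.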