User-Agent: Mozilla/5.0 (X11; U; Linux i686; de-DE; rv:1.7.5) Gecko/20050210 Firefox/1.0 (Debian package 1.0+dfsg.1-6) Build Identifier: This patch adds the OID for 1.3.6.1.5.5.7.48.2, PKIX CA Issuers. This ID is defined in RFC 2459. It is not clear what OIDs can be added through "static" OID tags, rather than in the application through SECOID_AddEntry. I think a policy is desirable, best documented in secoidt.h before the enumeration. I would propose to allow all OIDs into the file which are certificate-relevant and vendor-independent (e.g. published in an RFC). This specific OID is needed for bug Bug 259031, which tries to print the CA Issuers AIA if present. Reproducible: Always Steps to Reproduce:

Taking bug. I will review this patch.

Comment on attachment 174392 [details] [diff] [review] Patch to add SEC_OID_ACCESS_DESCR_CA_ISSUERS r=nelson I think I might have preferred a somewhat shorter name than SEC_OID_ACCESS_DESCR_CA_ISSUERS, perhaps something like SEC_OID_AIA_CA_ISSUERS, but I'm not going to withhold r+ over such a nit. i will plan to check this in on Martin's behalf for 3.10.

Comment on attachment 174392 [details] [diff] [review] Patch to add SEC_OID_ACCESS_DESCR_CA_ISSUERS Nelson, If you want a shorter name, I suggest SEC_OID_AD_CA_ISSUERS because this OID is called id-ad-caIssuers in RFC 2459: id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 }

Should I submit a new patch for the renamed constant? I personally don't care too much what it is called, so SEC_OID_AD_CA_ISSUERS sounds fine.

Martin, I took care of this for you. After reviewing the two files, I concluded that SEC_OID_PKIX_CA_ISSUERS is the name that is the most consistent with existing names. Is PKIX 3 the nickname for RFC 2459?

I think I confused terminology. PKIX 3 apparently once was the nickname for draft-ietf-pkix-ipki3cmp-0X.txt, which apparently became RFC 2510. So the comment claiming that this is PKIX 3 should probably be removed/replaced with a plain "PKIX" statement. BTW, RFC 2459 is now obsoleted by RFC 3280.

Changed "PKIX 3" to "More PKIX OIDs" in comments.

Comment on attachment 175248 [details] [diff] [review] Patch to add SEC_OID_PKIX_CA_ISSUERS, v1.1 Wan-Teh, since you're apparently ready to check this in, please "take" this bug when you do so. Thanks.

Patch checked in on the trunk. Note that I changed the description of this OID to "PKIX CA issuers access method", from "Authority issuers access path". Checking in secoid.c; /cvsroot/mozilla/security/nss/lib/util/secoid.c,v <-- secoid.c new revision: 1.29; previous revision: 1.28 done Checking in secoidt.h; /cvsroot/mozilla/security/nss/lib/util/secoidt.h,v <-- secoidt.h new revision: 1.17; previous revision: 1.16 done