Inspired by Rob Stradling's work (https://cabforum.org/pipermail/public/2015-November/006269.html), I wrote a quick tool to check that commonNames and Subject Alternative Names in server auth certificates issued by public CAs were following the CA/Browser Forum baseline requirements.
The resulting report of anomalies is available at https://docs.google.com/spreadsheets/d/1lJt-1tkgKcbw5woEr4-tcpqB-M-HKwjFNSdX2jla2EU/edit?usp=sharing

The rules are a rather strict interpretation of RFC 5280 and the Baseline Requirements. Notably, it will complain if FQDNs are not converted to ASCII (as defined in 7.2 and 7.3 of RFC 5280) and will complain if there is an IP address flagged as a dNSName in a Generalized Name. There are a couple of rules that may create false positives, so please don't assume every certificate on the sheet is problematic.

Thanks,
Peter
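The two checks described in the post (dNSName values not converted to ASCII, and IP literals carried as a dNSName), plus the Baseline Requirements rule that the commonName must also appear in the SAN, as an added example that is not Peter's tool or the original post's code. It works on already-decoded (GeneralName type, value) pairs rather than parsing DER, and the sample certificate names are constructed for illustration.

```python
import ipaddress

# Constructed sample input: the subject commonName and the decoded
# subjectAltName entries of a hypothetical server certificate.
SAMPLE_CN = "www.example.com"
SAMPLE_SANS = [
    ("dNSName", "www.example.com"),
    ("dNSName", "xn--bcher-kva.example"),  # IDN correctly encoded as an A-label
    ("dNSName", "bücher.example"),         # anomaly: U-label, not converted to ASCII
    ("dNSName", "192.0.2.10"),             # anomaly: IP literal inside a dNSName
    ("iPAddress", "192.0.2.10"),           # correct GeneralName type for an IP
]


def is_ip_literal(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def lint_names(common_name, sans):
    """Return a list of anomaly strings for the given CN and SAN entries."""
    findings = []
    san_values = set()
    for kind, value in sans:
        san_values.add(value.lower())
        if kind == "dNSName":
            if not value.isascii():
                findings.append(f"dNSName {value!r}: not ASCII; IDN labels must be A-labels (RFC 5280 7.2)")
                continue
            if is_ip_literal(value):
                findings.append(f"dNSName {value!r}: IP address belongs in an iPAddress GeneralName")
                continue
            try:
                value.encode("ascii").decode("idna")  # rejects malformed xn-- labels
            except UnicodeError:
                findings.append(f"dNSName {value!r}: malformed A-label")
        elif kind == "iPAddress" and not is_ip_literal(value):
            findings.append(f"iPAddress {value!r}: not a valid IP address")
    # Baseline Requirements: the commonName must also be one of the SAN entries.
    if common_name and common_name.lower() not in san_values:
        findings.append(f"commonName {common_name!r}: not present in subjectAltName")
    return findings


if __name__ == "__main__":
    for line in lint_names(SAMPLE_CN, SAMPLE_SANS):
        print(line)
```

Feeding it the SAN entries from a real certificate (for example, decoded with the `cryptography` library) is left to the caller, so the linter itself runs offline.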

