On Monday, 9 December 2013 23:15:01 UTC+1, Brian Smith wrote:

> One thing that would really help would be an attempt to document which
> publicly-accessible websites are using certificates that chain (only)
> to the ANSSI root. I heard the claim that most French public
> government websites actually use certificates that chain to a
> different CA. That has led me to wonder how much the ANSSI root is
> actually used by public websites. Having a list of domains that use
> certs that chain to ANSSI root is likely to have some significant
> bearing on the decisions about what to do. But, it will be a while
> before I would have time to compile such a list.
Working on such a list in my spare time. Unfortunately, it's not a small hierarchy.

> I think it would also help to document in this thread the ways we know
> that ANSSI is not complying with our CA program. Lack of OCSP AIA URI
> in the certificates is one example. Are there other ways that ANSSI is
> non-compliant?

1024-bit TLS certs (still recently), sequential serial numbers + SHA1.

Some first-level sub-CAs (i.e. just under the root) don't have a valid CRLDP URI pointing to a downloadable, non-expired CRL.

As Kathleen mentioned in bug 948175, governments need to vote budgets.
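A defender-side audit for the kinds of non-compliance listed in this reply (an added example, not code from this thread or from Mozilla's CA program): it flags RSA keys under 2048 bits, SHA-1 signatures, short serial numbers (the 64-bit threshold is an assumed heuristic for spotting sequential serials), a missing OCSP AIA URI and a missing CRL distribution point, and builds a constructed self-signed certificate to exercise the checks; the hostnames are placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// auditCert returns one finding per compliance problem found in c.
func auditCert(c *x509.Certificate) []string {
	var findings []string
	if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 2048 {
		findings = append(findings, fmt.Sprintf("rsa key only %d bits", k.N.BitLen()))
	}
	if c.SignatureAlgorithm == x509.SHA1WithRSA || c.SignatureAlgorithm == x509.ECDSAWithSHA1 {
		findings = append(findings, "signed with SHA-1")
	}
	if c.SerialNumber.BitLen() < 64 { // assumed heuristic: sequential serials are small
		findings = append(findings, "serial number has fewer than 64 bits")
	}
	if len(c.OCSPServer) == 0 { // AIA extension carries no OCSP URI
		findings = append(findings, "no OCSP URI in AIA")
	}
	if len(c.CRLDistributionPoints) == 0 { // no CRLDP extension at all
		findings = append(findings, "no CRL distribution point")
	}
	return findings
}

// selfSigned builds a constructed test certificate with the given key size,
// serial number, OCSP URIs and CRL distribution points (nil to omit them).
func selfSigned(bits int, serial *big.Int, ocsp, crl []string) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: "test-ca.example.invalid"},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		OCSPServer:            ocsp,
		CRLDistributionPoints: crl,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}
```

Run `auditCert` over a parsed leaf or sub-CA certificate; an empty result means none of these particular problems were found.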

