Starting from http://www.ssi.gouv.fr/fr/anssi/services-securises/igc-a/ you can get the CRL of the 2048-bit IGC/A, and a page linking to 14 sub-CAs. Ignore the 4096-bit IGC/A for now, it hasn’t been accepted by Mozilla yet.

Among those 14 sub-CAs, 4 don’t have any CRLDP:
- “AC racine Agriculture”
- “AC Ministère de la Justice” (expired since Nov 2011)
- “AC Direction Générale de l’Aviation Civile (DGAC)” (expired since Sep 2013)
- “AC Port autonome de Marseille (PAM)” (expired since Sep 2013)

One points to an unreachable CRL: “AC racine Gendarmerie nationale” (unresolved FQDN).
And one points to an expired CRL: “AC racine Pm-SGDN” (nearly 1 year old).

Looking into University of Michigan data (https://scans.io) reveals:
- 60 TLS certificates under “AC racine Agriculture”
- 1 long-since expired TLS certificate under “AC Ministère de la Justice”
- no certificate under “AC Direction Générale de l’Aviation Civile (DGAC)”
- 31 TLS certificates under “AC Port autonome de Marseille (PAM)”
- 2 TLS certificates under “AC racine Gendarmerie nationale”
- no certificate under “AC racine Pm-SGDN”

I haven’t checked those TLS certificates for compliance yet (key size, OCSP, CRLDP, presence and content of SAN, …), will do it soon. At first sight, a lot of them have CRLDP but no OCSP, some have a well-formed SAN, some have URI SAN, and many have no SAN at all.
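The compliance triage the post says is still to be done (key size, CRLDP, OCSP, SAN, validity), as an added example that is not part of the original message. It assumes an `openssl` CLI (1.1.1 or later for `-addext`); the certificate it inspects is generated locally, so it is a constructed sample and not one of the certificates discussed above.

```shell
#!/bin/sh
# Added example: per-certificate triage of the points listed in the post.
# Assumes an openssl CLI is on PATH; the test certificate is constructed locally.
set -eu

# check_cert FILE: print one "check=result" line per item; return 0 if all pass, 1 otherwise.
check_cert() {
  txt=$(openssl x509 -in "$1" -noout -text)
  rc=0

  # Key size: the thread concerns the 2048-bit IGC/A, so flag anything below 2048 bits.
  bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
  if [ "${bits:-0}" -ge 2048 ]; then echo "keysize=ok($bits)"; else echo "keysize=WEAK(${bits:-?})"; rc=1; fi

  # CRL Distribution Points: without one, a relying party cannot locate a CRL at all.
  if printf '%s\n' "$txt" | grep -q 'CRL Distribution Points'; then echo "crldp=ok"; else echo "crldp=MISSING"; rc=1; fi

  # The OCSP responder URL is carried in the Authority Information Access extension.
  if printf '%s\n' "$txt" | grep -q 'OCSP - URI:'; then echo "ocsp=ok"; else echo "ocsp=MISSING"; rc=1; fi

  # SAN: distinguish a dNSName SAN, a URI-only SAN, and no SAN extension at all.
  san=$(printf '%s\n' "$txt" | grep -A1 'Subject Alternative Name' | tail -n1 || true)
  case "$san" in
    *DNS:*) echo "san=ok(dns)" ;;
    *URI:*) echo "san=URI-only"; rc=1 ;;
    *)      echo "san=MISSING"; rc=1 ;;
  esac

  # Validity: -checkend 0 exits non-zero once the certificate has expired.
  if openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then echo "validity=ok"; else echo "validity=EXPIRED"; rc=1; fi
  return $rc
}

# make_test_cert FILE: constructed sample with a CRLDP and a DNS SAN but no OCSP URL,
# the pattern the post reports seeing at first sight (key is written beside it).
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=www.example.test' \
    -addext 'subjectAltName=DNS:www.example.test' \
    -addext 'crlDistributionPoints=URI:http://crl.example.test/ca.crl' \
    -keyout "$1.key" -out "$1" 2>/dev/null
}

work=$(mktemp -d)
make_test_cert "$work/sample.pem"
check_cert "$work/sample.pem" || echo "result=non-compliant"
```

Point `check_cert` at any PEM file exported from the scans.io data to apply the same checks; a URI-only SAN is reported separately because such a certificate still fails name matching for a DNS host.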

