On Wednesday, January 29, 2014 01:25:28 UTC+1, Kathleen Wilson wrote:
> DigiCert has applied to include 5 new root certificates that will
> eventually replace the 3 DigiCert root certificates that were included
> in NSS via bug #364568. The request is to turn on all 3 trust bits and
> enable EV for all of the new root certs.
>
> 1) DigiCert Assured ID Root G2 -- This SHA-256 root will eventually
> replace the SHA-1 "DigiCert Assured ID Root CA" certificate.
>
> 2) DigiCert Assured ID Root G3 -- The ECC version of the Assured ID root.
>
> 3) DigiCert Global Root G2 -- This SHA-256 root will eventually replace
> the SHA-1 "DigiCert Global Root CA" certificate.
>
> 4) DigiCert Global Root G3 -- The ECC version of the Global root.
>
> 5) DigiCert Trusted Root G4 -- This SHA-384 root will eventually replace
> the SHA-1 "DigiCert High Assurance EV Root CA" certificate.
There are some minor points:

- the CRLs include a revoked certificate with the reason "unspecified"; RFC 5280 states that it SHOULD be absent (instead of using this reason code). SHOULD isn't a MUST.
- the OCSP responders, when asked about the only revoked certificate so far (serial 01000000000000000000000000000001), reply as if it were nonexistent (unauthorized); this is strange, as this certificate should exist if it's revoked.
- the ECC certificates have a keyUsage set to digitalSignature and keyAgreement; keyAgreement is correct with respect to the public key (id-ecPublicKey covers both ECDSA and ECDH keys), but is useless in TLS (not a security problem at all).

The first and third points are only remarks and can be ignored, but could you reply on the second point, Jeremy?

Other than that, everything's clean.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
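The three checks above can be automated. What follows is an added example, not code from this thread, from DigiCert or from Mozilla: it builds throwaway fixtures in memory with the `cryptography` library (assumed installed) that reproduce each observation, namely an ECC end-entity certificate carrying keyUsage digitalSignature+keyAgreement, a CRL entry for the serial quoted above with reasonCode "unspecified", and an OCSP response of "unauthorized" standing in for the responder's reply, and then runs lint functions over them. The CA name, the key sizes and the `build_fixtures` helper are assumptions for the demonstration; the serial number is the one quoted in the post.

```python
"""Lint checks for the CRL / OCSP / keyUsage observations above.
Added example, not from the mailing-list post; fixtures are constructed
in memory and labelled as such.  Requires the `cryptography` package."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2014, 1, 29, tzinfo=datetime.timezone.utc)
# Serial quoted in the post: 0x01, fourteen zero bytes, 0x01.
REVOKED_SERIAL = int("01000000000000000000000000000001", 16)


def build_fixtures(reason=x509.ReasonFlags.unspecified):
    """Constructed test data (hypothetical CA, not DigiCert's): an ECC CA,
    one ECC end-entity cert, a CRL revoking it with `reason` (None omits
    the reasonCode extension), and an 'unauthorized' OCSP response."""
    ca_key = ec.generate_private_key(ec.SECP384R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test Root")])
    ee_key = ec.generate_private_key(ec.SECP256R1())
    ee_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "ecc.example.test")])
    # keyUsage as described in the post: digitalSignature + keyAgreement.
    key_usage = x509.KeyUsage(
        digital_signature=True, content_commitment=False, key_encipherment=False,
        data_encipherment=False, key_agreement=True, key_cert_sign=False,
        crl_sign=False, encipher_only=False, decipher_only=False)
    ee_cert = (x509.CertificateBuilder()
               .subject_name(ee_name).issuer_name(ca_name)
               .public_key(ee_key.public_key()).serial_number(REVOKED_SERIAL)
               .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
               .add_extension(key_usage, critical=True)
               .sign(ca_key, hashes.SHA384()))
    revoked = (x509.RevokedCertificateBuilder()
               .serial_number(REVOKED_SERIAL).revocation_date(NOW))
    if reason is not None:
        revoked = revoked.add_extension(x509.CRLReason(reason), critical=False)
    crl = (x509.CertificateRevocationListBuilder()
           .issuer_name(ca_name).last_update(NOW)
           .next_update(NOW + datetime.timedelta(days=7))
           .add_revoked_certificate(revoked.build())
           .sign(ca_key, hashes.SHA384()))
    # Stand-in for the responder's answer reported in the post.
    ocsp_reply = ocsp.OCSPResponseBuilder.build_unsuccessful(
        ocsp.OCSPResponseStatus.UNAUTHORIZED)
    return {"cert": ee_cert, "crl": crl, "ocsp": ocsp_reply}


def crl_reason_findings(crl):
    """RFC 5280 5.3.1: reasonCode unspecified(0) SHOULD NOT be asserted;
    the extension should simply be omitted.  Returns one finding per entry."""
    findings = []
    for entry in crl:
        try:
            reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
        except x509.ExtensionNotFound:
            continue
        if reason == x509.ReasonFlags.unspecified:
            findings.append(
                f"serial {entry.serial_number:032x}: reasonCode 'unspecified' present "
                "(RFC 5280 5.3.1 says SHOULD be absent)")
    return findings


def ocsp_consistency_finding(crl, ocsp_reply, serial):
    """A serial listed on the CRL must get a definitive 'revoked' from OCSP.
    Any non-successful status (e.g. unauthorized) or a non-revoked status
    is an inconsistency between the CA's two revocation channels."""
    if crl.get_revoked_certificate_by_serial_number(serial) is None:
        return None  # not on the CRL: nothing to cross-check here
    if ocsp_reply.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return (f"serial {serial:032x}: on CRL but OCSP responder answered "
                f"{ocsp_reply.response_status.name}")
    if ocsp_reply.certificate_status != ocsp.OCSPCertStatus.REVOKED:
        return (f"serial {serial:032x}: on CRL but OCSP says "
                f"{ocsp_reply.certificate_status.name}")
    return None


def ec_keyagreement_note(cert):
    """keyAgreement on an id-ecPublicKey key is valid per RFC 5480, but
    TLS ECDHE suites only need digitalSignature; report it as a remark."""
    key_usage = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    if isinstance(cert.public_key(), ec.EllipticCurvePublicKey) and key_usage.key_agreement:
        return "keyAgreement set on an EC key: correct for the key type, unused by TLS ECDHE"
    return None


if __name__ == "__main__":
    f = build_fixtures()
    for line in crl_reason_findings(f["crl"]):
        print("CRL:", line)
    print("OCSP:", ocsp_consistency_finding(f["crl"], f["ocsp"], REVOKED_SERIAL))
    print("KU:", ec_keyagreement_note(f["cert"]))
```

Against a real CA the same functions run on `x509.load_der_x509_crl(...)`, `ocsp.load_der_ocsp_response(...)` and `x509.load_der_x509_certificate(...)` fetched from the published CRL distribution point and OCSP URL; the fixtures here only exist so the checks can be exercised offline.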

