I saw that he's contacting CAs about the missing SANs, but what about the other issues? I'd be very interested in hearing about any non-compliant certs related to DigiCert (if there are any).
Jeremy

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Kathleen Wilson
Sent: Tuesday, May 20, 2014 12:24 PM
To: [email protected]
Subject: Re: Checking certificate requirements

On 5/20/14, 10:03 AM, Kurt Roeckx wrote:
> I've been working on checking that certificates made by the CAs are
> following requirements, and how it changes over time. You can see the
> results at:
> http://www.roeckx.be/certificates/
>
>
> Kurt
>

Kurt, great work! Thank you for sharing this analysis!

> Conclusions
> Some of the CA/Browser Forum baseline requirements seem to be getting
> adopted well, but there are still some certificates generated that
> don't follow the requirements. Other requirements don't seem to get
> adopted. Those that don't get adopted seem to have to do with things
> about the CA itself and not with the subject of the certificates.

Maybe we should re-visit the idea of a "wall of shame", and publicly list the CAs who are still issuing certificates with the following problems.

* No Subject Alternative Name extension
* Fails decoding the character set
* Contains control characters
* Certificate not version 3
* Long-lived certs (beyond what BRs allow)

> There is a surprising number of long-lived certificates.
> This results in it taking a long time to get those
> requirements adopted.

Yep. Long-lived certs are definitely a problem. It's also impeded phasing out 1024-bit certs.

> News
> May 2013: I've been contacting CAs about the missing subject
> alternative name extension, since I think that's currently the
> biggest problem. Hopefully we'll see things improve over time.

Thank you for doing that! How has it been going?
Kathleen

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
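The five problems Kathleen lists (no SAN, character set decoding failures, control characters, non-v3 certificates, validity beyond what the BRs allow) can be checked mechanically. The following is an added example, not code from this thread or from Kurt's survey: a small pure-Python DER walker that runs those checks, plus a constructed, unsigned certificate-shaped sample (placeholder SubjectPublicKeyInfo and signature) to exercise them; the 60-month cap used as the "long-lived" threshold is an assumption.

```python
import datetime, re
OID_SAN, OID_CN = bytes.fromhex("551d11"), bytes.fromhex("550403")  # 2.5.29.17, 2.5.4.3
MAX_DAYS = 60 * 31          # assumed threshold: the BR 60-month maximum, in days
CHARSETS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii", 0x1E: "utf-16-be"}  # by string tag

def tlv(buf, i=0):  # decode one DER TLV at offset i -> (tag, value, offset after it)
    tag, ln, i = buf[i], buf[i + 1], i + 2
    if ln & 0x80:   # long-form length: 0x8n, then n bytes holding the length
        ln, i = int.from_bytes(buf[i:i + (ln & 0x7F)], "big"), i + (ln & 0x7F)
    return tag, buf[i:i + ln], i + ln

def children(value, i=0):  # (tag, value) pairs directly inside a constructed value
    return [] if i >= len(value) else [tlv(value, i)[:2]] + children(value, tlv(value, i)[2])

def check_cert(der_cert):
    """Return the list of baseline problems found in a DER certificate (empty = passes)."""
    fields, problems = children(children(tlv(der_cert)[1])[0][1]), []
    version = fields.pop(0)[1][-1] + 1 if fields[0][0] == 0xA0 else 1  # [0] absent => v1
    if version != 3:
        problems.append(f"certificate is v{version}, not v3")
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}       # UTCTime / GeneralizedTime
    nb, na = [datetime.datetime.strptime(v.decode(), fmt[t]) for t, v in children(fields[3][1])]
    if (na - nb).days > MAX_DAYS:
        problems.append(f"validity of {(na - nb).days} days exceeds {MAX_DAYS}")
    for stag, sval in [children(ava)[1] for _, rdn in children(fields[4][1]) for _, ava in children(rdn)]:
        try:  # subject is SEQUENCE OF SET OF SEQUENCE{OID, string}; the string tag picks the charset
            text = sval.decode(CHARSETS.get(stag, "ascii"))
        except UnicodeDecodeError:
            problems.append("subject attribute fails character set decoding"); continue
        if re.search(r"[\x00-\x1f\x7f]", text):
            problems.append(f"subject attribute contains control characters: {text!r}")
    ext_oids = [children(e)[0][1] for t, v in fields if t == 0xA3 for _, e in children(children(v)[0][1])]
    if OID_SAN not in ext_oids:  # [3] holds SEQUENCE OF SEQUENCE{OID, [critical], OCTET STRING}
        problems.append("no subjectAltName extension")
    return problems

def der(tag, content):  # minimal DER encoder, used only to build the sample certificates
    lb = len(content).to_bytes(max(1, (len(content).bit_length() + 7) // 8), "big")
    return bytes([tag]) + (lb if len(content) < 128 else bytes([0x80 | len(lb)]) + lb) + content

def sample_cert(cn=b"example.test", v3=True, san=True, days=365):
    """Constructed, unsigned certificate-shaped DER (placeholder SPKI and signature)."""
    t0, utc = datetime.datetime(2014, 5, 1), lambda d: der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    name = der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, cn))))
    alg = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")) + der(0x05, b""))  # sha256WithRSA
    f = [der(0xA0, der(0x02, b"\x02"))] if v3 else []
    f += [der(0x02, b"\x01"), alg, name, der(0x30, utc(t0) + utc(t0 + datetime.timedelta(days=days))),
          name, der(0x30, der(0x05, b""))]
    if san:
        f.append(der(0xA3, der(0x30, der(0x30, der(0x06, OID_SAN) + der(0x04, der(0x30, der(0x82, cn)))))))
    return der(0x30, der(0x30, b"".join(f)) + alg + der(0x03, b"\x00"))
```

`check_cert` takes raw DER, so a real certificate can be fed in after stripping the PEM armour and base64-decoding it; `sample_cert` only exists to produce clean and deliberately non-compliant inputs.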

