On Thursday, 19 June 2014 20:28:28 UTC+2, Kathleen Wilson wrote:
> ANF Autoridad de Certificación has applied to include the "ANF Server 
> CA" and "ANF Global Root CA" root certificates, turn on the websites 
> trust bit for both, and enable EV treatment for the "ANF Global Root CA" 
> certificate.
[...]

Under "ANF Global Root CA":

https://kerberosns.com/cloud 
EV certificate is not compliant with EV Guidelines:
 - missing mandatory serialNumber in subjectDN (see section 9.2.6)
 - are you sure that "JORGE CABRERA CLARISSO" is the legal name of the entity 
as recorded by the incorporating or registration agency? Other attributes 
in the certificate imply that this is in fact a personal name (givenName=JORGE, 
surname=CABRERA CLARISSO)

OCSP service behind "http://ocsp.anf.es/spain/AV"; when validating the 
subscriber certificate sends useless certificates in the responses:
 - the issuer of the dedicated OCSP responder (the requester already has it, 
since it is necessary to build the request)
 - the root certificate "ANF Global Root CA" (seriously?)
That's 4.8k wasted on the wire for each response, approx. 70%.


Under "ANF Server CA":

https://anf.kerberosns.com/en/
Nothing particular on the server certificate

OCSP service behind "http://ocsp.anf.es/spain/AV"; when validating the 
subscriber certificate has the same problems as mentioned (useless CA 
certificates in the response), plus:
 - OCSP responder certificate is a 1024 bits one
 - OCSP responder certificate doesn't contain the OCSPNoCheck extension
 - OCSP responder certificate contains an empty CRLDP extension (forbidden by 
definition); remove it, and add the OCSPNoCheck extension

Issuing certificate "ANF SSL Sede CA1" has the following problems:
 - the CRLDP is invalid: 3 URLs are concatenated (separated by a '\n' 
character); one of them seems to be improperly constructed 
(ldap://ldap.anf.es:389/cn=ANF_SSL_Sede_CA1.crl,ou=ANF_SSL_Sede_CA1,ou=ANF_Server_CA,dc=anf
 should probably be 
ldap://ldap.anf.es:389/cn=ANFServerCA_arl.crl,ou=ANF_Server_CA,dc=anf), while 
the 2 others point to a CRL whose scope is reduced to user certificates, thus 
not compatible with this CA certificate
 - the SAN extension contains an invalid "dNSName=http://www.anf.es" entry 
(this is a URI, not a DNS Name)

OCSP service behind "http://www.anf.es/AC/RC/ocsp"; when validating the issuing 
certificate has the same problems (useless CA certificates in the response), 
plus:
 - OCSP responder certificate doesn't contain the OCSPNoCheck extension

Root certificate contains useless extensions:
 - AIA:OCSP
 - CRLDP (pointing to a CRL valid for user certificates only)
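The checks raised in this post, written up as an added example (not code from the thread, from Mozilla or from ANF): a small lint over certificate fields handed in as plain dicts, assuming the certificates have already been parsed by some other tool. The dict keys and the 2048-bit responder key floor are assumptions of the example.

```python
import re

# RFC 1123 host-name label; a SAN dNSName must be a bare host name, never a URI.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
OCSP_NOCHECK_OID = "1.3.6.1.5.5.7.48.1.5"   # id-pkix-ocsp-nocheck, RFC 6960 4.2.2.2.1
MIN_RSA_BITS = 2048                          # assumed policy floor for responder keys

def valid_dnsname(name):
    """True only for a syntactically valid host name (a leading '*.' label is allowed)."""
    labels = name.rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    return bool(labels) and all(_LABEL.match(lab) for lab in labels)

def lint_san(dns_names):
    """Flag dNSName entries that are not host names (e.g. a URI stuffed into dNSName)."""
    return ["invalid dNSName %r: a URI, not a DNS name" % n
            for n in dns_names if not valid_dnsname(n)]

def lint_crldp(crldp):
    """crldp: None if the extension is absent, else its list of URI strings."""
    findings = []
    if crldp is not None and not crldp:
        findings.append("empty CRLDP extension is forbidden; remove it")
    for uri in crldp or []:
        if "\n" in uri:   # several URLs glued into one distributionPoint entry
            findings.append("one CRLDP entry holds %d newline-joined URLs" % (uri.count("\n") + 1))
    return findings

def lint_ocsp_responder(cert):
    """cert: {'key_bits': int, 'extensions': [OID, ...], 'crldp': list or None} (assumed shape)."""
    findings = lint_crldp(cert.get("crldp"))
    if cert.get("key_bits", 0) < MIN_RSA_BITS:
        findings.append("responder key is %d bits; %d or more required"
                        % (cert.get("key_bits", 0), MIN_RSA_BITS))
    if OCSP_NOCHECK_OID not in cert.get("extensions", ()):
        findings.append("missing id-pkix-ocsp-nocheck extension")
    return findings

def lint_ev_subject(subject):
    """subject: dict of attribute type -> value. EV Guidelines 9.2.6 require a
    serialNumber; person-name attributes suggest O is not a registered entity."""
    findings = []
    if "serialNumber" not in subject:
        findings.append("EV subject lacks mandatory serialNumber (EV Guidelines 9.2.6)")
    if "givenName" in subject or "surname" in subject:
        findings.append("subject has givenName/surname; O=%r may be a personal name" % subject.get("O"))
    return findings
```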
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy