On Tuesday, 24 June 2014 20:10:23 UTC+2, Erwann Abalea wrote:
> Hello Moises,
>
> On Monday, 23 June 2014 11:53:05 UTC+2, [email protected] wrote:
>
> > On Friday, 20 June 2014 17:07:05 UTC+2, Erwann Abalea wrote:
> >
> > > Under "ANF Global Root CA":
> > >
> > > https://kerberosns.com/cloud
> > >
> > > EV certificate is not compliant with EV Guidelines:
> >
> > [...]
> >
> > Hello,
> >
> > I'm Moises Amador, ANF's representative.
> >
> > This is the account from which we officially respond.
> >
> > Erwann, thanks for taking the time to review our request.
> > We will carefully review the points you mention, and answer all soon.
>
> There's one additional point which doesn't affect Mozilla (for now), but
> currently affects Microsoft.
>
> Your OCSP responders don't set the nextUpdate date (it's optional). This is
> valid, but it has a side-effect: Microsoft CAPI considers that such responses
> are obsolete, and falls back to CRL download.
>
> If your CRLs are invalid, as is the case when validating the "ANF SSL Sede CA1"
> certificate, it becomes a security problem.

Regarding this last point, as it is an optional field and our OCSP responders
do not consult CRLs, the "nextUpdate date" field is not included.
Regarding the comment on the "ANF SSL Sede CA1" certificate, a solution to this
was proposed on 30 June:

> > Issuing certificate "ANF SSL Sede CA1" has the following problems:
> >
> >  - the CRLDP is invalid; 3 URLs are concatenated (separated by a '\n'
> > character), one of them seems to be improperly constructed
> > (ldap://ldap.anf.es:389/cn=ANF_SSL_Sede_CA1.crl,ou=ANF_SSL_Sede_CA1,ou=ANF_Server_CA,dc=anf
> > should probably be
> > ldap://ldap.anf.es:389/cn=ANFServerCA_arl.crl,ou=ANF_Server_CA,dc=anf),
> > while the 2 others point to a CRL whose scope is reduced to user
> > certificates, thus not compatible with this CA certificate
> >
> >  - the SAN extension contains an invalid "dNSName=http://www.anf.es" entry
> > (this is a URI, not a DNS Name)
> >
> A new certificate will be issued considering your comments.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
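As an added example (not code from this thread, from ANF or from Mozilla), the following Python lint checks for the three defects discussed above on plain strings: a URI placed in a SAN dNSName, several URLs concatenated into one CRLDP entry, and the chained effect of an OCSP response without nextUpdate when the fallback CRL is unusable. The `revocation_path` model of the client behaviour and the sample inputs are assumptions constructed to mirror the reported findings.

```python
"""Lint for the findings in this thread (added example, not ANF's or Mozilla's
code).  Works on plain strings so it runs without a certificate parser; the
sample inputs below are constructed to mirror the reported defects."""
import re
from typing import List, Optional
from urllib.parse import urlsplit

# RFC 5280 4.2.1.6: a dNSName holds a host name in "preferred name syntax",
# never a URI.  Each label: letters, digits, hyphen; no leading/trailing '-'.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_dnsname(value: str) -> List[str]:
    """Problems with one SAN dNSName entry; an empty list means it is fine."""
    if "://" in value or "/" in value:
        return [f"dNSName {value!r} is a URI, not a DNS name"]
    labels = value.rstrip(".").split(".")
    if any(not _LABEL.match(label) for label in labels):
        return [f"dNSName {value!r} has an invalid label"]
    return []


def check_crldp(uris: List[str]) -> List[str]:
    """Problems with the URIs of a CRL distribution point's GeneralNames."""
    problems = []
    for uri in uris:
        if "\n" in uri:  # several URLs glued into one uniformResourceIdentifier
            problems.append(f"concatenated URLs in one GeneralName: {uri!r}")
        elif urlsplit(uri).scheme not in ("http", "ldap"):
            problems.append(f"unexpected CRLDP scheme in {uri!r}")
    return problems


def revocation_path(ocsp_next_update: Optional[str], crldp_problems: List[str]) -> str:
    """Assumed, simplified model of a client that treats an OCSP response
    without nextUpdate as stale and falls back to the CRL (the Microsoft CAPI
    behaviour described in the thread).  Returns the source finally relied on."""
    if ocsp_next_update is not None:
        return "ocsp"
    return "crl" if not crldp_problems else "none"  # no usable revocation data


# Constructed samples mirroring the thread: a URI in dNSName and three URLs
# concatenated with '\n' inside a single CRLDP entry.
SAN_ENTRIES = ["http://www.anf.es", "kerberosns.com"]
CRLDP_URIS = ["http://crl.example.invalid/a.crl\nhttp://crl.example.invalid/b.crl"
              "\nldap://ldap.example.invalid:389/cn=a.crl,dc=example"]

if __name__ == "__main__":
    for entry in SAN_ENTRIES:
        print(entry, check_dnsname(entry))
    print(check_crldp(CRLDP_URIS))
    print("revocation source:", revocation_path(None, check_crldp(CRLDP_URIS)))
```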