All,
Are there any other concerns regarding this root inclusion request from ANF?
If ANF resolves all of the concerns that Erwann listed below, then
should we allow this request to continue?
Or should we require a new audit?
Thanks,
Kathleen
On 6/20/14, 8:07 AM, Erwann Abalea wrote:
On Thursday 19 June 2014 20:28:28 UTC+2, Kathleen Wilson wrote:
ANF Autoridad de Certificación has applied to include the "ANF Server
CA" and "ANF Global Root CA" root certificates, turn on the websites
trust bit for both, and enable EV treatment for the "ANF Global Root CA"
certificate.
[...]
Under "ANF Global Root CA":
https://kerberosns.com/cloud
EV certificate is not compliant with EV Guidelines:
- missing mandatory serialNumber in subjectDN (see section 9.2.6)
- are you sure that "JORGE CABRERA CLARISSO" is the legal name of the entity
as recorded by the incorporating or registration agency? Other attributes in the
certificate imply that this is in fact a personal name (givenName=JORGE, surname=CABRERA
CLARISSO)
OCSP service behind "http://ocsp.anf.es/spain/AV" when validating the
subscriber certificate sends useless certificates in the responses:
- the issuer of the dedicated OCSP responder (the requester already has it,
since it is necessary to build the request)
- the root certificate "ANF Global Root CA" (seriously?)
That's 4.8k wasted on the wire for each response, approx. 70%.
Under "ANF Server CA":
https://anf.kerberosns.com/en/
Nothing particular on the server certificate
OCSP service behind "http://ocsp.anf.es/spain/AV" when validating the
subscriber certificate has the same problems as mentioned (useless CA certificates in the
response), plus:
- OCSP responder certificate is a 1024-bit one
- OCSP responder certificate doesn't contain the OCSPNoCheck extension
- OCSP responder certificate contains an empty CRLDP extension (forbidden by
definition); remove it, and add the OCSPNoCheck extension
Issuing certificate "ANF SSL Sede CA1" has the following problems:
- the CRLDP is invalid (3 URLs are concatenated, separated by a '\n'
character); one of them seems to be improperly constructed
(ldap://ldap.anf.es:389/cn=ANF_SSL_Sede_CA1.crl,ou=ANF_SSL_Sede_CA1,ou=ANF_Server_CA,dc=anf
should probably be
ldap://ldap.anf.es:389/cn=ANFServerCA_arl.crl,ou=ANF_Server_CA,dc=anf), while
the 2 others point to a CRL whose scope is reduced to user certificates, thus
not compatible with this CA certificate
- the SAN extension contains an invalid "dNSName=http://www.anf.es" entry
(this is a URI, not a DNS Name)
OCSP service behind "http://www.anf.es/AC/RC/ocsp" when validating the issuing
certificate has the same problems (useless CA certificates in the response), plus:
- OCSP responder certificate doesn't contain the OCSPNoCheck extension
Root certificate contains useless extensions:
- AIA:OCSP
- CRLDP (pointing to a CRL valid for user certificates only)
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
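The defects Erwann enumerates above are all mechanically checkable from the certificates themselves. The program below is an added example, not code from the thread, from Mozilla or from ANF: it lints a certificate for the specific problems named (missing EV serialNumber, a 1024-bit OCSP responder key, a missing id-pkix-ocsp-nocheck extension, an empty CRLDP, several URLs concatenated into one CRLDP entry, and a URI placed in a dNSName), using only Go's standard crypto/x509. It generates its own throwaway self-signed certificates for each case; every hostname, URL and subject name in it is a constructed placeholder, and nothing on the page's real endpoints is contacted. The OCSP-response padding Erwann measured is not covered, since that needs a live response rather than a certificate.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"slices"
	"strings"
	"time"
)

// Extension OIDs named in the thread: id-pkix-ocsp-nocheck and CRLDistributionPoints.
var oidOCSPNoCheck = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 5}
var oidCRLDP = asn1.ObjectIdentifier{2, 5, 29, 31}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Lint returns one finding per defect from the thread that applies to a certificate
// acting in the given role: "ev-leaf", "ocsp-responder" or "issuing-ca".
func Lint(c *x509.Certificate, role string) (out []string) {
	has := func(oid asn1.ObjectIdentifier) bool {
		return slices.ContainsFunc(c.Extensions, func(e pkix.Extension) bool { return e.Id.Equal(oid) })
	}
	switch role {
	case "ev-leaf":
		if c.Subject.SerialNumber == "" {
			out = append(out, "EV subject DN lacks the mandatory serialNumber (EV Guidelines 9.2.6)")
		}
	case "ocsp-responder":
		if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 2048 {
			out = append(out, fmt.Sprintf("responder key is only %d bits", k.N.BitLen()))
		}
		if !has(oidOCSPNoCheck) {
			out = append(out, "responder lacks the id-pkix-ocsp-nocheck extension")
		}
		// Go parses an empty CRLDP into a nil slice, so the raw extension list is consulted.
		if has(oidCRLDP) && len(c.CRLDistributionPoints) == 0 {
			out = append(out, "responder carries an empty CRLDP extension")
		}
	case "issuing-ca":
		for _, u := range c.CRLDistributionPoints {
			if strings.ContainsAny(u, "\n\r") {
				out = append(out, "CRLDP URI contains line breaks: several URLs concatenated into one")
			}
		}
		for _, d := range c.DNSNames {
			if strings.ContainsAny(d, ":/") {
				out = append(out, "SAN dNSName "+d+" is a URI, not a DNS name")
			}
		}
	}
	return out
}

// makeCert self-signs tmpl with a fresh RSA key of the given size and returns it
// re-parsed, so Lint sees exactly what a client would decode from the wire.
func makeCert(tmpl *x509.Certificate, bits int) *x509.Certificate {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	must(err)
	tmpl.SerialNumber, tmpl.NotBefore = big.NewInt(1), time.Now()
	tmpl.NotAfter = tmpl.NotBefore.Add(24 * time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	c, err := x509.ParseCertificate(der)
	must(err)
	return c
}

// Scenarios builds one throwaway certificate per problem (every name and URL is a
// constructed placeholder, not ANF's) and lints each in its role.
func Scenarios() map[string][]string {
	ocsp := []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}
	lint := func(role string, bits int, t *x509.Certificate) []string { return Lint(makeCert(t, bits), role) }
	return map[string][]string{
		// EV server certificate whose subject DN carries no serialNumber.
		"ev-leaf": lint("ev-leaf", 2048, &x509.Certificate{Subject: pkix.Name{CommonName: "ev.example",
			Organization: []string{"EXAMPLE ORG"}}, DNSNames: []string{"ev.example"}}),
		// 1024-bit responder with an empty CRLDP (DER "30 00") and no nocheck extension.
		"ocsp-responder": lint("ocsp-responder", 1024, &x509.Certificate{Subject: pkix.Name{CommonName: "bad"},
			ExtKeyUsage: ocsp, ExtraExtensions: []pkix.Extension{{Id: oidCRLDP, Value: []byte{0x30, 0x00}}}}),
		// The corrected responder: 2048-bit key, nocheck (DER NULL) present, CRLDP removed.
		"ocsp-responder-fixed": lint("ocsp-responder", 2048, &x509.Certificate{Subject: pkix.Name{CommonName: "good"},
			ExtKeyUsage: ocsp, ExtraExtensions: []pkix.Extension{{Id: oidOCSPNoCheck, Value: []byte{0x05, 0x00}}}}),
		// Issuing CA with three URLs joined by '\n' in one CRLDP entry and a URI as a dNSName.
		"issuing-ca": lint("issuing-ca", 2048, &x509.Certificate{Subject: pkix.Name{CommonName: "Issuing CA"},
			IsCA: true, BasicConstraintsValid: true, DNSNames: []string{"http://www.example"}, CRLDistributionPoints: []string{
				"http://crl.example/a.crl\nhttp://crl.example/b.crl\nldap://ldap.example/cn=c.crl"}}),
	}
}

func main() {
	for role, findings := range Scenarios() {
		fmt.Printf("%-21s %d finding(s): %q\n", role, len(findings), findings)
	}
}
```

To lint a real chain, replace the constructed templates with `x509.ParseCertificate` over the DER of each certificate and pass the role it plays. Note the empty-CRLDP check: the parsed `CRLDistributionPoints` field cannot distinguish "no CRLDP" from "CRLDP with no distribution points", so the raw `Extensions` list has to be consulted, which is the kind of detail a generic chain validator silently glosses over.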