Thank you to those of you who have contributed to this discussion about ANF's request to include the "ANF Server CA" and "ANF Global Root CA" root certificates, turn on the websites trust bit for both, and enable EV treatment for the "ANF Global Root CA" certificate.

To summarize this discussion, the following concerns were raised.

1) The SSL certificate in the test website was not compliant with EV Guidelines, in particular it was missing the mandatory serialNumber in subjectDN (see section 9.2.6)

2) In the certificate the SAN extension contained an invalid "dNSName=http://www.anf.es" entry (this is a URI, not a DNS Name) – The BRs require compliance with RFC 5280, and this is a violation. RFC 5280, Page 35: "When the subjectAltName extension contains a domain name system label, the domain name MUST be stored in the dNSName (an IA5String). The name MUST be in the "preferred name syntax", as specified by Section 3.5 of [RFC 1034] and as modified by Section 2.1 of [RFC1123]." Section 3.5 is unambiguous about the construction of what a domain is (namely, ":" is never a valid character - only a-zA-Z are allowed as the first character, and a-zA-Z0-9 (and hyphen, -) are allowed as the remaining).

3) The CRLDP is improperly encoded - this is a violation of 4.2.1.13 (Page 45) of RFC5280. "If the DistributionPointName contains a general name of type URI, the following semantics MUST be assumed: ... . When the HTTP or FTP URI scheme is used, the URI MUST point to a single DER encoded CRL as specified in RFC2585" So it's invalid (not a valid URI, due to the embedded NULL), and even the URIs included are invalid.

4) OCSP issues, including 1024-bit OCSP responder certificate, and OCSP responder certificate doesn't contain the OCSPNoCheck extension. The lack of an OCSP noCheck is a violation of BR section 13.2.5: "In the latter case, the OCSP signing Certificate MUST contain an extension of type id-pkix-ocsp-nocheck, as defined by RFC2560"


Based on the findings listed above, I believe the proper course of action is for the ANF CA to fix these issues and be re-audited according to:
https://wiki.mozilla.org/CA:BaselineRequirements#Audit_Mistakes
After which, a second round of discussion will be needed.

Does anyone have any further comments about this request before I close this discussion and track the action items in the bug?

Thanks,
Kathleen

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
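As an added example (not part of this thread or of any ANF or Mozilla tooling), a small Python linter for two of the encoding defects listed above: SAN dNSName entries that are not in RFC 1034 preferred name syntax, and CRL distribution point URIs that are not valid URIs (for instance because of an embedded NULL). It assumes the DER has already been decoded to strings by your certificate library and checks only the values; the sample inputs are constructed, with the first SAN entry taken from the message.

```python
import re
from urllib.parse import urlsplit

# RFC 1034 s3.5 "preferred name syntax" as relaxed by RFC 1123 s2.1 (a label may
# start with a digit): 1-63 letters/digits/hyphens, no hyphen at either end.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def dnsname_errors(value: str) -> list[str]:
    """Reasons why a decoded SAN dNSName value violates RFC 5280 s4.2.1.6."""
    errors = []
    if any(ord(c) > 127 for c in value):
        errors.append("not IA5String: contains non-ASCII characters")
    if ":" in value or "/" in value:
        errors.append("contains ':' or '/': this is a URI, not a DNS name")
    for label in value.split("."):
        if not _LABEL.match(label):
            errors.append(f"label {label!r} is not in preferred name syntax")
    return errors

def crldp_uri_errors(value: str) -> list[str]:
    """Reasons why a decoded CRL Distribution Point URI violates RFC 5280 s4.2.1.13."""
    errors = []
    if "\x00" in value:
        errors.append("embedded NUL: not a valid URI")
        value = value.split("\x00", 1)[0]  # lint whatever precedes the NUL
    parts = urlsplit(value)
    if parts.scheme not in ("http", "ftp", "ldap"):
        errors.append(f"scheme {parts.scheme!r} is not one RFC 5280 provides for")
    if not parts.netloc:
        errors.append("no host component")
    if parts.scheme in ("http", "ftp") and not parts.path:
        errors.append("http/ftp URI must point at a single DER-encoded CRL file")
    return errors

def lint_certificate_names(dnsnames: list[str], crldp_uris: list[str]) -> dict:
    """Map each offending value to its problems; an empty dict means both lists are clean."""
    report = {}
    for name in dnsnames:
        if errs := dnsname_errors(name):
            report[name] = errs
    for uri in crldp_uris:
        if errs := crldp_uri_errors(uri):
            report[uri] = errs
    return report

# Constructed sample: the first SAN entry is the value quoted in the thread; the
# CRLDP URI with a trailing NUL mimics the embedded-NULL defect described above.
SAMPLE_REPORT = lint_certificate_names(["www.anf.es", "http://www.anf.es"],
                                       ["http://crl.example.test/ca.crl\x00"])
```

Run it on the SAN and CRLDP values your parser extracts from a pre-issuance test certificate; anything returned in the report is a BR/RFC 5280 violation to fix before the certificate is issued.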