On Thursday, 23 October 2014 at 20:51:40 UTC+2, Kathleen Wilson wrote:
> Staat der Nederlanden has applied to include the "Staat der Nederlanden 
> Root CA - G3" and "Staat der Nederlanden EV Root CA" root certificates; 
> turn on the Websites and Email trust bits for the "Staat der Nederlanden 
> Root CA - G3" root; turn on the Websites trust bit for the "Staat der 
> Nederlanden EV Root CA"; and enable EV treatment for the "Staat der 
> Nederlanden EV Root CA" root. The "Staat der Nederlanden Root CA - G3" 
> root will eventually replace the first and second generations of this 
> root that were included via Bugzilla Bug #243424 and Bug #436056.
[...]

> * EV Policy OID: 2.16.528.1.1003.1.2.7
> 
> * Root Cert URLs
> http://cert.pkioverheid.nl/RootCA-G3.cer
> http://cert.pkioverheid.nl/EVRootCA.cer
> 
> * Test Websites
> https://roottest-g3.pkioverheid.nl

The subscriber certificate has a UPN entry type in the SAN extension. This is 
not accepted under BR (see 9.2.1, "[...] Each entry MUST be either a dNSName 
containing the Fully-Qualified Domain Name or an iPAddress containing the IP 
address of a server. [...]").

> https://pkioevssl-v.quovadisglobal.com/

This subscriber certificate also has a UPN entry in the SAN.

> * CRL
> http://crl.pkioverheid.nl/RootLatestCRL-G3.crl
> http://crl.pkioverheid.nl/DomOrganisatieServicesLatestCRL-G3.crl
> http://crl.pkioverheid.nl/DomOrganisatiePersoonLatestCRL-G3.crl
> http://crl.pkioverheid.nl/DomBurgerLatestCRL-G3.crl
> http://crl.pkioverheid.nl/DomAutonomeApparatenLatestCRL-G3.crl
> http://cert.managedpki.com/crl/KPNCorporateMarketCSPOrganisatieServicesCAG3/LatestCRL.crl
> 
> http://crl.pkioverheid.nl/EVRootLatestCRL.crl
> http://crl.pkioverheid.nl/EVIntermediairLatestCRL.crl
> http://crl.quovadisglobal.com/pkioevca.crl
> 
> * OCSP
> http://rootocsp-g3.pkioverheid.nl
> http://domorganisatieservicesocsp-g3.pkioverheid.nl
> http://ocsp3.managedpki.com
> http://evrootocsp.pkioverheid.nl
> http://ocsp.pkioverheid.nl
> http://ocsp.quovadisglobal.com

OCSP services are OK, but:
 - the ones hosted at *.pkioverheid.nl return a response bigger than necessary 
(the whole certificate chain including the root)
 - the one at ocsp.quovadisglobal.com returns wrongly formatted "Expires" and 
"Last-Modified" HTTP headers (see RFC 2616 3.3.1)
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
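The two findings in the message above (a UPN otherName in the SAN, which BR 9.2.1 does not allow, and OCSP HTTP date headers that are not in the RFC 1123 form) can be checked mechanically. The script below is an added illustration written for this page; it is not code from the thread, from Mozilla or from the PKIoverheid operators. It parses a SAN extension value with a minimal DER reader and reports every GeneralName type, flagging those outside dNSName/iPAddress, and it classifies HTTP-date values by the three forms RFC 2616 3.3.1 lists (of which only RFC 1123 may be sent). The SAN bytes, the host names, the 192.0.2.1 address and the header values are constructed sample data; the otherName type-id 1.3.6.1.4.1.311.20.2.3 is the Microsoft User Principal Name OID.

```python
"""Constructed checks for the two findings above: GeneralName types in the SAN
extension that BR 9.2.1 does not permit, and OCSP HTTP date headers that are
not in the RFC 1123 form required by RFC 2616 section 3.3.1."""
import datetime
import re

# -- minimal DER helpers (assumption: definite lengths only, which is all X.509 uses)
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

# GeneralName context tag numbers (RFC 5280 4.2.1.6); BR 9.2.1 allows only two of them
GENERAL_NAME = {0: "otherName", 1: "rfc822Name", 2: "dNSName", 3: "x400Address",
                4: "directoryName", 5: "ediPartyName", 6: "uniformResourceIdentifier",
                7: "iPAddress", 8: "registeredID"}
BR_ALLOWED = {"dNSName", "iPAddress"}
UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # Microsoft User Principal Name otherName type-id

def audit_san(san_der):
    """Return [(kind, detail, allowed_by_BR)] for every entry of a SAN extension value."""
    tag, names, _ = read_tlv(san_der, 0)
    assert tag == 0x30, "SAN value must be SEQUENCE OF GeneralName"
    pos, findings = 0, []
    while pos < len(names):
        tag, value, pos = read_tlv(names, pos)
        kind = GENERAL_NAME.get(tag & 0x1F, "unknown")
        if kind == "otherName":  # SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
            _, oid_body, _ = read_tlv(value, 0)
            oid = decode_oid(oid_body)
            detail = "UPN" if oid == UPN_OID else oid
        elif kind == "iPAddress":
            detail = ".".join(map(str, value)) if len(value) == 4 else value.hex()
        else:
            detail = value.decode("ascii", "replace")
        findings.append((kind, detail, kind in BR_ALLOWED))
    return findings

# Constructed SAN like the one in the finding: dNSName, UPN otherName, iPAddress.
SAMPLE_SAN = tlv(0x30,
    tlv(0x82, b"www.example.nl")
    + tlv(0xA0, tlv(0x06, bytes.fromhex("2b060104018237140203"))  # UPN_OID in DER
                + tlv(0xA0, tlv(0x0C, b"user@example.nl")))
    + tlv(0x87, bytes([192, 0, 2, 1])))

# -- HTTP-date forms from RFC 2616 3.3.1; senders must use the first one
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
HTTP_DATE_FORMS = [
    ("rfc1123", r"^[A-Z][a-z]{2}, \d{2} [A-Z][a-z]{2} \d{4} \d{2}:\d{2}:\d{2} GMT$",
     "%a, %d %b %Y %H:%M:%S GMT"),
    ("rfc850", r"^[A-Z][a-z]+, \d{2}-[A-Z][a-z]{2}-\d{2} \d{2}:\d{2}:\d{2} GMT$",
     "%A, %d-%b-%y %H:%M:%S GMT"),
    ("asctime", r"^[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \d{4}$",
     "%a %b %d %H:%M:%S %Y"),
]

def http_date_form(value):
    """Return 'rfc1123', 'rfc850' or 'asctime', or None when the value is malformed."""
    for name, pattern, fmt in HTTP_DATE_FORMS:
        if re.match(pattern, value):
            try:
                dt = datetime.datetime.strptime(value, fmt)
            except ValueError:
                return None
            # strptime ignores the weekday name, so verify it against the date
            return name if value.startswith(DAYS[dt.weekday()]) else None
    return None

def audit_date_headers(headers):
    """Return the date headers whose value is not in the RFC 1123 sender form."""
    return [h for h in ("Date", "Expires", "Last-Modified")
            if h in headers and http_date_form(headers[h]) != "rfc1123"]

# Constructed OCSP response headers: only Date is in the required form.
SAMPLE_OCSP_HEADERS = {"Date": "Thu, 23 Oct 2014 18:51:40 GMT",
                       "Expires": "23 Oct 2014 18:51:40 +0000",
                       "Last-Modified": "Thursday, 23-Oct-14 18:51:40 GMT"}

if __name__ == "__main__":
    print(audit_san(SAMPLE_SAN))
    print(audit_date_headers(SAMPLE_OCSP_HEADERS))
```

On the constructed SAN the audit lists the dNSName and iPAddress as allowed and the otherName (reported as "UPN") as not allowed; on the constructed headers it reports "Expires" and "Last-Modified". The weekday consistency check matters in practice because `strptime` accepts any day name, so a date such as "Mon, 06 Nov 1994" would otherwise pass as well-formed.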