On Thursday, 30 October 2014 at 19:17:41 UTC+1, Kathleen Wilson wrote:
> IdenTrust has applied to include the "IdenTrust Commercial Root CA 1"
> and "IdenTrust Public Sector Root CA 1" root certificates, and turn on
> the Websites and Email trust bits for both. The "IdenTrust Commercial
> Root CA 1" root will eventually replace the "DST Root X3" certificate,
> and the "IdenTrust Public Sector Root CA 1" root will eventually replace
> the "DST ACES X6" certificate. Both of the currently-included root
> certificates were included via Bugzilla Bug #394733.
> [...]
> * Root Cert URLs
> https://bugzilla.mozilla.org/attachment.cgi?id=8473319
> http://validation.identrust.com/roots/commercialrootca1.p7c
> https://bugzilla.mozilla.org/attachment.cgi?id=8473320
> http://validation.identrust.com/roots/publicrootca1.p7c
>
> * Test Websites
> https://sha2ssl-trustidvalid.identrustssl.com/
> https://sha2ssl-acesvalid.identrust.com/
> Comprehensive list: http://testssl.identrust.com/
>
> * CRL
> http://validation.identrust.com/crl/commercialrootca1.crl
> http://validation.identrust.com/crl/trustidcaa52.crl
> http://validation.identrust.com/crl/publicrootca1.crl
> http://validation.identrust.com/crl/acesca2.crl
>
> * OCSP
> http://commercial.ocsp.identrust.com
> http://public.ocsp.identrust.com

Nothing's obviously wrong on the certificates, CRLs, CP/CPS.

Intermediate certificates include EKU OIDs for IPSec {Tunnel, User, End System}, which is weird; why would anyone want a *public* certificate to authenticate against a virtual *private* network? That's not a blocker. These EKU OIDs are obsolete anyway.

The sha2ssl-acesvalid subscriber certificate includes the BR IV policyId OID, but this OID isn't granted to the issuer. Not a blocker, but if an RP explicitly requires this OID to be present, this chain will be rejected (see recent discussions on CABForum about CP OID chaining).

The OCSP responders both include too many certificates; this has a performance impact for your users; no need to include intermediate and root certificates in the response. Not a blocker.

The OCSP responders answer "unknown" when asked to verify the 2 given intermediate certificates. Not a blocker, but probably not expected.

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
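The CP OID chaining point raised above, as an added Go example that is not part of this thread or of IdenTrust's tooling: it mints a constructed two-certificate chain whose leaf asserts the BR IV policy OID (2.23.140.1.2.3) while its issuer asserts only its own policy, then lists the leaf policies the issuer never granted; the issuer's CP OID 1.3.6.1.4.1.99999.1, the names, and the Ed25519 keys are assumptions, and the check applies the plain chaining rule (issuer asserts the OID or anyPolicy) without RFC 5280 policy mappings.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

var oidAnyPolicy = asn1.ObjectIdentifier{2, 5, 29, 32, 0} // RFC 5280 anyPolicy: the issuer grants every policy

// ungrantedPolicies returns the leaf's certificatePolicies OIDs that the issuer neither asserts nor covers with anyPolicy.
func ungrantedPolicies(leaf, issuer *x509.Certificate) (missing []asn1.ObjectIdentifier) {
	granted := map[string]bool{} // plain chaining rule; RFC 5280 policy mappings are not applied
	for _, q := range issuer.PolicyIdentifiers {
		granted[q.String()] = true
	}
	for _, p := range leaf.PolicyIdentifiers {
		if !granted[p.String()] && !granted[oidAnyPolicy.String()] {
			missing = append(missing, p)
		}
	}
	return missing
}

// policyExt encodes certificatePolicies (2.5.29.32) as SEQUENCE OF PolicyInformation{policyIdentifier}, no qualifiers.
func policyExt(oid asn1.ObjectIdentifier) pkix.Extension {
	der, _ := asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{oid}}) // a single OID always marshals
	return pkix.Extension{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: der}
}

// buildChain mints a constructed CA (asserting only a made-up CP OID) and a leaf asserting BR IV, 2.23.140.1.2.3; throwaway Ed25519 keys, errors ignored because the templates are fixed.
func buildChain() (ca, leaf *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), BasicConstraintsValid: true, IsCA: true,
		ExtraExtensions: []pkix.Extension{policyExt(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1})}}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: now, NotAfter: now.Add(time.Hour),
		DNSNames: []string{"leaf.example.test"}, ExtraExtensions: []pkix.Extension{policyExt(asn1.ObjectIdentifier{2, 23, 140, 1, 2, 3})}}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafPub, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	return ca, leaf
}
```

For a real chain, load the issuer and the subscriber certificate with x509.ParseCertificate and pass them to ungrantedPolicies; an empty result means every leaf policy chains to its issuer.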

