On 08/05/2015 10:53 AM, Kathleen Wilson wrote:
> WISeKey has applied to include the "OISTE WISeKey Global Root GB CA"
> root certificate, turn on all three trust bits, and enable EV
> treatment. This SHA-256 root cert will eventually replace WISeKey's
> SHA-1 root cert that was included in NSS via Bugzilla Bug #371362.
...
> * Potentially Problematic Practices -- None noted
> (http://wiki.mozilla.org/CA:Problematic_Practices)

The following certificate with a validity period of Mar 06 2015 to Mar 06 2016 was signed with sha-1. It also has the nsCertType extension, which is deprecated.

The following certificate with a validity period of Nov 06 2014 to Nov 05 2017 has similar problems. In addition, the common name is expressed as a wildcard ("*.hightrusted.com"). This will not work as expected in Firefox because the wildcard is not expressed as an entry in the subject alternative name extension.

Cheers,
David Keeler
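The three findings raised in the message above (SHA-1 signature, nsCertType extension, wildcard common name missing from the subject alternative name), written as a small lint, as an added example that is not part of the original message or of any Mozilla code. The certificate fields are constructed sample values, not decoded from the certificates discussed; the function names are hypothetical, and the fallback to the common name when no SAN dNSName exists is an assumption modelled on RFC 6125 matching.

```python
# Added example. Field values are constructed for illustration; only the
# wildcard common name "*.hightrusted.com" is taken from the message.
SHA1_WITH_RSA = "1.2.840.113549.1.1.5"   # sha1WithRSAEncryption
NS_CERT_TYPE = "2.16.840.1.113730.1.1"   # Netscape nsCertType extension


def dns_match(pattern, host):
    """Match one dNSName against a hostname; '*' only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse overly broad patterns such as "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def host_matches(cert, host):
    """When the SAN extension carries any dNSName, the subject CN is ignored."""
    names = cert["san_dns"] or [cert["cn"]]  # CN fallback: assumption (RFC 6125 style)
    return any(dns_match(n, host) for n in names)


def lint(cert):
    """Return the findings from the message that apply to this certificate."""
    findings = []
    if cert["sig_alg_oid"] == SHA1_WITH_RSA:
        findings.append("sha1-signature")
    if NS_CERT_TYPE in cert["extension_oids"]:
        findings.append("nsCertType-present")
    san = [n.lower() for n in cert["san_dns"]]
    if san and cert["cn"].lower() not in san:
        findings.append("cn-not-in-san")
    return findings


SAMPLE = {
    "cn": "*.hightrusted.com",
    "san_dns": ["hightrusted.com", "www.hightrusted.com"],  # constructed list
    "sig_alg_oid": SHA1_WITH_RSA,
    "extension_oids": ["2.5.29.17", "2.5.29.15", NS_CERT_TYPE],
}

if __name__ == "__main__":
    print(lint(SAMPLE))
    print(host_matches(SAMPLE, "shop.hightrusted.com"))
```

A host covered only by the wildcard common name fails to match as long as the SAN lists explicit names without the wildcard, which is the behaviour the message describes.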

