On Tue, Nov 17, 2015 at 12:04 AM, Peter Bowen <pzbo...@gmail.com> wrote: > Inspired by Rob Stradling's work > (https://cabforum.org/pipermail/public/2015-November/006269.html), I > wrote a quick tool to check that commonNames and Subject Alternative > Names in server auth certificates issued by public CAs were following > the CA/Browser Forum baseline requirements. > > The resulting report of anomalies is available at > https://docs.google.com/spreadsheets/d/1lJt-1tkgKcbw5woEr4-tcpqB-M-HKwjFNSdX2jla2EU/edit?usp=sharing > > The rules are a rather strict interpretation of RFC 5280 and the > Baseline Requirements. Notably, it will complain if FQDNs are not > converted to ASCII (as defined in 7.2 and 7.3 of RFC 5280) and will > complain if there is an IP address flaged as a dNSName in a > Generalized Name. > > There are a couple of rules that may create false positives, so please > don't assume every certificate on the sheet is problematic.
I've updated the sheet based on the initial feedback. It is now properly encoded in UTF-8 and allows domain names with u-labels in CN attributes. It also properly excludes certificates which have an EKU list that does not include serverAuth. Please note the following important items: 1) The set of certificates checked includes certificates that were issued before the Baseline Requirements existed. Some specific requirements in the Baseline Requirements have effective dates well after the initial approval of the BRs. Readers need to determine the appropriate cut off date(s) for their usage of the data. 2) Several rules are not errors but are things that I flagged. These include the "_onion" and "_special_ipv4" rules. 3) Currently IPv4 addresses in DNS name SAN entries are considered to be errors. 4) The largest issue by far is inclusion of SAN types not allowed by the Baseline Requirements. According to section 7.1.4.2.1, only dNSName and iPAddress types of GeneralNames are allowed. I hope that this is useful data. Thanks, Peter _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
