On Thu, Dec 10, 2015 at 6:07 AM, Matthias Hunstock <[email protected]> wrote:
> On 09.12.2015 at 18:46, Peter Bowen wrote:
>
>> Do you have an example where you think IPv6 addresses are not being
>> handled correctly?
>
> Serial 19D70E1B381579 in your document is the example I stumbled upon.
>
> I managed to get the complete cert from the server and cannot see any
> issues there.
>
> It is flagged as "_unqualified" though it has a global unicast IPv6
> address, beside other SubjectAlternativeNames.

You are correct. There is a logic bug and it is flagging properly encoded IPv6 addresses in the SAN as unqualified. There are 9 certificates in CT that have IPv6 addresses.

Apologies for this. I will get the tool updated to ensure that IPv6 addresses do not cause a flag. For now, however, please ignore any "unqualified" result for a SAN:IP row. This rule should be impossible to hit for that data type.

Thanks,
Peter

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
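The failure mode discussed in this message, as an added example that is not part of the original thread and is not the code of the tool it describes: a lint rule that applies the "unqualified" name test only to dNSName entries and checks iPAddress entries by their encoding instead. The tool's actual bug is not shown in the thread; the dot-based heuristic in `naive_lint`, the function names, and the sample entries are assumptions made for illustration.

```python
import ipaddress

# Constructed SAN entries as (GeneralName type, value); not from any real certificate.
# An iPAddress value is the raw OCTET STRING: 4 bytes for IPv4, 16 for IPv6 (RFC 5280).
SAMPLE_SAN = [
    ("dNSName", "www.example.com"),
    ("dNSName", "mailhost"),
    ("iPAddress", ipaddress.ip_address("2001:db8::1").packed),
    ("iPAddress", ipaddress.ip_address("192.0.2.10").packed),
    ("iPAddress", b"\x20\x01\x0d\xb8\x00"),  # 5 bytes: not a valid encoding
]

def ip_text(raw):
    """Decode an iPAddress OCTET STRING; return None unless it is 4 or 16 bytes."""
    try:
        return str(ipaddress.ip_address(raw))
    except ValueError:
        return None

def naive_lint(san):
    """Assumed buggy rule: render every entry as text, then look for a dot."""
    findings = []
    for kind, value in san:
        text = value if kind == "dNSName" else (ip_text(value) or value.hex())
        if "." not in text:  # IPv6 text form has colons, never dots
            findings.append((kind, text, "unqualified"))
    return findings

def typed_lint(san):
    """Type-aware rule: 'unqualified' can only ever apply to dNSName entries."""
    findings = []
    for kind, value in san:
        if kind == "dNSName":
            if "." not in value.rstrip("."):
                findings.append((kind, value, "unqualified"))
        elif kind == "iPAddress":
            if ip_text(value) is None:
                findings.append((kind, value.hex(), "bad_ip_encoding"))
    return findings

if __name__ == "__main__":
    print("naive:", naive_lint(SAMPLE_SAN))
    print("typed:", typed_lint(SAMPLE_SAN))
```

With the type-aware rule, a correctly encoded IPv6 entry produces no finding at all, while a malformed iPAddress gets its own finding rather than being reported under a name-based rule.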

