On 2/8/16 12:22 PM, Kathleen Wilson wrote:
On 2/8/16 12:18 PM, Kathleen Wilson wrote:
All,

We recently added two tests that CAs must perform and resolve errors for
when they are requesting to enable the Websites trust bit for their root
certificate.

Test 1) Browse to https://crt.sh/ and enter the SHA-1 Fingerprint for
the root certificate. Then click on the 'Search' button. Then click on
the 'Run cablint' link. All errors must be resolved/fixed.

Test 2) Browse to https://cert-checker.allizom.org/ and enter the test
website and click on the 'Browse' button to provide the PEM file for the
root certificate. Then click on 'run certlint'. All errors must be
resolved/fixed.

I added these to item #15 of
https://wiki.mozilla.org/CA:Information_checklist#Technical_information_about_each_root_certificate
This has sparked some discussions in Bugzilla Bugs that I think we
should move here to mozilla.dev.security.policy so that everyone may
benefit from the resulting decisions.

So, if you have feedback or questions about these new tests, please add
them here.

Thanks,
Kathleen


Also, to clarify...

Already-included root certificates are grandfathered in, but all new
root certificates need to meet the BRs and pass these certlint tests
without error before they can be included. However, we are open to
updating the certlint tests, as long as the updates are in line with the
BRs.

Kathleen
One topic currently under discussion in Bug #1201423 is regarding root certificates with serial number of 0. The error being returned by http://cert-checker.allizom.org/ is "Serial number must be positive".

Arguments raised in the bug:

>>> RFC 5280 is not ambiguous as to whether zero is positive or not.
>>> https://tools.ietf.org/html/rfc5280#section-4.2.1.10
>>>    Note: Non-conforming CAs may issue certificates with serial numbers
>>>    that are negative or zero.  Certificate users SHOULD be prepared to
>>>    gracefully handle such certificates.
>>> So zero is clearly non-conforming.

>> The whole RFC5280 section 4.1 refers to the information associated with the
>> subject of the certificate and the CA that issued it. This is not a
>> certificate issued by a CA, it is a self-signed certificate, which is the
>> trust-anchor itself.


> We believe that this section applies to issued certificates.
> Quoting the beginning of the section:
>    The sequence TBSCertificate contains information associated with the
>    subject of the certificate and the CA that issued it.
>
> Thus, it only applies to certificates issued by a CA, and not to the CA
> itself.


Does section 4.1 of RFC5280 apply to root certificates?

Is a root certificate with serial number 00 compliant with RFC5280 and the BRs?

As always, I will appreciate your thoughtful and constructive contributions to this discussion.

Kathleen
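The "Serial number must be positive" check under discussion comes down to how the serialNumber INTEGER is DER-encoded: 0 is a single 0x00 byte, a leading 0xFF makes the value negative, and a positive value whose top bit is set needs a leading 0x00 pad byte. The following is an added example (my own code, not cert-checker's or crt.sh's implementation) that walks a DER Certificate to tbsCertificate.serialNumber and reports the same lint error; the certificate-shaped DER it builds is a constructed minimal sample, not a real root.

```python
"""Lint tbsCertificate.serialNumber the way RFC 5280 section 4.1.2.2
requires: it must be a positive INTEGER, so 0 and negative values fail."""


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def certificate_serial(der: bytes) -> int:
    """Return serialNumber from Certificate -> tbsCertificate (v1 or v3)."""
    tag, cert, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    tag, tbs, _ = _read_tlv(cert, 0)
    assert tag == 0x30, "tbsCertificate must be a SEQUENCE"
    tag, value, nxt = _read_tlv(tbs, 0)
    if tag == 0xA0:  # optional [0] EXPLICIT version precedes the serial
        tag, value, nxt = _read_tlv(tbs, nxt)
    assert tag == 0x02, "serialNumber must be an INTEGER"
    # DER INTEGER is big-endian two's complement, so 0xFF... is negative
    return int.from_bytes(value, "big", signed=True)


def lint_serial(der: bytes) -> list:
    """Return certlint-style error strings for the serial number."""
    serial = certificate_serial(der)
    return ["Serial number must be positive"] if serial <= 0 else []


def _tlv(tag: int, content: bytes) -> bytes:
    assert len(content) < 128  # short-form length is enough for the samples
    return bytes([tag, len(content)]) + content


def sample_cert(serial_der: bytes, v3: bool = True) -> bytes:
    """Constructed certificate-shaped DER (NOT a real certificate): the
    tbsCertificate carries only the optional version and the serialNumber."""
    version = _tlv(0xA0, _tlv(0x02, b"\x02")) if v3 else b""  # INTEGER 2 = v3
    tbs = _tlv(0x30, version + _tlv(0x02, serial_der))
    return _tlv(0x30, tbs)


if __name__ == "__main__":
    for raw in (b"\x00", b"\xff", b"\x00\x80", b"\x01"):
        print(raw.hex(), certificate_serial(sample_cert(raw)), lint_serial(sample_cert(raw)))
```

A real root would be fed as the DER bytes of its PEM file; the walker only looks at the first two fields of tbsCertificate, so the rest of the certificate is not parsed.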
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy