On 2/8/16 2:56 PM, Peter Bowen wrote:
On Mon, Feb 8, 2016 at 2:46 PM, Kathleen Wilson <[email protected]> wrote:
Note that I think there are still some things with the certlint tests that
need to be ironed out, before filing bugs for every reported error.
I am unaware of anything that is flagged as Fatal or Error on non-CA
certificates that is an open issue.
The one item on CA certificates that is a questionable Error is
whether a CA must have a commonName. I don't think Mozilla requires
such, so this should not be considered an error for Mozilla purposes.
Thanks,
Peter
(author of certlint)
FNMT is asking about one...
Test website: https://www.sede.fnmt.gob.es/certificados
Root Cert: http://www.cert.fnmt.es/certs/ACRAIZFNMTRCM.crt
Error
- BR certificates with organizationName must include either localityName
or stateOrProvinceName
- BR certificates may not contain DirName type alternative names
https://bugzilla.mozilla.org/show_bug.cgi?id=435736#c158
""
Also, regarding the error "BR certificates must not contain
directoryName type alternative name", it has already been discussed at
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/7wIZmwp4qGQ.
As was commented there, our certificates are compliant with this
requirement as we set the Domain Name (there is at least a DNSName).
Also, in order to comply with all applicable law related to eGovernment
and identification of eOffices, administrative ID info must be set in the
SAN extension. As stated in section 8 of the BRs, we are obliged to do so.
Even if you look at the CABForum EV Guidelines (9.2.2), about Subject
Alternative Name it just says:
"This extension MUST contain one or more host Domain Name(s) owned or
controlled by the Subject and to be associated with the Subject’s
server. Such server MAY be owned and operated by the Subject or another
entity (e.g., a hosting service). Wildcard certificates are not allowed
for EV Certificates."
You'll agree that this is a less restrictive assertion (and it's about
EV certificates, which are more sensitive and have harder requirements) and
it should be taken into account.
I suggest changing the error message to a warning in order to allow CAs
to explain their special circumstances.
""
Should I file a github Issue?
(thanks for creating certlint!)
Kathleen
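To make the two certlint messages in the thread concrete, here is an added example (not code from certlint, FNMT or Mozilla) that implements both checks with the Python `cryptography` library, assumed to be installed, and runs them on constructed self-signed certificates: one shaped like the thread's case (organizationName with no localityName or stateOrProvinceName, and a SAN holding a DNSName next to a directoryName) and one that satisfies both rules.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def lint(cert):
    errors = []
    has = lambda oid: bool(cert.subject.get_attributes_for_oid(oid))
    # organizationName present implies localityName or stateOrProvinceName.
    if has(NameOID.ORGANIZATION_NAME) and not (
            has(NameOID.LOCALITY_NAME) or has(NameOID.STATE_OR_PROVINCE_NAME)):
        errors.append("BR certificates with organizationName must include "
                      "either localityName or stateOrProvinceName")
    # The DirName rule is about any directoryName entry being present; a
    # DNSName next to it (FNMT's argument) does not change the result.
    try:
        san = cert.extensions.get_extension_for_class(
            x509.SubjectAlternativeName).value
        if san.get_values_for_type(x509.DirectoryName):
            errors.append("BR certificates may not contain DirName type "
                          "alternative names")
    except x509.ExtensionNotFound:
        pass
    return errors


def build_sample_cert(subject_attrs, san_entries):
    """Self-signed throwaway certificate, constructed only for this example."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(o, v) for o, v in subject_attrs])
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=1))
            .add_extension(x509.SubjectAlternativeName(san_entries), critical=False)
            .sign(key, hashes.SHA256()))


ORG = (NameOID.ORGANIZATION_NAME, "Example Org")
CN = (NameOID.COMMON_NAME, "www.example.test")
# Shaped like the case in the thread: O without L/ST, SAN with DNSName + DirName.
FLAGGED = build_sample_cert(
    [ORG, CN],
    [x509.DNSName("www.example.test"),
     x509.DirectoryName(x509.Name([x509.NameAttribute(*ORG)]))])
# Same subject with a localityName added and the DirName entry dropped.
CLEAN = build_sample_cert(
    [ORG, (NameOID.LOCALITY_NAME, "Example City"), CN],
    [x509.DNSName("www.example.test")])
```

Running `lint(FLAGGED)` returns both error strings, while `lint(CLEAN)` returns an empty list.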
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy