On Mon, Feb 8, 2016 at 3:12 PM, Kathleen Wilson <kwil...@mozilla.com> wrote:
> On 2/8/16 2:56 PM, Peter Bowen wrote:
>>
>> On Mon, Feb 8, 2016 at 2:46 PM, Kathleen Wilson <kwil...@mozilla.com>
>> wrote:
>>>
>>>
>>> Note that I think there are still some things with the certlint tests
>>> that
>>> need to be ironed out, before filing bugs for every reported error.
>>
>>
>> I am unaware of anything that is flagged as Fatal or Error on non-CA
>> certificates that is an open issue.
>>
>> The one item on CA certificates that is a questionable Error is
>> whether a CA must have a commonName.  I don't think Mozilla requires
>> such, so this should not be considered an error for Mozilla purposes.
>>
>> Thanks,
>> Peter
>>
>> (author of certlint)
>>
>
>
> FNMT is asking about one...
>
> Test website: https://www.sede.fnmt.gob.es/certificados
> Root Cert: http://www.cert.fnmt.es/certs/ACRAIZFNMTRCM.crt
> Error
> - BR certificates with organizationName must include either localityName or
> stateOrProvinceName
> - BR certificates may not contain DirName type alternative names
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=435736#c158
> ""
> Also, regarding the error "BR certificates must not contain directoryName
> type alternative name", it has already been discussed at
> https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/7wIZmwp4qGQ.
>
> As was commented, our certificates are compliant with this requirement as
> we set the Domain Name (there is at least a DNSName). Also, in order to
> comply with all applicable law related to eGovernment and identification of
> eOffices, administrative ID info must be set in the SAN extension. As stated
> in section 8 of the BRs, we are obliged to do so.
>
> Even if you look at CABForum EV Guidelines (9.2.2), about Subject
> Alternative Name it is just said:
>  "This extension MUST contain one or more host Domain Name(s) owned or
> controlled by the Subject and to be associated with the Subject’s server.
> Such server MAY be owned and operated by the Subject or another entity
> (e.g., a hosting service). Wildcard certificates are not allowed for EV
> Certificates."
>
> You'll agree that this is a less restrictive assertion (and it's about EV
> certificates, which are more sensitive and whose requirements are harder) and
> it should be taken into account.
>
> I suggest changing the error message to a warning in order to allow CAs to
> explain their special circumstances.
> ""

There are two different issues here.  However it is important to note
for both that the certificate in question is not an EV certificate, so
the EV Guidelines do not apply.

For the first, the BRs say:

Certificate Field: subject:localityName (OID: 2.5.4.7) Required if the
subject:organizationName field is present and the
subject:stateOrProvinceName field is absent.

Certificate Field: subject:stateOrProvinceName (OID: 2.5.4.8) Required
if the subject:organizationName field is present and
subject:localityName field is absent.

So you clearly must include at least one or the other.

For the second, the Baseline Requirements are very clear: "Each entry
MUST be either a dNSName containing the Fully‐Qualified Domain Name or
an iPAddress containing the IP address of a server."

dirName is neither a dNSName nor an iPAddress.  Therefore the
requirement is not met.

It may be that Mozilla wants to consider an audit qualification that
says that including Directory Names is acceptable, but it does not
meet the current Baseline Requirements.

Thanks,
Peter
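The two rules Peter cites (organizationName requires localityName or stateOrProvinceName; every SAN entry must be a dNSName or an iPAddress) are mechanical enough to check in code. What follows is an added example written for this thread, not certlint's code and not anything from FNMT or Mozilla. It uses only Go's standard library; the function names BuildTestCert, LintBRSubscriberCert and sanEntryTags, and the "Example Org" / www.example.test subject and SAN values, are assumptions constructed here as test input. The lint decodes the raw SAN extension itself because Go's x509 parser silently drops GeneralName types it does not model, directoryName included, so a check built on cert.DNSNames alone would wave the FNMT case through.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// id-ce-subjectAltName and the GeneralName context-specific tags (RFC 5280, 4.2.1.6).
var oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}
const (
	tagDNSName   = 2
	tagDirName   = 4
	tagIPAddress = 7
)

// LintBRSubscriberCert applies the two BR checks from the thread to an end-entity certificate.
func LintBRSubscriberCert(cert *x509.Certificate) []string {
	var errs []string
	s := cert.Subject
	if len(s.Organization) > 0 && len(s.Locality) == 0 && len(s.Province) == 0 {
		errs = append(errs, "subject has organizationName but neither localityName nor stateOrProvinceName")
	}
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidSubjectAltName) {
			continue
		}
		tags, err := sanEntryTags(ext.Value)
		if err != nil {
			return append(errs, "subjectAltName is not well-formed: "+err.Error())
		}
		for _, tag := range tags {
			if tag != tagDNSName && tag != tagIPAddress {
				errs = append(errs, fmt.Sprintf("subjectAltName entry with tag [%d] is neither dNSName nor iPAddress", tag))
			}
		}
	}
	return errs
}

// sanEntryTags decodes GeneralNames ::= SEQUENCE OF GeneralName from the raw extension
// and returns each entry's context-specific tag. cert.DNSNames is not enough here:
// x509.ParseCertificate drops name types it does not model, directoryName among them.
func sanEntryTags(der []byte) ([]int, error) {
	var seq asn1.RawValue
	rest, err := asn1.Unmarshal(der, &seq)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 || seq.Tag != asn1.TagSequence || !seq.IsCompound {
		return nil, fmt.Errorf("expected a single SEQUENCE")
	}
	var tags []int
	for body := seq.Bytes; len(body) > 0; {
		var gn asn1.RawValue
		if body, err = asn1.Unmarshal(body, &gn); err != nil {
			return nil, err
		}
		tags = append(tags, gn.Tag)
	}
	return tags, nil
}

// BuildTestCert issues a throwaway self-signed certificate (constructed test input,
// not any CA's real certificate) whose SAN holds the given dNSNames and directoryNames.
// The SAN is built by hand because x509.Certificate has no field for directoryName.
func BuildTestCert(subject pkix.Name, dnsNames []string, dirNames []pkix.Name) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	var names []asn1.RawValue
	for _, d := range dnsNames {
		names = append(names, asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: tagDNSName, Bytes: []byte(d)})
	}
	for _, dn := range dirNames {
		nameDER, err := asn1.Marshal(dn.ToRDNSequence())
		if err != nil {
			return nil, err
		}
		names = append(names, asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: tagDirName, IsCompound: true, Bytes: nameDER})
	}
	sanDER, err := asn1.Marshal(names)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: subject, NotBefore: time.Now(),
		NotAfter: time.Now().Add(24 * time.Hour), ExtraExtensions: []pkix.Extension{{Id: oidSubjectAltName, Value: sanDER}}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Feeding BuildTestCert a subject with only O and CN and a SAN of one dNSName plus one directoryName reproduces both of the errors reported against the FNMT certificate; adding an L to the subject and dropping the directoryName entry clears both. Note that the lint deliberately reports the directoryName even though a dNSName is also present, which is the point Peter makes: the BR rule is about each entry, not about whether at least one entry is acceptable.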
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
