Dear all,

As A-Trust requests EV treatment, I checked the EV certificates issued from the a-sign-SSL-EV-05 subordinate in crt.sh (https://crt.sh/?Identity=%25&iCAID=6096)

ALL of them state in businessCategory the following text "V1.0, Clause 5.(X)". This text is similar to what is permitted by EV guidelines version 1.2 and prior, although "X" should have been "b", "c", "d" or "e" depending upon whether the Subject qualifies in the permitted categories. This text is not permitted since EV guidelines version 1.3 published in 2010.

As the EV audit conducted by E&Y states A-Trust is in compliance with "WebTrust Principles and Criteria for Certification Authorities - Extended Validation SSL - Version 1.4.5" that is based on CA/Browser Forum Guidelines for the Issuance and Management of Extended Validation SSL Certificates - Version 1.4.5 and it's obvious that the auditor failed to detect this very basic issue, can we, the Mozilla Community, be reasonably assured of any of the auditor's necessary checks?

In addition there are several more issues in these certificates:

- rfc822Name in SAN (https://crt.sh/?id=8889537&opt=cablint, https://crt.sh/?id=8889537&opt=cablint)
- FATAL: ASN.1 Error in EmailAddress (https://crt.sh/?id=12491213&opt=cablint, https://crt.sh/?id=9410992&opt=cablint)
- This cert has the following errors: Cert without subject alternative names extension, Cert of 1024 bits (https://crt.sh/?id=8935972&opt=cablint)

Best,
J
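The findings listed in the message above can be checked mechanically. The following is an added example, not part of the original message and not cablint's code: it lints already-parsed certificate fields for the businessCategory form, SAN presence, rfc822Name in SAN, and RSA key size. The dict layout, function name and sample records are assumptions constructed for illustration; the four current businessCategory values are those defined by EV Guidelines 1.3 and later.

```python
import re

# businessCategory values defined by EV Guidelines v1.3 and later.
CURRENT = {"Private Organization", "Government Entity",
           "Business Entity", "Non-Commercial Entity"}
# Pre-1.3 clause form: "V1.0, Clause 5.(b)" through "(e)".
LEGACY = re.compile(r"^V1\.0, Clause 5\.\([b-e]\)$")
# Same shape, but the clause letter was never filled in, e.g. "(X)".
TEMPLATE = re.compile(r"^V1\.0, Clause 5\.\(.*\)$")

def lint_ev(cert):
    """Return sorted findings for one parsed certificate record.

    `cert` is a hypothetical dict: businessCategory (str or None),
    san (list of (type, value) tuples, or None), rsa_bits (int).
    """
    findings = []
    bc = cert.get("businessCategory")
    if bc is None:
        findings.append("businessCategory missing")
    elif bc not in CURRENT:
        if LEGACY.match(bc):
            findings.append("businessCategory uses pre-1.3 clause form")
        elif TEMPLATE.match(bc):
            findings.append("businessCategory is an unfilled clause template")
        else:
            findings.append("businessCategory not a permitted value")
    san = cert.get("san")
    if not san:
        findings.append("no subjectAltName extension")
    elif any(kind == "rfc822Name" for kind, _ in san):
        findings.append("rfc822Name in SAN")
    if cert.get("rsa_bits", 0) < 2048:
        findings.append("RSA key below 2048 bits")
    return sorted(findings)

# Constructed sample records (not real certificates).
SAMPLES = {
    "template": {"businessCategory": "V1.0, Clause 5.(X)", "rsa_bits": 2048,
                 "san": [("dNSName", "www.example.com"),
                         ("rfc822Name", "admin@example.com")]},
    "weak": {"businessCategory": "Private Organization",
             "san": None, "rsa_bits": 1024},
    "legacy": {"businessCategory": "V1.0, Clause 5.(b)", "rsa_bits": 2048,
               "san": [("dNSName", "www.example.com")]},
    "clean": {"businessCategory": "Government Entity", "rsa_bits": 4096,
              "san": [("dNSName", "www.example.com")]},
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, lint_ev(record))
```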

