Hello,

On Tuesday, 9 February 2016 at 10:47:16 UTC+1, Jesus F wrote:
> Dear all,
>
> As A-Trust requests EV treatment, I checked the EV issued certificates from
> a-sign-SSL-EV-05 subordinate in crt.sh
> (https://crt.sh/?Identity=%25&iCAID=6096)
>
> ALL of them state in businessCategory the following text "V1.0, Clause
> 5.(X)". This text is similar to what was permitted by EV guidelines version 1.2
> and prior, although "X" should have been "b", "c", "d" or "e" depending upon
> whether the Subject qualifies in the permitted categories. This text is not
> permitted since EV guidelines version 1.3 published in 2010.
>
> As the EV audit conducted by E&Y states A-Trust is in compliance with
> "WebTrust Principles and Criteria for Certification Authorities - Extended
> Validation SSL - Version 1.4.5" that is based on CA/Browser Forum Guidelines
> for the Issuance and Management of Extended Validation SSL Certificates -
> Version 1.4.5 and it's obvious that the auditor failed to detect this very
> basic issue, can we, the Mozilla Community, be reasonably assured of any of
> the auditor's necessary checks?
>
> In addition there are several more issues in these certificates:
>
> - rfc822Name in SAN (https://crt.sh/?id=8889537&opt=cablint,
> https://crt.sh/?id=8889537&opt=cablint)
> - FATAL: ASN.1 Error in EmailAddress
> (https://crt.sh/?id=12491213&opt=cablint,
> https://crt.sh/?id=9410992&opt=cablint)
> - This cert has the following errors: Cert without subject alternative names
> extension, Cert of 1024 bits (https://crt.sh/?id=8935972&opt=cablint)
Without saying that the audit was perfect, all the evidence presented here was produced after the audit was performed.
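The checks the quoted mail ran through cablint can be reproduced locally. The following Go program is an added example written for this thread, not code from crt.sh, cablint or A-Trust: it lints a parsed certificate for the pre-1.3 businessCategory form, a missing SAN extension, an rfc822Name in the SAN and an RSA key below 2048 bits, and builds a constructed self-signed certificate that reproduces those defects (the permitted category list is taken from EV Guidelines 1.3 and later; the ASN.1 error in EmailAddress is not reproduced, since it needs a malformed encoding that Go will not emit).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidBusinessCategory, oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 4, 15}, asn1.ObjectIdentifier{2, 5, 29, 17}

// businessCategory values permitted by EV Guidelines 1.3 and later; the pre-1.3
// form "V1.0, Clause 5.(b|c|d|e)" reported in the thread is deliberately absent.
var allowedCategory = map[string]bool{"Private Organization": true,
	"Government Entity": true, "Business Entity": true, "Non-Commercial Entity": true}

// LintEV returns one finding per defect the thread lists, for a parsed certificate.
func LintEV(c *x509.Certificate) (findings []string) {
	for _, atv := range c.Subject.Names { // Names holds every parsed subject attribute
		if s, ok := atv.Value.(string); atv.Type.Equal(oidBusinessCategory) && (!ok || !allowedCategory[s]) {
			findings = append(findings, fmt.Sprintf("businessCategory %v not permitted since EVG 1.3", atv.Value))
		}
	}
	haveSAN := false // presence of the SAN extension itself, not of any one name type
	for _, e := range c.Extensions { haveSAN = haveSAN || e.Id.Equal(oidSubjectAltName) }
	if !haveSAN { findings = append(findings, "cert without subject alternative names extension") }
	if len(c.EmailAddresses) > 0 { findings = append(findings, "rfc822Name in SAN") }
	if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 2048 {
		findings = append(findings, fmt.Sprintf("cert of %d bits", k.N.BitLen()))
	}
	return findings
}

// MakeTestCert builds a constructed self-signed certificate (not an A-Trust one) with
// the given RSA size, businessCategory value and optional rfc822Name in its SAN.
func MakeTestCert(bits int, category, email string) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		Subject: pkix.Name{CommonName: "example.test", ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidBusinessCategory, Value: category}}}}
	if email != "" { tmpl.EmailAddresses = []string{email} } // no names at all means no SAN extension
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

func main() { // constructed cert with the thread's three combined defects
	c, err := MakeTestCert(1024, "V1.0, Clause 5.(b)", "")
	if err != nil { panic(err) }
	fmt.Println(LintEV(c))
}
```

Point LintEV at certificates fetched from crt.sh (after x509.ParseCertificate on their DER) to re-run the same checks over a whole issuer.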

