I wouldn't mind if "Test 1) Browse to https://crt.sh/" was made a
suggestion rather than a requirement.
https://cert-checker.allizom.org/ can already accept and "run certlint"
on a user-submitted certificate. Could a "run cablint" button be added too?
Also, could this tool be run from mozilla.org (just so that people who
don't read backwards will realize that it's operated by CA-neutral
Mozilla ;-) ) ?
I think the important points are:
- The CA MUST check that they are not issuing certs that violate any of the BRs.
- Mozilla WILL check that the CA is not issuing certs that violate any of the BRs.
If a CA doesn't get a clean bill of health when Mozilla do their checks,
then it's that CA's fault for not using the available tools. :-)
On 10/02/16 23:50, Jeremy Rowley wrote:
I don't think we should have to use a competitor's product to evaluate this.
Are we permitted to set up our own instance of this using the open source to
do the testing? There should be that option considering IP rights have not
been freely granted on all this software.
-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Kathleen Wilson
Sent: Monday, February 8, 2016 1:18 PM
To: [email protected]
Subject: New requirement: certlint testing
All,
We recently added two tests that CAs must perform and resolve errors for
when they are requesting to enable the Websites trust bit for their root
certificate.
Test 1) Browse to https://crt.sh/ and enter the SHA-1 Fingerprint for the
root certificate. Then click on the 'Search' button. Then click on the 'Run
cablint' link. All errors must be resolved/fixed.
Test 2) Browse to https://cert-checker.allizom.org/ and enter the test
website and click on the 'Browse' button to provide the PEM file for the
root certificate. Then click on 'run certlint'. All errors must be
resolved/fixed.
I added these to item #15 of
https://wiki.mozilla.org/CA:Information_checklist#Technical_information_about_each_root_certificate
This has sparked some discussions in Bugzilla Bugs that I think we should
move here to mozilla.dev.security.policy so that everyone may benefit from
the resulting decisions.
So, if you have feedback or questions about these new tests, please add them
here.
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com
COMODO CA Limited, Registered in England No. 04058690
Registered Office:
3rd Floor, 26 Office Village, Exchange Quay,
Trafford Road, Salford, Manchester M5 3EQ
This e-mail and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify the
sender by replying to the e-mail containing this attachment. Replies to
this email may be monitored by COMODO for operational or business
reasons. Whilst every endeavour is taken to ensure that e-mails are free
from viruses, no liability can be accepted and the recipient is
requested to use their own virus checking software.
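The two tests in Kathleen's message both start from the root certificate's bytes: Test 1 looks it up on crt.sh by SHA-1 fingerprint, Test 2 uploads the PEM and lints it. The script below is an added example, not code from this thread, from crt.sh or from the certlint project. It shows that the fingerprint is the digest of the DER encoding (so re-wrapping or re-encoding the PEM does not change it), builds the crt.sh search URL, and wraps a locally installed `cablint`/`certlint` for CAs that would rather run the open-source tool themselves. It assumes the local tools are on PATH and accept a DER file path as their argument; the sample PEM is a constructed placeholder (base64 of the bytes `abc`), not a real certificate.

```python
"""Fingerprint and local-lint helpers for a root certificate given as PEM.
Added example; assumptions: `cablint` / `certlint` are on PATH and take a
DER file path as their only argument."""
import base64
import hashlib
import os
import re
import subprocess
import tempfile

# Matches the first CERTIFICATE block; DOTALL so the body may span lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armour and base64-decode the certificate body.

    Whitespace and line endings inside the body are ignored, so two PEM
    files that differ only in wrapping yield identical DER bytes."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Certificate fingerprint: digest over the DER bytes, rendered as
    colon-separated upper-case hex (the form crt.sh displays)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def crtsh_search_url(der: bytes) -> str:
    """Search URL for Test 1; crt.sh accepts the fingerprint without colons."""
    return "https://crt.sh/?q=" + fingerprint(der, "sha1").replace(":", "")


def run_local_lint(tool: str, der: bytes) -> list:
    """Run `cablint` or `certlint` (assumed on PATH, assumed to take a DER
    path) on the certificate and return its output lines.
    Raises FileNotFoundError if the tool is not installed."""
    with tempfile.NamedTemporaryFile(suffix=".der", delete=False) as f:
        f.write(der)
        path = f.name
    try:
        proc = subprocess.run([tool, path], capture_output=True, text=True)
        return proc.stdout.splitlines()
    finally:
        os.unlink(path)


# Constructed placeholder: base64 of b"abc". NOT a real certificate; a real
# run would read the root's PEM file instead.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("SHA-1   ", fingerprint(der))
    print("SHA-256 ", fingerprint(der, "sha256"))
    print("crt.sh  ", crtsh_search_url(der))
```

For a real root, replace `SAMPLE_PEM` with the file contents and call `run_local_lint("cablint", der)`; an empty output list means the tool reported nothing, while any returned lines are the errors and warnings that the checklist requires to be resolved.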