On 2/11/16 8:15 AM, Rob Stradling wrote:
I wouldn't mind if "Test 1) Browse to https://crt.sh/" was made a
suggestion rather than a requirement.

https://cert-checker.allizom.org/ can already accept and "run certlint"
on a user-submitted certificate.  Could a "run cablint" button be added
too?
Also, could this tool be run from mozilla.org (just so that people who
don't read backwards will realize that it's operated by CA-neutral
Mozilla ;-) ) ?

I think the important points are:
   - The CA MUST check that they are not issuing certs that violate any
of the BRs.
   - Mozilla WILL check that the CA is not issuing certs that violate
any of the BRs.

If a CA doesn't get a clean bill of health when Mozilla do their checks,
then it's that CA's fault for not using the available tools.  :-)


That sounds reasonable to me, so I updated the wiki page...

https://wiki.mozilla.org/CA:Information_checklist#Technical_information_about_each_root_certificate
"" 15. Test!!!
....
- The CA MUST check that they are not issuing certificates that violate any of the CA/Browser Forum Baseline Requirements (BRs). Mozilla WILL check that the CA is not issuing certificates that violate any of the BRs by performing the following tests.
-- CA/Browser Forum Compliance: Browse to https://crt.sh/ and enter the SHA-1 Fingerprint for the root certificate. Then click on the 'Search' button. Then click on the 'Run cablint' link. All errors must be resolved/fixed. Warnings should also be either resolved or explained.
-- Cert chain of test website: Browse to https://cert-checker.allizom.org/ and enter the test website and click on the 'Browse' button to provide the PEM file for the root certificate. Then click on 'run certlint'. All errors must be resolved/fixed. Warnings should also be either resolved or explained.
....
""

Thanks,
Kathleen
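The crt.sh step in the checklist above keys on the SHA-1 fingerprint of the root certificate, which is simply a hash over the certificate's DER bytes. The following added example (not code from this thread, from Mozilla, or from crt.sh) shows how a reviewer can derive that fingerprint from a PEM file, format it the way the crt.sh search box expects, and check it against a fingerprint a CA supplied in its request. The PEM block inside it is a constructed placeholder (the base64 of the bytes "abc"), not a real certificate; the `crtsh_search_url` helper assumes crt.sh accepts the fingerprint via its `q` query parameter, which is not stated on this page.

```python
import base64
import hashlib
import re

# Constructed placeholder PEM for this example (base64 of the bytes "abc");
# it is NOT a real certificate. A real root certificate PEM works the same way.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and base64-decode the first CERTIFICATE block.

    The fingerprint crt.sh asks for is a hash over these DER bytes, so no
    X.509 parsing is needed for this step.
    """
    m = _PEM_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = re.sub(r"\s+", "", m.group(1))  # tolerate CRLF and wrapped lines
    return base64.b64decode(body, validate=True)


def fingerprint(pem: str, algo: str = "sha1") -> str:
    """Return the colon-separated, upper-case hex fingerprint of the
    certificate (e.g. 'A9:99:3E:...'), the form shown by most CA tooling."""
    digest = hashlib.new(algo, pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def crtsh_search_url(pem: str) -> str:
    """Build a crt.sh query URL for the root's SHA-1 fingerprint.

    Assumption (not stated in the thread): crt.sh accepts a fingerprint in
    its 'q' parameter. Colons are removed so the URL needs no escaping.
    """
    return "https://crt.sh/?q=" + fingerprint(pem).replace(":", "")


def fingerprint_matches(pem: str, claimed: str) -> bool:
    """Check a fingerprint a CA supplied in its request against the PEM it
    sent, ignoring case, colons and whitespace, so a typo in the request is
    caught before anyone searches crt.sh for the wrong certificate."""
    def norm(s: str) -> str:
        return re.sub(r"[:\s]", "", s).upper()
    return norm(fingerprint(pem)) == norm(claimed)


if __name__ == "__main__":
    print("SHA-1 fingerprint:", fingerprint(SAMPLE_PEM))
    print("crt.sh search URL:", crtsh_search_url(SAMPLE_PEM))
```

Run it against a real root PEM to get the value to paste into crt.sh; `fingerprint(pem, "sha256")` gives the SHA-256 form if a request lists that instead.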


_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy