> That sounds reasonable to me, so I updated the wiki page... > > https://wiki.mozilla.org/CA:Information_checklist#Technical_information_about_each_root_certificate > "" 15. Test!!! > .... > - The CA MUST check that they are not issuing certificates that violate > any of the CA/Browser Forum Baseline Requirements (BRs). Mozilla WILL > check that the CA is not issuing certificates that violate any of the > BRs by performing the following tests. > -- CA/Browser Forum Compliance: Browse to https://crt.sh/ and enter the > SHA-1 Fingerprint for the root certificate. Then click on the 'Search' > button. Then click on the 'Run cablint' link. All errors must be > resolved/fixed. Warnings should also be either resolved or explained. > -- Cert chain of test website: Browse to > https://cert-checker.allizom.org/ and enter the test website and click > on the 'Browse' button to provide the PEM file for the root certificate. > Then click on 'run certlint'. All errors must be resolved/fixed. > Warnings should also be either resolved or explained. > .... > "" > > Thanks, > Kathleen
Regarding this point, how will be addressed the issue about AdministrativeID (directoryName) in SAN of electronic offices? As it has been said, all Spanishs CAs are issuing certs in this way in order to comply with all applicable law related to eGovernment and identification of eOffices. As stating at section 8 of BRs they are oblied to do so. It should be an exception to support this special feature. _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
