On 6/21/16 8:26 AM, Rob Stradling wrote:
On 21/06/16 15:55, Ben Wilson wrote:
Rob,

Ben, thanks for passing on the details.  My analysis is below...

So far they are -

https://crt.sh/?sha1=e12ba5aeb7613a72cc9652f1673017a5d8fc7479
  - technically constrained warning

https://crt.sh/?sha1=8c6c7a20b48ef3bcb0fcb203008773846611486a
  - technically constrained warning

https://crt.sh/?sha1=69bdbd7760f0fc58021c290c39243351914dadc5
  - technically constrained warning

https://crt.sh/?sha1=107cce8b25af9b6cfabada125967aed4ef5bafe2
  - technically constrained warning

Section 9 of the Inclusion Policy [1] says:
  "For a certificate to be considered technically constrained
   ...
   The subordinate CA certificate MUST also include within
   excludedSubtrees an iPAddress GeneralName of 32 zero octets
   (covering the IPv6 address range of ::0/0)."

These four intermediate certs only exclude the IPv4 address space, so I
would say that they don't qualify as "technically constrained".
Therefore, they need to be disclosed to Salesforce.

Kathleen, if you agree that Salesforce should not be showing the
"technically constrained warning" for these four intermediates, please
could you ask your Salesforce consultant to fix it?


I will look into this to see if the PEM->JSON tool (provided by David Keeler) needs to be updated to take this into account.



https://crt.sh/?sha1=d92b8d4859538692e435ad78dd876b03601eae96
  - PEM too long

https://crt.sh/?sha1=3948a71e4b39768a016fa3b13175e41197f8bf28
  - PEM too long

Kathleen, what's the size limit?  Can it be increased?


Size limit for PEM is 7,500 characters.

The two certs listed above have PEM character count greater than 29,800. Hopefully there are not a lot of intermediate certs that have PEM data that is larger than 7500 characters. So, I think those are exceptional cases that can be handled by entering the data manually (rather than supplying the PEM).

If there are no objections to this approach, then I will ask my consultant to update the error to indicate that the cert's data should be entered by hand when the PEM is too long, and I will also update the CA:SalesforceCommunity wiki page with this info.

Thanks,
Kathleen
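
The check Rob applies above (does excludedSubtrees cover the whole IPv4 space and the whole IPv6 space?) as an added, stand-alone example. This is not code from the thread, from Mozilla, or from the PEM->JSON tool mentioned; it walks the DER of a NameConstraints extension value with a minimal TLV reader and reports whether an iPAddress GeneralSubtree of 8 zero octets (0.0.0.0/0) and one of 32 zero octets (::0/0) both appear. The sample extension values are constructed inline to resemble the two cases (IPv4-only, as in the four intermediates, and fully excluded); the function and constant names are this example's own, not from any library or policy tool.

```python
"""
Does a NameConstraints extension value (DER) exclude both 0.0.0.0/0 and ::/0?

Assumptions (this is example code, not any project's implementation):
  - input is the raw DER value of the id-ce-nameConstraints extension, i.e.
    the bytes after OCTET STRING unwrapping, starting with the SEQUENCE tag;
  - tags follow RFC 5280 with IMPLICIT tagging: permittedSubtrees [0] = 0xA0,
    excludedSubtrees [1] = 0xA1, GeneralName dNSName [2] = 0x82,
    iPAddress [7] = 0x87.
"""

TAG_SEQUENCE = 0x30
TAG_PERMITTED = 0xA0
TAG_EXCLUDED = 0xA1
TAG_DNSNAME = 0x82
TAG_IPADDRESS = 0x87

IPV4_ALL = bytes(8)    # address 0.0.0.0 + mask 0.0.0.0  -> 0.0.0.0/0
IPV6_ALL = bytes(32)   # address :: + mask ::            -> ::/0


# --- minimal DER encoder (only used to build the constructed samples) ---

def der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    """Wrap content in a TLV with the given tag byte."""
    return bytes([tag]) + der_len(len(content)) + content


def build_name_constraints(permitted=(), excluded=()):
    """Build a NameConstraints value from lists of (GeneralName tag, value)."""
    def subtrees(names):
        # Each GeneralSubtree is SEQUENCE { base GeneralName } (no min/max).
        return b"".join(der(TAG_SEQUENCE, der(t, v)) for t, v in names)
    body = b""
    if permitted:
        body += der(TAG_PERMITTED, subtrees(permitted))
    if excluded:
        body += der(TAG_EXCLUDED, subtrees(excluded))
    return der(TAG_SEQUENCE, body)


# --- minimal DER reader ---

def der_iter(data):
    """Yield (tag, value) for each TLV in a DER-encoded constructed body."""
    i = 0
    while i < len(data):
        tag = data[i]
        length = data[i + 1]
        i += 2
        if length & 0x80:                      # long-form length
            nbytes = length & 0x7F
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        if i + length > len(data):
            raise ValueError("truncated DER element")
        yield tag, data[i:i + length]
        i += length


def excluded_ip_subtrees(name_constraints_der):
    """Return the raw iPAddress values listed under excludedSubtrees."""
    tag, body = next(der_iter(name_constraints_der))
    if tag != TAG_SEQUENCE:
        raise ValueError("NameConstraints must be a SEQUENCE")
    found = []
    for tag, subtrees in der_iter(body):
        if tag != TAG_EXCLUDED:
            continue                           # skip permittedSubtrees
        for stag, subtree in der_iter(subtrees):
            if stag != TAG_SEQUENCE:
                raise ValueError("GeneralSubtree must be a SEQUENCE")
            gtag, gval = next(der_iter(subtree))   # base GeneralName comes first
            if gtag == TAG_IPADDRESS:
                found.append(gval)
    return found


def is_fully_ip_excluded(name_constraints_der):
    """Report whether 0.0.0.0/0 (8 zero octets) and ::/0 (32 zero octets) are excluded."""
    ips = excluded_ip_subtrees(name_constraints_der)
    return {"ipv4": IPV4_ALL in ips, "ipv6": IPV6_ALL in ips}


# Constructed samples (not real certificate data):
# like the four intermediates: dNSName permitted, only IPv4 excluded
IPV4_ONLY = build_name_constraints(
    permitted=[(TAG_DNSNAME, b"example.com")],
    excluded=[(TAG_IPADDRESS, IPV4_ALL)])
# what the policy text asks for: both address families excluded
BOTH_EXCLUDED = build_name_constraints(
    permitted=[(TAG_DNSNAME, b"example.com")],
    excluded=[(TAG_IPADDRESS, IPV4_ALL), (TAG_IPADDRESS, IPV6_ALL)])

if __name__ == "__main__":
    for label, value in (("ipv4-only", IPV4_ONLY), ("both", BOTH_EXCLUDED)):
        print(label, is_fully_ip_excluded(value))
```

A quick manual equivalent is `openssl x509 -in cert.pem -noout -text` and looking under "X509v3 Name Constraints" for an "Excluded:" section listing both IP:0.0.0.0/0.0.0.0 and the all-zero IPv6 entry; a certificate showing only the IPv4 line is the case described above. The reader deliberately ignores the optional minimum/maximum fields of GeneralSubtree, since only the base GeneralName matters for this check.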


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
