On 6/21/16 8:26 AM, Rob Stradling wrote:
On 21/06/16 15:55, Ben Wilson wrote:
Rob,
Ben, thanks for passing on the details. My analysis is below...
So far they are -
https://crt.sh/?sha1=e12ba5aeb7613a72cc9652f1673017a5d8fc7479
- technically constrained warning
https://crt.sh/?sha1=8c6c7a20b48ef3bcb0fcb203008773846611486a
- technically constrained warning
https://crt.sh/?sha1=69bdbd7760f0fc58021c290c39243351914dadc5
- technically constrained warning
https://crt.sh/?sha1=107cce8b25af9b6cfabada125967aed4ef5bafe2
- technically constrained warning
Section 9 of the Inclusion Policy [1] says:
"For a certificate to be considered technically constrained
...
The subordinate CA certificate MUST also include within
excludedSubtrees an iPAddress GeneralName of 32 zero octets
(covering the IPv6 address range of ::0/0)."
These four intermediate certs only exclude the IPv4 address space, so I
would say that they don't qualify as "technically constrained".
Therefore, they need to be disclosed to Salesforce.
Kathleen, if you agree that Salesforce should not be showing the
"technically constrained warning" for these four intermediates, please
could you ask your Salesforce consultant to fix it?
I will look into this to see if the PEM->JSON tool (provided by David
Keeler) needs to be updated to take this into account.
https://crt.sh/?sha1=d92b8d4859538692e435ad78dd876b03601eae96
- PEM too long
https://crt.sh/?sha1=3948a71e4b39768a016fa3b13175e41197f8bf28
- PEM too long
Kathleen, what's the size limit? Can it be increased?
Size limit for PEM is 7,500 characters.
The two certs listed above have PEM character counts greater than 29,800.
Hopefully there are not a lot of intermediate certs that have PEM data
that is larger than 7500 characters. So, I think those are exceptional
cases that can be handled by entering the data manually (rather than
supplying the PEM).
If there are no objections to this approach, then I will ask my
consultant to update the error to indicate that the cert's data should
be entered by hand when the PEM is too long, and I will also update the
CA:SalesforceCommunity wiki page with this info.
Thanks,
Kathleen
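An added example, not code from the thread or from the PEM->JSON tool it mentions: a small DER walker that reads a NameConstraints value and reports whether excludedSubtrees carries both the 8-zero-octet IPv4 entry and the 32-zero-octet IPv6 entry quoted from the Inclusion Policy. The sample values are constructed here; `IPV4_ONLY` mirrors the shape of the four intermediates discussed above.

```python
# Added example (not from the thread): check whether a DER-encoded
# NameConstraints value excludes the full IPv4 *and* IPv6 address ranges.

IPV4_ALL = bytes(8)    # iPAddress 0.0.0.0/0: 4-byte address + 4-byte mask
IPV6_ALL = bytes(32)   # iPAddress ::/0: 16-byte address + 16-byte mask


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, contents, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def excluded_ip_subtrees(name_constraints):
    """Return the iPAddress entries found in excludedSubtrees."""
    tag, body, _ = _read_tlv(name_constraints, 0)
    if tag != 0x30:
        raise ValueError("NameConstraints must be a SEQUENCE")
    ips, pos = [], 0
    while pos < len(body):
        tag, subtrees, pos = _read_tlv(body, pos)
        if tag != 0xA1:                     # [1] excludedSubtrees; [0] permitted is skipped
            continue
        p = 0
        while p < len(subtrees):
            _, subtree, p = _read_tlv(subtrees, p)   # GeneralSubtree SEQUENCE
            gtag, base, _ = _read_tlv(subtree, 0)    # first element: base GeneralName
            if gtag == 0x87:                         # [7] iPAddress
                ips.append(base)
    return ips


def excludes_all_ip(name_constraints):
    """True only if both 0.0.0.0/0 and ::/0 appear in excludedSubtrees."""
    ips = excluded_ip_subtrees(name_constraints)
    return IPV4_ALL in ips and IPV6_ALL in ips


# --- constructed sample values (short-form DER lengths are enough here) ---
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body


def _constraints(excluded_ips):
    permitted = _tlv(0xA0, _tlv(0x30, _tlv(0x82, b"example.com")))   # [2] dNSName
    excluded = _tlv(0xA1, b"".join(_tlv(0x30, _tlv(0x87, ip)) for ip in excluded_ips))
    return _tlv(0x30, permitted + excluded)


IPV4_ONLY = _constraints([IPV4_ALL])                 # shape of the four intermediates
IPV4_AND_IPV6 = _constraints([IPV4_ALL, IPV6_ALL])   # what the policy requires

if __name__ == "__main__":
    print(excludes_all_ip(IPV4_ONLY), excludes_all_ip(IPV4_AND_IPV6))  # False True
```

The value passed in is the contents of the Name Constraints extension (OID 2.5.29.30), i.e. the DER inside the extension's OCTET STRING, which any X.509 parser can hand you.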