On 2016-09-01 14:21, Matt Palmer wrote:
> On Thu, Sep 01, 2016 at 10:53:36AM +0300, Eddy Nigg wrote:
> > On 09/01/2016 04:20 AM, Matt Palmer wrote:
> > > You were knowingly violating a MUST provision of RFC5280.
> > From experience there have been many RFC violations, sometimes even
> > knowingly and intentionally by software vendors (browsers), certificate
> > authorities and even policy writers such as CAB Forum.
> "They did it too" is not a persuasive argument coming from my
> four-year-olds. It is no more persuasive coming from a Certification
> Authority.
> In the interests of the community being fully informed of StartCom's
> compliance with the standards which underlie the integrity of the web PKI,
> I'll ask the question again: what *other* MUST provisions of RFC5280, the
> CA/B Forum BRs, and other relevant specifications and guidance relevant to
> the operation of a Certification Authority present in the Mozilla trust
> store, is StartCom currently not in compliance with? Have your auditors
> proactively been made aware of these deficiencies?
I can actually give an example of that. If the certificate is
individual-validated, they have a givenName, surname, localityName and
stateOrProvinceName, but no organizationName. This is actually a
violation of the BR requirements. The BR requirements say that it
should either also have an organizationName, or the localityName and
stateOrProvinceName should be removed. So one option is to replace the
givenName and surname by an organizationName. But I think this is just
a case where the BRs are wrong and should get fixed. There has at least
been some discussion about that, but the change still isn't approved.
Kurt
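A concrete form of the subject check Kurt describes, added here as an illustration and not code from the thread or from any CA's tooling. The subject is modelled as a list of (attribute, value) pairs as a certificate parser would hand back, and the sample values are constructed; both are assumptions.

```python
from typing import Iterable, List, Tuple

# Subject attribute names as used in the thread.
ORG, LOC, STATE, GIVEN, SURNAME = (
    "organizationName", "localityName", "stateOrProvinceName",
    "givenName", "surname",
)
Subject = List[Tuple[str, str]]


def lint_subject(subject: Iterable[Tuple[str, str]]) -> List[str]:
    """Findings for the BR rule discussed in the thread: localityName and
    stateOrProvinceName are only permitted alongside organizationName.
    An empty list means the subject passes this one check."""
    present = {attr for attr, _ in subject}
    geo = sorted(present & {LOC, STATE})
    findings: List[str] = []
    if geo and ORG not in present:
        findings.append(f"{'/'.join(geo)} present without {ORG}")
        if present & {GIVEN, SURNAME}:
            findings.append(
                f"individual-validated subject: add {ORG} or drop {'/'.join(geo)}")
    return findings


def drop_geo(subject: Subject) -> Subject:
    """Remediation 1 from the thread: remove localityName/stateOrProvinceName."""
    return [(a, v) for a, v in subject if a not in (LOC, STATE)]


def replace_name_with_org(subject: Subject) -> Subject:
    """Remediation 2 from the thread: replace givenName + surname with a
    single organizationName built from them; other attributes keep order."""
    parts = {a: v for a, v in subject if a in (GIVEN, SURNAME)}
    org = " ".join(p for p in (parts.get(GIVEN), parts.get(SURNAME)) if p)
    rest = [(a, v) for a, v in subject if a not in (GIVEN, SURNAME)]
    return [(ORG, org)] + rest if org else rest


# Constructed sample: an individual-validated subject of the shape Kurt describes.
SAMPLE: Subject = [
    (GIVEN, "Jane"), (SURNAME, "Doe"),
    (LOC, "Sampletown"), (STATE, "Sampleshire"),
    ("countryName", "IL"), ("commonName", "example.org"),
]

if __name__ == "__main__":
    for s in (SAMPLE, drop_geo(SAMPLE), replace_name_with_org(SAMPLE)):
        print(s, "->", lint_subject(s) or "ok")
```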
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy