While it is very hard to validate the subject content of certificates outside of DNS names, there are a number of heuristics that may be useful to trigger a deeper check to ensure that the data is accurate.
A couple of these that I've found useful are:

1) If stateOrProvince or Locality type attributes contain a Number, this is a red flag. I've yet to find any verified legitimate case where this is correct.
2) If any attribute, other than those of type postalCode or organizationalUnit, contains only a single character, this is also a red flag. There could be valid cases, but they appear to be rare based on public data.

I'm not adding these to cablint, as they are heuristics and there may be valid cases, but it is something all CAs should consider checking.

Thanks,
Peter

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
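The two heuristics above, implemented as an added example that is not part of the original post or of cablint. It works on RFC 4514-style subject strings rather than parsed X.509 structures so it runs without any certificate library; the DN strings, the `parse_dn`/`check_dn` function names and the attribute alias table are all constructed for this illustration.

```python
"""Heuristic checks on certificate subject attributes (added example).

Flags (1) a digit in stateOrProvinceName or localityName and (2) a
single-character value in any attribute other than postalCode or
organizationalUnitName, as described in the post above.
"""
import re
from typing import List, Tuple

# Short forms per RFC 4514 plus lower-cased long forms, mapped to one
# canonical attribute name so both spellings are treated alike.
ATTR_ALIASES = {
    "st": "stateOrProvinceName", "stateorprovincename": "stateOrProvinceName",
    "l": "localityName", "localityname": "localityName",
    "pc": "postalCode", "postalcode": "postalCode",
    "ou": "organizationalUnitName", "organizationalunitname": "organizationalUnitName",
    "cn": "commonName", "commonname": "commonName",
    "o": "organizationName", "organizationname": "organizationName",
    "c": "countryName", "countryname": "countryName",
    "street": "streetAddress", "streetaddress": "streetAddress",
}

# Heuristic 1: these attributes should not contain digits.
DIGITS_SUSPICIOUS_IN = {"stateOrProvinceName", "localityName"}
# Heuristic 2: these attributes may legitimately be a single character.
SINGLE_CHAR_ALLOWED = {"postalCode", "organizationalUnitName"}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 DN string into (attributeType, value) pairs.

    Backslash-escaped characters are taken literally, separators inside
    double quotes are ignored, and multi-valued RDNs (joined with '+')
    are returned as separate pairs.
    """
    components, cur, in_quotes, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1])  # escaped character, keep literally
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in ",+" and not in_quotes:
            components.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    components.append("".join(cur))

    pairs = []
    for comp in components:
        comp = comp.strip()
        if not comp:
            continue
        if "=" not in comp:
            raise ValueError(f"malformed RDN component: {comp!r}")
        attr, value = comp.split("=", 1)
        attr = attr.strip().lower()
        pairs.append((ATTR_ALIASES.get(attr, attr), value.strip()))
    return pairs


def check_subject(pairs: List[Tuple[str, str]]) -> List[str]:
    """Return one finding string per heuristic hit; empty list if clean."""
    findings = []
    for attr, value in pairs:
        if attr in DIGITS_SUSPICIOUS_IN and re.search(r"\d", value):
            findings.append(f"{attr} contains a digit: {value!r}")
        if attr not in SINGLE_CHAR_ALLOWED and len(value) == 1:
            findings.append(f"{attr} is a single character: {value!r}")
    return findings


def check_dn(dn: str) -> List[str]:
    """Parse a DN string and run both heuristics over it."""
    return check_subject(parse_dn(dn))


# Constructed sample subjects (not real certificates).
CLEAN_DN = "C=US, ST=California, L=San Francisco, O=Example Corp, CN=example.test"
SUSPECT_DN = "C=US, ST=CA 94105, L=S, O=Example Corp, OU=1, PC=94105, CN=example.test"

if __name__ == "__main__":
    for dn in (CLEAN_DN, SUSPECT_DN):
        print(dn)
        for finding in check_dn(dn) or ["  (no findings)"]:
            print("  " + finding)
```

Run on the constructed subjects, the clean DN produces no findings, while the suspect DN is flagged twice: the digits in `ST` and the one-character `L`. `OU=1` and `PC=94105` pass, matching the exceptions Peter names. A hit is meant to trigger a manual look at the validation evidence, not to reject the certificate outright.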

