The "AC FNMT Usuarios" intermediate, operated by the Government of Spain,
Fábrica Nacional de Moneda y Timbre (FNMT), issues certificates that are not
BR-compliant. This was acknowledged during the FNMT root inclusion request
discussion and allowed as long as the intermediate "never issues TLS/SSL
Recently, some certificates issued from this intermediate were logged to CT, so
we can see what they look like.
While they do not contain dnsName SANs, they do contain the anyExtendedKeyUsage
EKU which makes them technically usable for TLS server authentication and in
scope for the Mozilla Root Store Policy.
Additionally, I was able to find one of these certificates served from a TLS
server in Censys.
This is information that does not appear to have been available at the time of
the root inclusion discussion last year, so I thought I’d point it out.
dev-security-policy mailing list
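
The EKU point in the message above, as an added Go example that is not part of the original post: it classifies a certificate by whether its EKU extension leaves it usable for TLS server authentication. The function names and the self-signed test certificate are constructed for illustration (not a real FNMT certificate), and treating an absent EKU extension as unrestricted is an assumption added here, following usual X.509 validation behaviour.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// ekuAllowsServerAuth reports whether the EKU extension permits TLS server auth, and why.
func ekuAllowsServerAuth(c *x509.Certificate) (bool, string) {
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		return true, "no EKU extension" // assumption: absent EKU means unrestricted
	}
	for _, u := range c.ExtKeyUsage {
		switch u {
		case x509.ExtKeyUsageAny:
			return true, "anyExtendedKeyUsage"
		case x509.ExtKeyUsageServerAuth:
			return true, "id-kp-serverAuth"
		}
	}
	return false, "EKU excludes serverAuth"
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sampleCert builds a constructed, self-signed certificate with no dnsName
// SANs and the given EKUs; it only stands in for the certificates discussed.
func sampleCert(ekus ...x509.ExtKeyUsage) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.Add(time.Hour), ExtKeyUsage: ekus}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

func main() {
	ok, why := ekuAllowsServerAuth(sampleCert(x509.ExtKeyUsageAny))
	fmt.Println("usable for TLS server auth:", ok, "reason:", why)
}
```

A certificate restricted to, for example, clientAuth only returns false from the same check, which is the technical constraint an intermediate that must never issue TLS certificates would be expected to carry.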