(Whoops, accidentally originally CC'd to m.d.s originally! Original mail was to IdenTrust)
Hi,

The following certificates appear to be misissued:

https://crt.sh/?id=77893170&opt=cablint
https://crt.sh/?id=77947625&opt=cablint
https://crt.sh/?id=78102129&opt=cablint
https://crt.sh/?id=92235995&opt=cablint
https://crt.sh/?id=92235998&opt=cablint

All of these certificates have a pathLenConstraint value with CA:FALSE; this violates 4.2.1.9 of RFC 5280:

    CAs MUST NOT include the pathLenConstraint field unless the cA boolean is asserted and the key usage extension asserts the keyCertSign bit.

Alex

--
"I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: D1B3 ADC0 E023 8CA6
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
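The RFC 5280 4.2.1.9 rule quoted in the mail above, written as a standalone lint check. This is an added example, not part of the original mail and not cablint's code; the function names and the DER sample values are constructed for illustration, and the inputs are assumed to be the raw extnValue contents of the basicConstraints and keyUsage extensions.

```python
from typing import List, Optional, Tuple

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def parse_basic_constraints(ext_value: bytes) -> Tuple[bool, Optional[int]]:
    """Decode SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }."""
    tag, body, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("BasicConstraints is not a SEQUENCE")
    ca, path_len, pos = False, None, 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag == 0x01:      # BOOLEAN: cA (omitted in DER when FALSE)
            ca = value != b"\x00"
        elif tag == 0x02:    # INTEGER: pathLenConstraint
            path_len = int.from_bytes(value, "big", signed=True)
    return ca, path_len

def has_key_cert_sign(key_usage_value: Optional[bytes]) -> bool:
    """keyCertSign is bit 5 of the KeyUsage BIT STRING: mask 0x04 of the first data octet."""
    if not key_usage_value:
        return False
    tag, value, _ = read_tlv(key_usage_value, 0)
    return tag == 0x03 and len(value) >= 2 and bool(value[1] & 0x04)

def lint_path_len(bc_value: bytes, ku_value: Optional[bytes]) -> List[str]:
    """Return findings for pathLenConstraint used without cA / keyCertSign."""
    ca, path_len = parse_basic_constraints(bc_value)
    findings = []
    if path_len is not None:
        if not ca:
            findings.append("pathLenConstraint present but cA is not asserted")
        if not has_key_cert_sign(ku_value):
            findings.append("pathLenConstraint present but keyCertSign is not asserted")
    return findings

# Constructed DER extension values (not taken from the certificates listed above)
BC_EE_WITH_PATHLEN = bytes.fromhex("3003020100")        # CA:FALSE, pathlen:0
BC_CA_WITH_PATHLEN = bytes.fromhex("30060101ff020100")  # CA:TRUE, pathlen:0
KU_EE = bytes.fromhex("030205a0")   # digitalSignature, keyEncipherment
KU_CA = bytes.fromhex("03020106")   # keyCertSign, cRLSign
```
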

