Forwarding to the right (cert-related) group
-------- Forwarded Message -------- Subject: Misissued certificates - pathLenConstraint with CA:FALSE Date: Wed, 9 Aug 2017 19:25:31 -0400 From: Alex Gaynor <alex.gay...@gmail.com> To: helpd...@identrust.com, dev-secur...@lists.mozilla.org <dev-secur...@lists.mozilla.org> Hi, The following certificates appear to be misissued: https://crt.sh/?id=77893170&opt=cablint https://crt.sh/?id=77947625&opt=cablint https://crt.sh/?id=78102129&opt=cablint https://crt.sh/?id=92235995&opt=cablint https://crt.sh/?id=92235998&opt=cablint All of these certificates have a pathLenConstraint value with CA:FALSE, this violates 4.2.1.9 of RFC 5280: CAs MUST NOT include the pathLenConstraint field unless the cA boolean is asserted and the key usage extension asserts the keyCertSign bit. Alex -- "I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire) "The people's good is the highest law." -- Cicero GPG Key fingerprint: D1B3 ADC0 E023 8CA6 _______________________________________________ dev-security mailing list dev-secur...@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy