On Saturday, July 14, 2018 at 1:16:58 AM UTC+8, Wayne Thayer wrote:
> In effect, this is saying that CAs should be permitted to break
> well-defined rules when they find them inconvenient. This is the second
> example in which Chunghwa Telecom has argued that it's okay to do this
> (along with the Taiwan State/Locality issue). While I can sympathize with
> Chunghwa Telecom's reason for doing this, it is quite troubling because it
> implies that Chunghwa Telecom may be willing to ignore any of the rules
> they disagree with.
>
> I disagree that the discussion string referenced above did not reach a
> conclusion. A number of interoperability concerns were raised, causing the
> proposal to be rejected. By violating RFC 5280 in this manner, Chunghwa
> Telecom has created an additional burden and risk for Mozilla by expecting
> our software to accommodate non-standards-compliant certificates.

Dear Wayne,

   We used automated tools (based on zlint, x509lint) to check all to-be-signed
SSL certificates from June 22, 2018. So there will be no SSL certificates with
those two issues in the future.

   Our vetting person had checked the mainstream browsers such as Firefox
before the RA Officer approved the certificate request of crt.sh ID 336874396.
There is no issue with an OU longer than 64 characters in Firefox, such as
https://mail.gov.vc/. He just asked me to help express his thoughts for
discussion.


Sincerely Yours,

            Li-Chun
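
The kind of pre-issuance check discussed in this message, as an added example that is not part of the original post and is not code from zlint, x509lint or the CA's own tooling: it flags subject attribute values longer than the RFC 5280 Appendix A upper bounds (64 characters for OU) before anything is signed. The function names and the sample subjects are hypothetical; the parser handles backslash-escaped characters only, not multi-valued RDNs or hex escapes.

```python
# Added example: subject length lint run before signing (illustrative only).

# Upper bounds, in characters, from RFC 5280 Appendix A (ub-* constants).
UPPER_BOUNDS = {
    "CN": 64,   # ub-common-name
    "O": 64,    # ub-organization-name
    "OU": 64,   # ub-organizational-unit-name
    "L": 128,   # ub-locality-name
    "ST": 128,  # ub-state-name
    "C": 2,     # ub-country-name-alpha-length
}

def parse_dn(dn):
    """Split a comma-separated DN string into (type, value) pairs."""
    pairs, buf, escaped = [], [], False
    for ch in dn + ",":              # trailing comma flushes the last RDN
        if escaped:                  # keep the escaped character literally
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            attr, _, value = "".join(buf).partition("=")
            pairs.append((attr.strip().upper(), value.strip()))
            buf = []
        else:
            buf.append(ch)
    return pairs

def lint_subject(dn):
    """Return (attribute, length, bound) for every value over its bound."""
    findings = []
    for attr, value in parse_dn(dn):
        bound = UPPER_BOUNDS.get(attr)
        # len() counts characters, not UTF-8 bytes, matching the ub-* units.
        if bound is not None and len(value) > bound:
            findings.append((attr, len(value), bound))
    return findings

def may_sign(dn):
    """Pre-issuance gate: refuse to sign when any bound is exceeded."""
    return not lint_subject(dn)

# Constructed sample subjects (not taken from any real certificate).
LONG_OU = "Unit " + "x" * 60         # 65 characters, one over the bound
SAMPLE_OK = "C=TW,O=Example Org\\, Ltd.,OU=IT,CN=www.example.com"
SAMPLE_BAD = "C=TW,O=Example Org,OU=" + LONG_OU + ",CN=www.example.com"

if __name__ == "__main__":
    for subject in (SAMPLE_OK, SAMPLE_BAD):
        print(may_sign(subject), lint_subject(subject))
```

Running the gate on the to-be-signed subject, rather than on the issued certificate, is what keeps an over-length value from ever reaching the signing step.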

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
