Wayne recommended that we open up a Mozilla incident ticket to track the 8 GlobalSign certificates of that do not contain the required null a parameter and thus violate the requirements of https://tools.ietf.org/html/rfc3279#section-2.3.1.
https://bugzilla.mozilla.org/show_bug.cgi?id=1554259 Hopefully the other CAs will also open up tickets and provide their analysis of how this happened so we can all learn how to avoid problems like this in the future. Initial analysis is that we accept the CSR and pass along the parameter (or not) and that this specific field is not flagged during the validation process, nor "fixed" by EJBCA when the certificate is issued. We're currently looking at our options for solving this. Doug -----Original Message----- From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Ryan Sleevi via dev-security-policy Sent: Friday, May 24, 2019 4:39 AM To: Brian Smith <br...@briansmith.org> Cc: Ryan Sleevi <r...@sleevi.com>; mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>; Wayne Thayer <wtha...@mozilla.com> Subject: Re: Policy 2.7 Proposal: Clarify Section 5.1 ECDSA Curve-Hash Requirements On Wed, May 22, 2019 at 7:43 PM Brian Smith <br...@briansmith.org> wrote: > Ryan Sleevi <r...@sleevi.com> wrote: > >> >> >>> It would be easier to understand if this is true if the proposed >>> text cited the RFCs, like RFC 4055, that actually impose the >>> requirements that result in the given encodings. >>> >> >> Could you clarify, do you just mean adding references to each of the >> example encodings (such as the above example, for the SPKI encoding)? >> > > Exactly. That way, it is clear that the given encodings are not > imposing a new requirement, and it would be clear which standard is > being used to determine to correct encoding. > Thanks, did that in https://github.com/sleevi/pkipolicy/commit/80da8acded63618a058d26c73db1e2438 a6df9ed > > I realize that determining the encoding from each of these cited specs > would require understanding more specifications, including in > particular how ASN.1 DER requires DEFAULT values to be encoded. I > would advise against calling out all of these details individually > less people get confused by inevitable omissions. > Hopefully struck the right balance. These changes are now reflected in the PR at https://github.com/mozilla/pkipolicy/pull/183 _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy