Ryan Sleevi <r...@sleevi.com> writes:

>Do you believe it’s still applicable in the Web PKI of the past decade?

Yes, the specific cert I referenced is currently valid and passed WebTrust and
EV audits.

>If you could link to the crt.sh entry, that might be easier.

Here's the Microsoft one I mentioned:

  Microsoft RSA Root Certificate Authority 2017


There are numerous others.  This particular one isn't just a CA cert, it's a
root cert.

>It could be that you’re referencing the use of BMPString

I'm just quoting X509lint:

   ERROR: URL contains a null character

Given that this was exposed as a major security hole ten years ago, I was
surprised when someone notified me that these things exist, and that no-one
seems to have done anything about it.

dev-security-policy mailing list