On Sun, 26 Jan 2020 01:59:33 -0800 (PST) Ian Carroll via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> These certificates expired in 2019 and are thus no longer a problem,
> but they were actively used by the customer (e.infinityspeakers.com
> still serves one of them) and it does not appear anyone has noticed.

I guess this is the most relevant part here. No one has noticed.

I see that a lot of people are having fun pointing out these issues again and again to show how sloppy CAs work. Which is fine I guess, but it leads to the question what the point of all this is.

Maybe it's time to change the WebPKI rules to reflect that - either say "any information in a certificate that is not the CN/SAN is yolo and can be whatever and web clients should make sure they never display that information" or "any useless extra information should be skipped".

Let's be honest: There are two reasons these extra fields exist in the first place, and no good one. One reason is they are legacy baggage from the X.509 standard. If we'd rewrite the webpki today we wouldn't have such fields. The other is that they are upselling features where CAs can create the illusion that there are more or less valuable certificates.

-- 
Hanno Böck
https://hboeck.de/

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy