Dear Ryan,
 
We will translate the Excel table into English and will upload it to the 
discussion thread today.
 
It may be helpful for other CAs to learn from this issue, and it may help 
prevent them from becoming victims of a similar incident.
 
Best Regards,
 
Sándor
 
 
Dr. Sándor SZŐKE
dep. Director of eIDAS Trust Services
 

 
Microsec Ltd.  |  Ángel Sanz Briz Road 13.
Budapest, H-1033 Hungary
Graphisoft Park Southern Area, Building C, 3rd floor
T: +36 1 802-4418  |   +36 1 505-4477 / 488
[email protected]
microsec.com
 
 
-----Original Message-----
From: Ryan Sleevi <[email protected]> 
Sent: Tuesday, March 31, 2020 11:57 PM
To: Sándor dr. Szőke <[email protected]>
Cc: mozilla-dev-security-policy <[email protected]>
Subject: Re: Microsec: Issuance of 2 IVCP precertificates without givenName, 
surName, localityName fields
 
On Tue, Mar 31, 2020 at 4:46 PM Sándor dr. Szőke via
dev-security-policy <[email protected]> wrote:
> 
> 
> > - Microsec will review the CA software looking for possible similar 
> > problems - deadline 2020-03-31
> 
> 
> Microsec has completed a detailed review of the automatic controls built into 
> the CA software. The review covered all SSL/TLS certificate types and focused 
> on the presence of required fields in the Subject DN.
> 
> Microsec first created a table with all possible Subject DN fields based on 
> the current version of the CABF BR, EVG, and Microsec CPS documents. The 
> following certification policies are included in the table: DVCP, IVCP, OVCP, 
> EVCP/QWAC, EVCP/PSD2. Microsec has collected rules for each field and policy 
> combination, which may include:
>        mandatory
>        forbidden
>        optional
 
Do you plan to share the analysis?
 
I think saying "We compiled X" isn't nearly as useful to the community
as "We analyzed X, here's what we concluded, we're looking for
feedback and/or sharing for wider review"
 
This broadly fits into the picture of
 
<https://groups.google.com/d/msg/mozilla.dev.security.policy/oP8XuNXrANw/oIYt70IiAAAJ>
 
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
