RFC 5280 section 4.1.2.2 says:

> Conforming CAs MUST NOT use serialNumber values longer than 20 octets.

There are two CAs that appear to misissue certificates with serial numbers that are longer than 20 octets on an ongoing basis:

- Certinomis
- TI Trust Technologies (chains up to a Baltimore/DigiCert root)

Here is a list of 40 certificates with this error: https://misissued.com/batch/2/

Jonathan

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
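An added check, not part of the post above nor any CA's tooling, that walks the DER prefix of a certificate to measure the serialNumber INTEGER's content length against the 20-octet limit of RFC 5280 4.1.2.2. The sample certificate bytes are constructed and truncated right after the serial; the encoder also shows the usual cause of this misissuance, a 20-byte value whose top bit is set and therefore needs a 21st (leading 0x00) octet in DER.

```python
"""RFC 5280 4.1.2.2: serialNumber MUST NOT be longer than 20 octets (DER content)."""

MAX_SERIAL_OCTETS = 20


def der_integer_content(value: int) -> bytes:
    """Minimal two's-complement DER INTEGER content for a non-negative value.
    If the top bit of the leading byte is set, DER prepends 0x00, so a
    20-byte random serial with its top bit set encodes to 21 octets."""
    if value < 0:
        raise ValueError("certificate serial numbers must be positive")
    return value.to_bytes((value.bit_length() + 8) // 8, "big")


def der_tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER tag/length header (short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV header at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def serial_octets_from_der(cert: bytes) -> int:
    """Octet length of the serialNumber INTEGER in a DER-encoded Certificate."""
    tag, pos, _ = _read_tlv(cert, 0)       # Certificate ::= SEQUENCE
    assert tag == 0x30, "expected Certificate SEQUENCE"
    tag, pos, _ = _read_tlv(cert, pos)     # tbsCertificate SEQUENCE
    assert tag == 0x30, "expected TBSCertificate SEQUENCE"
    tag, start, end = _read_tlv(cert, pos) # optional [0] EXPLICIT version
    if tag == 0xA0:
        tag, start, end = _read_tlv(cert, end)
    assert tag == 0x02, "serialNumber must be an INTEGER"
    return end - start


def serial_is_conforming(cert: bytes) -> bool:
    return serial_octets_from_der(cert) <= MAX_SERIAL_OCTETS


def fake_cert_with_serial(value: int) -> bytes:
    """Constructed sample: only the leading fields of a Certificate (version v3
    and serialNumber), which is all the parser above needs to look at."""
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))
    serial = der_tlv(0x02, der_integer_content(value))
    return der_tlv(0x30, der_tlv(0x30, version + serial))
```

A serial generated as 159 random bits (or 160 bits with the top bit cleared) always fits; a full 160-bit random value fails whenever its top bit is set.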