On 5/20/14, 10:03 AM, Kurt Roeckx wrote:
> I've been working on checking that certificates made by the CAs
> are following requirements, and how it changes over time. You can
> see the results at:
> http://www.roeckx.be/certificates/
>
> Kurt

Kurt, Great work! Thank you for sharing this analysis!

> Conclusions
> Some of the CA/Browser Forum baseline requirements seem to be getting
> adopted well, but there are still some certificates generated that
> don't follow the requirements. Other requirements don't seem to get
> adopted. Those that don't get adopted seem to have to do with things
> about the CA itself and not with the subject of the certificates.

Maybe we should revisit the idea of a "wall of shame", and publicly list the CAs who are still issuing certificates with the following problems:
* No Subject alternative name extension
* Fails decoding the character set
* Contains control characters
* Certificate not version 3
* Long-lived certs (beyond what BRs allow)


> There is a surprising amount of long lived certificates.
> This results in it taking a long time to get those
> requirements adopted.

Yep. Long-lived certs are definitely a problem.
It's also impeded phasing out 1024-bit certs.


> News
> May 2013: I've been contacting CAs about the missing subject
> alternative name extension, since I think that's currently the
> biggest problem. Hopefully we'll see things improve over time.

Thank you for doing that! How has it been going?

Kathleen


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
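The problem list in Kathleen's reply, as an added example that is not part of the thread or of Kurt's checker: a Go program using only the standard library's crypto/x509 that applies three of those checks (X.509 version, missing subjectAltName, validity length) to a parsed certificate. The maximum validity passed in and the constructed self-signed test certificate are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

var sanOID = []int{2, 5, 29, 17} // id-ce-subjectAltName

// CheckCert applies three checks from the list above to a parsed certificate
// and returns one finding per problem; an empty result means it passed.
func CheckCert(c *x509.Certificate, maxValidity time.Duration) []string {
	var findings []string
	if c.Version != 3 {
		findings = append(findings, "certificate not version 3")
	}
	hasSAN := false
	for _, e := range c.Extensions { // inspect the raw extension list, not DNSNames
		hasSAN = hasSAN || e.Id.Equal(sanOID)
	}
	if !hasSAN {
		findings = append(findings, "no subjectAltName extension")
	}
	if c.NotAfter.Sub(c.NotBefore) > maxValidity {
		findings = append(findings, "validity period exceeds the allowed maximum")
	}
	return findings
}

// MakeTestCert builds a constructed self-signed certificate (not one issued by
// any real CA) so the checks run offline. Go emits v3 and omits SAN when dnsNames is empty.
func MakeTestCert(cn string, dnsNames []string, days int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: dnsNames,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Duration(days) * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}
```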
