On Friday, 20 June 2014 01:20:56 UTC+2, Kathleen Wilson wrote:
> China Financial Certification Authority (CFCA) has applied to include 
> the "CFCA GT CA" and "CFCA EV ROOT" root certificates, turn on all three 
> trust bits for the "CFCA GT CA" root certificate, turn on the websites 
> trust bit for the "CFCA EV ROOT" root certificate, and enable EV 
> treatment for the "CFCA EV ROOT" certificate.
[...]


Under "CFCA GT CA" root:

https://cs.cfca.com.cn/cgi-bin/ 
- subscriber certificate doesn't contain the mandatory SAN extension (CABF BR 
section 9.2.1)
- MIME type of AIA:caIssuers URI is invalid ("text/plain")
- MIME type of CRLDP URI is invalid ("text/plain")
- CRL obtained by the CRLDP keeps the same CRLNumber value (1) while its 
lastUpdate changes; this is forbidden by X.509/RFC5280

Duplicate issuer+serial number found for the issuing CA (CN=CFCA OCA2). One 
certificate (sha256WithRSA-signed, expiration in 2032) is sent by the test web 
server, the other (sha1WithRSA-signed, expiration in 2026) is obtained by the 
AIA:caIssuer extension, both have the same information including the serial 
number (0x29ad8db84e). This is forbidden by X.509/RFC5280.
MIME type of CRLDP URI of this intermediate certificate is also invalid.

OCSP responder behind http://ocsp.cfca.com.cn/ocsp, when validating the 
subscriber certificate, has a 1024-bit key and is valid for 5 years (and a 
useless CRLDP extension).

OCSP responder behind http://ocsp.cfca.com.cn/ocsp, when validating the 
intermediate certificate, has the same problems.

There's no trace of a report by a Qualified Auditor about the generation of 
this root key (see CABF BR section 17.7); this is mandatory for keys generated 
after 1 July 2012.


Under "CFCA EV ROOT" root:

https://pub.cebnet.com.cn
- subscriber certificate doesn't contain the mandatory SAN extension (CABF BR 
section 9.2.1)
- MIME type of AIA:caIssuers URI is invalid ("text/plain")
- MIME type of CRLDP URI is invalid ("text/plain")
- CRL obtained by the CRLDP keeps the same CRLNumber value (1) while its 
lastUpdate changes; this is forbidden by X.509/RFC5280

MIME type of CRLDP URI of the intermediate certificate is also invalid.

OCSP responder behind http://ocsp.cfca.com.cn/ocsp, when validating the 
subscriber certificate, has a 1024-bit key with a 5-year validity (and a 
useless CRLDP extension).

OCSP responder behind http://ocsp.cfca.com.cn/ocsp, when validating the 
intermediate certificate, has the same problems.

There's no trace of a report by a Qualified Auditor about the generation of 
this root key (see CABF BR section 17.7); this is mandatory for keys generated 
after 1 July 2012.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
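As an added illustration (not part of the post above, nor CFCA's or Mozilla's code), the RFC 5280 and CA/B Forum rules behind the findings in the post, written as checks that run over constructed observations. Only the serial number 0x29ad8db84e comes from the post; issuer names, fingerprints and dates are made-up placeholders.

```python
# MIME types RFC 5280 names for the two HTTP pointers the post exercises:
# AIA caIssuers (section 4.2.2.1) and CRL distribution point (section 4.2.1.13).
CAISSUERS_MIME = {"application/pkix-cert", "application/pkcs7-mime"}
CRLDP_MIME = {"application/pkix-crl"}


def check_mime(kind, content_type):
    """Return a finding for an AIA:caIssuers or CRLDP fetch, or None if the type is valid."""
    allowed = CAISSUERS_MIME if kind == "caIssuers" else CRLDP_MIME
    base = content_type.split(";")[0].strip().lower()
    return None if base in allowed else f"{kind}: invalid MIME type {content_type!r}"


def check_crl_numbers(fetches):
    """fetches: (lastUpdate, cRLNumber) pairs from successive downloads of one CRL.
    RFC 5280 section 5.2.3 requires cRLNumber to increase with each newly issued CRL,
    so a changed lastUpdate with an unchanged (or lower) number is a finding."""
    findings = []
    for (t0, n0), (t1, n1) in zip(fetches, fetches[1:]):
        if t1 != t0 and n1 <= n0:
            findings.append(f"lastUpdate moved {t0} -> {t1} but cRLNumber stayed at {n1}")
    return findings


def check_issuer_serial(certs):
    """certs: dicts with issuer, serial, fingerprint. RFC 5280 section 4.1.2.2 requires
    the serial to be unique per issuer; two distinct certificates sharing one is a finding."""
    seen, findings = {}, []
    for c in certs:
        key = (c["issuer"], c["serial"])
        if key in seen and seen[key] != c["fingerprint"]:
            findings.append(f"duplicate issuer+serial {c['issuer']} / {c['serial']:#x}")
        seen.setdefault(key, c["fingerprint"])
    return findings


def check_subscriber(cert, caissuers_type, crldp_type):
    """Combine the per-certificate checks; cert carries a 'san' list (empty when absent)."""
    findings = [f for f in (check_mime("caIssuers", caissuers_type),
                            check_mime("CRLDP", crldp_type)) if f]
    if not cert["san"]:
        findings.insert(0, "subscriber certificate has no subjectAltName extension (BR 9.2.1)")
    return findings


# Constructed observations mirroring the post's findings (the serial is the one quoted
# in the post; issuer names, fingerprints and dates are made-up placeholders).
SUBSCRIBER = {"issuer": "CN=CFCA OCA2", "serial": 0x1234, "fingerprint": "aa", "san": []}
CRL_FETCHES = [("2014-06-01", 1), ("2014-06-08", 1)]
OCA2_COPIES = [{"issuer": "<issuer of OCA2>", "serial": 0x29AD8DB84E, "fingerprint": "sha256-chain"},
               {"issuer": "<issuer of OCA2>", "serial": 0x29AD8DB84E, "fingerprint": "sha1-aia"}]
```

Running `check_subscriber(SUBSCRIBER, "text/plain", "text/plain")`, `check_crl_numbers(CRL_FETCHES)` and `check_issuer_serial(OCA2_COPIES)` reproduces the three classes of finding listed for the "CFCA GT CA" hierarchy.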