Hi Erwann,

Thanks for your review. You raise some valid points.

It is clear that the SAN should only contain a dNSName or iPAddress. We will alter the test certificates accordingly ASAP.

The OCSP concerns are under investigation. We will share the results as they become available.

Thanks.

Kind regards,
Douglas Skirving
Chain Administrator PKIoverheid

-----Original message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+douglas.skirving=logius...@lists.mozilla.org] On behalf of Erwann Abalea
Sent: Wednesday 29 October 2014 23:19
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Staat der Nederlanden Root Renewal Request

On Thursday 23 October 2014 20:51:40 UTC+2, Kathleen Wilson wrote:
> Staat der Nederlanden has applied to include the "Staat der
> Nederlanden Root CA - G3" and "Staat der Nederlanden EV Root CA" root
> certificates; turn on the Websites and Email trust bits for the "Staat
> der Nederlanden Root CA - G3" root; turn on the Websites trust bit for
> the "Staat der Nederlanden EV Root CA"; and enable EV treatment for
> the "Staat der Nederlanden EV Root CA" root. The "Staat der Nederlanden Root
> CA - G3" root will eventually replace the first and second generations of this
> root that were included via Bugzilla Bug #243424 and Bug #436056.

[...]

> * EV Policy OID: 2.16.528.1.1003.1.2.7
>
> * Root Cert URLs
> http://cert.pkioverheid.nl/RootCA-G3.cer
> http://cert.pkioverheid.nl/EVRootCA.cer
>
> * Test Websites
> https://roottest-g3.pkioverheid.nl

The subscriber certificate has a UPN entry type in the SAN extension. This is not accepted under BR (see 9.2.1, "[...] Each entry MUST be either a dNSName containing the Fully-Qualified Domain Name or an iPAddress containing the IP address of a server. [...]").

> https://pkioevssl-v.quovadisglobal.com/

This subscriber certificate also has a UPN entry in the SAN.

> * CRL
> http://crl.pkioverheid.nl/RootLatestCRL-G3.crl
> http://crl.pkioverheid.nl/DomOrganisatieServicesLatestCRL-G3.crl
> http://crl.pkioverheid.nl/DomOrganisatiePersoonLatestCRL-G3.crl
> http://crl.pkioverheid.nl/DomBurgerLatestCRL-G3.crl
> http://crl.pkioverheid.nl/DomAutonomeApparatenLatestCRL-G3.crl
> http://cert.managedpki.com/crl/KPNCorporateMarketCSPOrganisatieServicesCAG3/LatestCRL.crl
>
> http://crl.pkioverheid.nl/EVRootLatestCRL.crl
> http://crl.pkioverheid.nl/EVIntermediairLatestCRL.crl
> http://crl.quovadisglobal.com/pkioevca.crl
>
> * OCSP
> http://rootocsp-g3.pkioverheid.nl
> http://domorganisatieservicesocsp-g3.pkioverheid.nl
> http://ocsp3.managedpki.com
> http://evrootocsp.pkioverheid.nl
> http://ocsp.pkioverheid.nl
> http://ocsp.quovadisglobal.com

OCSP services are OK, but:
- the ones hosted at *.pkioverheid.nl return a response bigger than necessary (the whole certificate chain including the root)
- the one at ocsp.quovadisglobal.com returns wrongly formatted "Expires" and "Last-Modified" HTTP headers (see RFC2616 3.3.1)

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
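As an added example (not part of the thread, and not PKIoverheid's or QuoVadis's code): a strict checker for the date-valued HTTP headers an OCSP responder sends, testing them against the RFC 1123 form that RFC 2616 3.3.1 requires HTTP/1.1 senders to generate. The header values in SAMPLE_HEADERS are constructed to show typical mistakes, not captured from any real responder.

```python
import re
from datetime import datetime, timezone
from typing import Dict, Optional

# RFC 2616 3.3.1: HTTP/1.1 senders MUST generate the RFC 1123 form,
#   rfc1123-date = wkday "," SP date1 SP time SP "GMT"   e.g. "Sun, 06 Nov 1994 08:49:37 GMT"
WKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
RFC1123_RE = re.compile(
    r"^(?P<wkday>" + "|".join(WKDAYS) + r"), "
    r"(?P<day>\d{2}) (?P<mon>" + "|".join(MONTHS) + r") (?P<year>\d{4}) "
    r"(?P<hour>\d{2}):(?P<min>\d{2}):(?P<sec>\d{2}) GMT$")


def check_http_date(value: str) -> Optional[str]:
    """None if value is a well-formed RFC 1123 HTTP-date, else what is wrong."""
    m = RFC1123_RE.match(value)
    if not m:
        return "not in RFC 1123 form (wkday, DD Mon YYYY HH:MM:SS GMT)"
    try:
        dt = datetime(int(m["year"]), MONTHS.index(m["mon"]) + 1, int(m["day"]),
                      int(m["hour"]), int(m["min"]), int(m["sec"]), tzinfo=timezone.utc)
    except ValueError as exc:  # e.g. 31 Sep, hour 25
        return f"impossible date/time: {exc}"
    if WKDAYS[dt.weekday()] != m["wkday"]:  # the weekday must agree with the date
        return f"weekday {m['wkday']} does not match the date (expected {WKDAYS[dt.weekday()]})"
    return None


def check_ocsp_cache_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Validate the date-valued headers an OCSP responder sends for HTTP caching.
    Returns {header: problem} for each malformed header (empty dict = all fine).
    Header names are matched case-insensitively, as HTTP requires."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = {}
    for name in ("Date", "Last-Modified", "Expires"):
        problem = check_http_date(lowered[name.lower()]) if name.lower() in lowered else None
        if problem is not None:
            findings[name] = problem
    return findings


# Constructed sample response headers (not captured from any real responder).
SAMPLE_HEADERS = {
    "Date": "Wed, 29 Oct 2014 22:19:00 GMT",        # well-formed
    "Last-Modified": "2014-10-29 22:19:00",          # ISO-style, not an HTTP-date
    "Expires": "Thu, 29 Oct 2014 23:19:00 UTC",      # "UTC" instead of "GMT"
}
```

Calling check_ocsp_cache_headers(SAMPLE_HEADERS) flags Last-Modified and Expires and accepts Date; the same function can be fed the headers of a live responder's reply to reproduce the check described above.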