On Sunday, 15 March 2015 01:59:10 UTC+1, Peter Bowen wrote:
> I've been trying to figure out what is required, forbidden, and
> optional for X.509 certificates that conform to the Mozilla
> requirements. It isn't all that easy given the indirection in the
> requirements (you need at least the CA/Browser Forum Baseline
> Requirements, RFC 5280, RFC 4519, and probably some other 451x RFCs).
>
> I've generated two sample chains (including the roots).
>
> https://gist.github.com/anonymous/7bfeaeea344f0ea8b5a8 (Root with RSA key)
> https://gist.github.com/anonymous/868ee4381d059f26e675 (Root with EC key)
>
> Does anyone see any issues with any of the certificates in these chains?
>
> Thanks,
> Peter
The "Internet Authority 1A" CA has no countryName attribute; it is mandatory.

The "Eggman Root CA 2" CA has no countryName and no organizationName attributes; they are both mandatory.

The "Eggman Internet Authority" CA has no countryName attribute and no CertificatePolicies extension; both are mandatory.

The "www.example.org" ECC certificate has no AIA:OCSP extension; this is only valid if the OCSP status is stapled to the TLS handshake. I personally consider this highly suspicious for the moment.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
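The findings in the reply above (missing countryName and organizationName in a CA subject, a missing CertificatePolicies extension, and an end-entity certificate with no OCSP URI in its AIA extension) can be turned into a small lint pass with the openssl CLI. The script below is an added example, not code from the thread or from Mozilla; it assumes an openssl 1.1.1 or newer binary on PATH (for `req -addext`), and the self-signed certificates it generates are constructed throwaways that only reuse the subject names quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): lint X.509 certificates for the
# attributes and extensions discussed above, using only the openssl CLI.
# Assumes openssl 1.1.1+ on PATH.

# has_subject_attr <pem> <long-attribute-name>
# "-nameopt sep_multiline,lname" prints one subject attribute per line with
# its long name (countryName, organizationName, commonName ...).
has_subject_attr() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,lname \
    | grep -q "^ *$2 *="
}

# has_ext <pem> <string as printed by "openssl x509 -text">
has_ext() {
  openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# lint_ca_cert <pem>: one line per finding on stdout, returns 1 if any.
lint_ca_cert() {
  rc=0
  has_subject_attr "$1" countryName \
    || { echo "$1: subject has no countryName (C)"; rc=1; }
  has_subject_attr "$1" organizationName \
    || { echo "$1: subject has no organizationName (O)"; rc=1; }
  has_ext "$1" "X509v3 Certificate Policies" \
    || { echo "$1: no CertificatePolicies extension"; rc=1; }
  return $rc
}

# lint_ee_cert <pem>: an end-entity certificate must point at an OCSP
# responder through AIA unless the server staples OCSP responses.
lint_ee_cert() {
  has_ext "$1" "OCSP - URI:" \
    || { echo "$1: no OCSP responder in Authority Information Access"; return 1; }
  return 0
}

# --- constructed sample certificates (self-signed throwaways) -----------
WORK=$(mktemp -d)

# gen <out.pem> <subject> [extra openssl req args such as -addext ...]
gen() {
  out=$1; subj=$2; shift 2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$WORK/key.pem" \
    -out "$out" -subj "$subj" "$@" 2>/dev/null
}

# Root subject as in the thread: only a commonName, no C, no O, no policies.
gen "$WORK/root-bad.pem"  "/CN=Eggman Root CA 2"
# Same root with the mandatory attributes and a policy OID added
# (2.23.140.1.2.1 is the CA/Browser Forum domain-validated policy).
gen "$WORK/root-good.pem" "/C=US/O=Eggman/CN=Eggman Root CA 2" \
    -addext "certificatePolicies=2.23.140.1.2.1"
# End-entity certificate without and with an AIA OCSP pointer
# (http://ocsp.example.org is a placeholder responder URL).
gen "$WORK/ee-bad.pem"  "/CN=www.example.org"
gen "$WORK/ee-good.pem" "/CN=www.example.org" \
    -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.org"

for f in root-bad root-good; do
  echo "== $f"; lint_ca_cert "$WORK/$f.pem" || true
done
for f in ee-bad ee-good; do
  echo "== $f"; lint_ee_cert "$WORK/$f.pem" || true
done
```

Run it as-is to see three findings for the first root and one for the first end-entity certificate; point `lint_ca_cert` or `lint_ee_cert` at any PEM file to check a real chain. The checks match the printed output of `openssl x509 -text`, so they are a quick triage pass rather than a substitute for a full Baseline Requirements lint.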