We tested IE6/IE7/IE8 on XP SP3, and IE10/IE11 on Windows 8; all support.
Firefox 3.6.3, 38 - 42, all support.
Chrome 11/45/46 support.
Safari 5.1.7 support.
Android 4.0-5.1 support.
iOS 9.1 support.

It seems there is no need to modify the BR; CAs need to update the PKI system
to delete the DNS Name.

Regards,

Richard


-----Original Message-----
From: dev-security-policy 
[mailto:dev-security-policy-bounces+richard=wosign....@lists.mozilla.org] On 
Behalf Of Richard Wang
Sent: Wednesday, November 18, 2015 6:49 PM
To: Peter Bowen <pzbo...@gmail.com>
Cc: Rob Stradling <rob.stradl...@comodo.com>; 
mozilla-dev-security-pol...@lists.mozilla.org; Peter Gutmann 
<pgut...@cs.auckland.ac.nz>
Subject: RE: [FORGED] Name issues in public certificates

We tested IE11, Firefox 42, Chrome 45 on Windows 10, all support IP address 
only now.
So we need to test the old version browsers. I will update soon.


Regards,

Richard

-----Original Message-----
From: dev-security-policy
[mailto:dev-security-policy-bounces+richard=wosign....@lists.mozilla.org] On
Behalf Of Richard Wang
Sent: Wednesday, November 18, 2015 10:41 AM
To: Peter Bowen <pzbo...@gmail.com>
Cc: Rob Stradling <rob.stradl...@comodo.com>;
mozilla-dev-security-pol...@lists.mozilla.org; Peter Gutmann
<pgut...@cs.auckland.ac.nz>
Subject: RE: [FORGED] Name issues in public certificates

Yes, all Client certificates are removed, thanks.

So WoSign is left with only the IP address issue: we added both IP address and
DNS Name since some browsers have a warning for IP address only in SAN.


Best Regards,

Richard


-----Original Message-----
From: Peter Bowen [mailto:pzbo...@gmail.com]
Sent: Wednesday, November 18, 2015 10:28 AM
To: Richard Wang <rich...@wosign.com>
Cc: Rob Stradling <rob.stradl...@comodo.com>;
mozilla-dev-security-pol...@lists.mozilla.org; Peter Gutmann
<pgut...@cs.auckland.ac.nz>
Subject: Re: [FORGED] Name issues in public certificates

Richard,

Please check the updated file I posted.  My check to exclude certain
certificates was broken in the first pass but the revised version properly
excludes them.

The content is still at
https://docs.google.com/spreadsheets/d/1lJt-1tkgKcbw5woEr4-tcpqB-M-HKwjFNSdX2jla2EU/edit?usp=sharing,
but has been updated.

Thanks,
Peter

On Tue, Nov 17, 2015 at 6:07 PM, Richard Wang <rich...@wosign.com> wrote:
> I checked your list; the Excel list numbers 6653 -- 6662,
> 29830 -- 29841, 30434 -- 30437 are all Client certificates
> without serverAuth EKU, but listed. Please check it, thanks.
>
> The attached certificate is No. 6653, please check its EKU, thanks.
>
>
> Best Regards,
>
> Richard
>
>
> -----Original Message-----
> From: Peter Bowen [mailto:pzbo...@gmail.com]
> Sent: Wednesday, November 18, 2015 12:33 AM
> To: Richard Wang <rich...@wosign.com>
> Cc: Rob Stradling <rob.stradl...@comodo.com>; Peter Gutmann
> <pgut...@cs.auckland.ac.nz>;
> mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: [FORGED] Name issues in public certificates
>
> On Tue, Nov 17, 2015 at 6:12 AM, Richard Wang <rich...@wosign.com> wrote:
>> I also found some mistakes for the list:
>> 1. I see some client certificate in the report that it say the email
>> as common name is wrong;
>
> I filtered for certificates that includes the serverAuth EKU or do not
> include any EKUs.  Can you provide an example of a clientAuth
> certificate that was incorrectly included?
>
>> 2. IP address is allowed by BR;
>
> IP addresses are only allowed in the commonName or as IPAddress type
> in the SAN extension.  If the rule is _ipv4_not_allowed_here, then
> that means that an IP address was included in a SAN as a DNS Name,
> which is disallowed. I will also fix the IP check to differentiate
> between reserved IPs (as defined in the BRs) and special purpose IPs
> (which are allowed if not reserved).  The BRs do not clearly state that
> 192.168.0.0/24, 172.16.0.0/12, and other special purpose IPs are
> disallowed.
>
>> 3. IDN is allowed, but also in the report
>
> See my note to Rob; I'm fixing that.  I misread RFC 5280 section 7.2.
>
> Thanks,
> Peter
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
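
The check discussed in this thread (scope certificates by EKU, then flag an IPv4 address encoded as a dNSName SAN entry), sketched as an added example. It is not Peter's script: the dict layout, the function names and the sample certificates are constructed for illustration, and the private-range flag is Python's `ipaddress` classification, not the BR definition of a reserved IP.

```python
import ipaddress

SERVER_AUTH = "serverAuth"  # short name for the id-kp-serverAuth EKU


def in_scope(ekus):
    """Scope filter from the thread: serverAuth EKU present, or no EKU at all."""
    return not ekus or SERVER_AUTH in ekus


def parse_ipv4(value):
    """Return an IPv4Address if value is a dotted-quad literal, else None."""
    try:
        return ipaddress.IPv4Address(value)
    except ValueError:
        return None


def lint(cert):
    """Lint one certificate summary (hypothetical dict format).

    Returns a list of (rule, value, is_private) tuples. An IPv4 literal is
    only a finding when it is typed as dNSName; the same address typed as
    iPAddress is accepted.
    """
    if not in_scope(cert.get("eku", [])):
        return []
    findings = []
    for san_type, value in cert.get("san", []):
        addr = parse_ipv4(value) if san_type == "dNSName" else None
        if addr is not None:
            # is_private is an assumption-level stand-in for "special purpose"
            findings.append(("_ipv4_not_allowed_here", value, addr.is_private))
    return findings


# Constructed sample certificates (not taken from the spreadsheet).
SAMPLES = [
    # IP present both as dNSName and iPAddress, the pattern described above
    {"eku": ["serverAuth"],
     "san": [("dNSName", "192.168.1.10"), ("iPAddress", "192.168.1.10")]},
    # client certificate: excluded by the EKU filter, so never linted
    {"eku": ["clientAuth", "emailProtection"], "san": [("dNSName", "10.0.0.1")]},
    # no EKU at all: in scope, and IP-only SAN with the correct type is clean
    {"eku": [], "san": [("iPAddress", "198.51.100.7")]},
    # ordinary hostname
    {"eku": ["serverAuth"], "san": [("dNSName", "www.example.com")]},
]

RESULTS = [lint(c) for c in SAMPLES]
```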
