Thanks, Mr Erwann Abalea, for bringing this to our (my) attention.

As the A-trust EV audit report does not include any CA in scope and only states 
"for its Certification Authority (CA) operations at Vienna"... should we 
consider that this audit includes all roots and subordinates?

I cannot find any EV certificate issued by a-sign-SSL-EV-05 during the audit 
period, but I am afraid this is a common practice, because all certificates 
contain the same businessCategory text and because I found EV certificates 
issued by "a-sign-SSL-EV-03" from another A-trust hierarchy (sorry for including 
another A-trust hierarchy in this public discussion, but it is just to 
illustrate my comment) that also include the same businessCategory text and 
were issued during the audit period.

Examples:
https://www.a-trust.at/DesktopModules/LdapSuche/Download.aspx?type=downloadCert&cert=1468071
https://www.a-trust.at/DesktopModules/LdapSuche/Download.aspx?type=downloadCert&cert=1352665

As I commented in my last post, the permitted text in businessCategory changed 
in EV Guidelines 1.3 (2010). 
How could the auditors not detect this basic issue? And A-trust, why did your 
internal procedures fail to align the EV profile for 5 years?

Best 
J


On Tuesday, 9 February 2016, 13:24:29 (UTC+1), Erwann Abalea wrote:
> Hello,
> 
> On Tuesday 9 February 2016 10:47:16 UTC+1, Jesus F wrote:
> > Dear all, 
> > 
> > As A-Trust requests EV treatment, I checked the EV certificates issued from 
> > the a-sign-SSL-EV-05 subordinate in crt.sh 
> > (https://crt.sh/?Identity=%25&iCAID=6096)
> > 
> > ALL of them state in businessCategory the following text: "V1.0, Clause 
> > 5.(X)". This text is similar to what is permitted by EV guidelines version 
> > 1.2 and prior, although "X" should have been "b", "c", "d" or "e" depending 
> > upon whether the Subject qualifies in the permitted categories. This text 
> > has not been permitted since EV guidelines version 1.3, published in 2010. 
> > 
> > As the EV audit conducted by E&Y states A-trust is in compliance with 
> > "WebTrust Principles and Criteria for Certification Authorities - Extended 
> > Validation SSL - Version 1.4.5" that is based on CA/Browser Forum 
> > Guidelines for the Issuance and Management of Extended Validation SSL 
> > Certificates - Version 1.4.5 and it's obvious that the auditor failed to 
> > detect this very basic issue, can we, the Mozilla Community, be reasonably 
> > assured of any of the auditor's necessary checks?
> > 
> > In addition there are several more issues in these certificates:
> > 
> > - rfc822Name in SAN (https://crt.sh/?id=8889537&opt=cablint, 
> > https://crt.sh/?id=8889537&opt=cablint)
> > - FATAL: ASN.1 Error in EmailAddress 
> > (https://crt.sh/?id=12491213&opt=cablint, 
> > https://crt.sh/?id=9410992&opt=cablint)
> > - This cert has the following errors: Cert without subject alternative 
> > names extension, Cert of 1024 bits (https://crt.sh/?id=8935972&opt=cablint)
> 
> Without saying that the audit was perfect, all the evidence presented 
> here was produced after the audit was performed.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
