Peter Bowen recently created a certlint tool [1] to check certificates for CA/Browser Forum Baseline Requirements compliance. Thanks Peter!
Using this tool we uncovered a number of Let's Encrypt certificates that are not compliant with RFC 5280. There were two issues:

1) Let's Encrypt was not properly disallowing the "-" character at the ends of DNS labels (RFC 1035, page 8 [2], as required by RFC 5280, page 36 [3]).

2) Let's Encrypt was allowing CN (Common Name) fields to contain domain names longer than 64 characters (RFC 5280, page 124 [4]).

Both of these issues [5][6] have been fixed in production.

The following certificates were revoked today, February 29, 2016:

https://crt.sh/?id=12335248
https://crt.sh/?id=12378897
https://crt.sh/?id=12797737
https://crt.sh/?id=12299007
https://crt.sh/?id=12797699
https://crt.sh/?id=12327960
https://crt.sh/?id=12764962
https://crt.sh/?id=11147774
https://crt.sh/?id=11972095
https://crt.sh/?id=13245009
https://crt.sh/?id=11591943
https://crt.sh/?id=12791738
https://crt.sh/?id=12185729
https://crt.sh/?id=11147736
https://crt.sh/?id=12797371
https://crt.sh/?id=13244963
https://crt.sh/?id=13074396
https://crt.sh/?id=11019269
https://crt.sh/?id=13242962
https://crt.sh/?id=12274856
https://crt.sh/?id=12297517
https://crt.sh/?id=12297536

[1] https://github.com/awslabs/certlint
[2] https://tools.ietf.org/html/rfc1035#page-8
[3] https://tools.ietf.org/html/rfc5280#page-36
[4] https://tools.ietf.org/html/rfc5280#page-124
[5] https://github.com/letsencrypt/boulder/pull/1441
[6] https://github.com/letsencrypt/boulder/pull/1483

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
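The two checks the message describes, written out as a small name lint. This is an added example, not code from the message, from certlint or from Boulder: it checks each DNS label of a dNSName against the RFC 1035 preferred name syntax (no "-" at either end of a label, which is the first issue) and checks the subject CN against the RFC 5280 ub-common-name bound of 64 (the second issue). The function names, the constructed sample names, the 253-character textual name limit and the decision to accept a bare "*" as the leftmost label (so that Baseline-Requirements-style wildcard names can be linted) are assumptions of this example, not something the message states.

```python
from __future__ import annotations

import re

# RFC 1035 section 2.3.1 "preferred name syntax": a label begins with a letter,
# may continue with letters, digits and hyphens, and must END with a letter or
# digit. RFC 1123 section 2.1 later allowed a leading digit; the hyphen rule at
# both ends is unchanged. The regex below encodes that reading.
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")

MAX_LABEL_LEN = 63    # RFC 1035: a label is at most 63 octets
MAX_NAME_LEN = 253    # assumption: textual limit derived from the 255-octet wire limit
UB_COMMON_NAME = 64   # RFC 5280 Appendix A: ub-common-name INTEGER ::= 64


def lint_dns_name(name: str, allow_wildcard: bool = True) -> list[str]:
    """Return the list of preferred-name-syntax violations in one dNSName.

    An empty list means the name passed. Every label is checked, so a name
    with several defects reports all of them.
    """
    problems: list[str] = []
    labels = name.split(".")

    # Assumption of this example: a bare "*" as the leftmost label is accepted
    # so wildcard names can be linted; the remaining labels get the full check.
    if allow_wildcard and len(labels) > 1 and labels[0] == "*":
        labels = labels[1:]

    for i, label in enumerate(labels):
        if label == "":
            # Covers leading dot, trailing dot and "..": all yield an empty label.
            problems.append(f"label {i} is empty")
            continue
        if len(label) > MAX_LABEL_LEN:
            problems.append(f"label {label!r} is {len(label)} octets, exceeds {MAX_LABEL_LEN}")
        if label.startswith("-") or label.endswith("-"):
            # The check Let's Encrypt was missing: "-" at either end of a label.
            problems.append(f"label {label!r} begins or ends with '-'")
        elif not LABEL_RE.match(label):
            problems.append(f"label {label!r} contains characters outside [A-Za-z0-9-]")

    if len(name) > MAX_NAME_LEN:
        problems.append(f"name is {len(name)} characters, exceeds {MAX_NAME_LEN}")
    return problems


def lint_common_name(cn: str) -> list[str]:
    """Lint a subject CN that carries a DNS name: length bound plus label syntax."""
    problems: list[str] = []
    if len(cn) > UB_COMMON_NAME:
        # The second issue: a CN longer than ub-common-name (64).
        problems.append(f"CN is {len(cn)} characters, exceeds ub-common-name ({UB_COMMON_NAME})")
    problems.extend(lint_dns_name(cn))
    return problems


def lint_certificate_names(common_name: str, dns_names: list[str]) -> dict[str, list[str]]:
    """Lint one certificate's CN and SAN dNSNames; returns {name: problems} for failures only."""
    report: dict[str, list[str]] = {}
    cn_problems = lint_common_name(common_name)
    if cn_problems:
        report[f"CN={common_name}"] = cn_problems
    for san in dns_names:
        san_problems = lint_dns_name(san)
        if san_problems:
            report[f"dNSName={san}"] = san_problems
    return report


# Constructed sample inputs (not real certificates): one clean name and one
# instance of each defect the message describes.
SAMPLE_CERTS = {
    "clean": ("www.example.com", ["www.example.com", "example.com"]),
    "trailing_hyphen": ("www.example-.com", ["www.example-.com"]),
    "leading_hyphen": ("-www.example.com", ["-www.example.com"]),
    "long_cn": ("a" * 60 + ".example.com", ["a" * 60 + ".example.com"]),  # 72-char CN
}

if __name__ == "__main__":
    for label, (cn, sans) in SAMPLE_CERTS.items():
        print(label, lint_certificate_names(cn, sans) or "OK")
```

Running the block prints "OK" for the clean sample and a per-name list of violations for the other three; the long_cn sample fails only the length check, since its 60-character label is within the 63-octet label limit.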