Good evening,

On Thursday, 18 February 2016 at 22:42:17 UTC+1, Erwann Abalea wrote:
[...]
> > These certificates chain to the 'Certplus Class 2' root and contain a
> > trailing space in one of their dNSName SANs:
> >
> > notBefore in 2016:
> > https://crt.sh/?id=12994171&opt=cablint
> > notBefore in 2015:
> > https://crt.sh/?id=10643272&opt=cablint
> > https://crt.sh/?id=9651778&opt=cablint
>
> Thank you for the information, we will investigate the chain of events that
> led to the production of these certificates.
> On first analysis, it seems it's a human error during a copy/paste operation,
> and a clarification of the procedures is necessary.
>
> The self-audit tool we use for our quarterly self-audits will also be
> extended to detect that kind of defect.

I forgot an update on this case.

First-hand analysis was right, it was cut/paste errors. The rules were repeated to our customer service and to our customers acting as RAs.

Parallel to that, we're currently modifying the configuration of what is exposed to our customers and to the customer service, to check that what is declared as an FQDN is correctly formed (only valid characters plus an optional star as leftmost label, valid total length, valid label lengths).

And the self-audit tool is being modified to detect that kind of defect.
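
The well-formedness check described in this message could look like the following. This is an added example, not the CA's tool or code from the thread; the function names are hypothetical, and the limits of 253 characters per name and 63 per label are the usual DNS values, assumed here because the message does not state them.

```python
import re

# Assumed limits: the message only says "valid total length, valid label
# lengths"; 253 and 63 are the usual DNS presentation-form limits.
MAX_NAME_LEN = 253
MAX_LABEL_LEN = 63
# Letters, digits and hyphen, with no hyphen at either end of a label.
LDH_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")


def dnsname_defects(value):
    """Return the defects found in a declared FQDN; an empty list means well formed."""
    defects = []
    if value != value.strip():
        defects.append("leading or trailing whitespace")
    if len(value) > MAX_NAME_LEN:
        defects.append("name too long")
    labels = value.split(".")
    if labels[0] == "*" and len(labels) > 1:
        labels = labels[1:]  # a star is accepted only as the whole leftmost label
    for label in labels:
        if label == "":
            defects.append("empty label")
        elif len(label) > MAX_LABEL_LEN:
            defects.append("label too long")
        elif not LDH_LABEL.fullmatch(label):
            defects.append("invalid label %r" % label)
    return defects


def audit(names):
    """Self-audit pass: map each malformed name to its defects."""
    return {n: d for n in names if (d := dnsname_defects(n))}


# Constructed sample values, not taken from the certificates cited in the thread.
SAMPLE_SANS = ["www.example.com", "*.example.com", "www.example.com ",
               "www.*.example.com", "shop_1.example.com", "a" * 64 + ".example.com"]

if __name__ == "__main__":
    for name, found in audit(SAMPLE_SANS).items():
        print(repr(name), "->", "; ".join(found))
```

The same function serves both places the message mentions: rejecting a pasted value at the point where an FQDN is declared, and scanning the SANs of already issued certificates during a self-audit.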