On Tuesday, May 10, 2016 at 8:30:45 AM UTC-7, Erwann Abalea wrote:
> Hello,
> 
> On Tuesday, May 10, 2016 at 10:10:49 UTC+2, Kurt Roeckx wrote:
> > On 2016-05-10 02:07, Kathleen Wilson wrote:
> > > Thanks to all of you who have reviewed and commented on this request from 
> > > DocuSign to include the following root certificates, turn on the Websites 
> > > and Email trust bits for all of them, and enable EV treatment for all of 
> > > them.
> > > + Certplus Root CA G1 - (SHA512, RSA4096)
> > > + Certplus Root CA G2 - (SHA384, ECC)
> > > + OpenTrust Root CA G1 - (SHA256, RSA4096)
> > > + OpenTrust Root CA G2 - (SHA512, RSA4096)
> > > + OpenTrust Root CA G3 - (SHA384, ECC)
> > 
> > I'm only finding 1 certificate during the last week, and it has a 
> > problem with the encoding:
> > https://crt.sh/?id=18733629&opt=x509lint
> > 
> > It's using a PrintableString with "Hautes-Pyrénées" in it, which is 
> > clearly wrong.  A PrintableString has a very limited amount of valid 
> > characters.  All their strings are PrintableStrings.  They should 
> > probably switch most of those to UTF8String.
> 
> It's clearly wrong, yes, and we're checking and changing legacy 
> configuration files to UTF8String (except specific attributes such 
> as countryName or domainComponent). This will be done before 30/06/2016.


Kurt, thank you for checking.

As Nick pointed out, DocuSign did notify us that they have this problem and 
intend to resolve this by June 30, 2016.
Reference: https://wiki.mozilla.org/index.html#March_2016_Responses

I propose that we move forward with the inclusion process in parallel, since 
the inclusion process takes longer than that, so we will be able to confirm the 
change before the new roots are included in a release version of Firefox. There 
will be two action items that I will need to track for the CA:
1) Update CPS
2) Update cert issuance process to prevent use of PrintableString, and enforce 
use of UTF8String instead.

Thanks,
Kathleen






_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
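
Added example, not part of the thread and not x509lint's code: a Python check that walks a DER structure and flags PrintableString values containing bytes outside the permitted character set, the encoding problem discussed above. The sample Name is constructed for illustration and assumes the accented characters were written as UTF-8 bytes; the helper names are hypothetical.

```python
import string

# Characters permitted in an ASN.1 PrintableString (X.680): letters, digits,
# space and ' ( ) + , - . / : = ?
PRINTABLE = set((string.ascii_letters + string.digits + " '()+,-./:=?").encode())
TAG_UTF8STRING, TAG_PRINTABLESTRING = 0x0C, 0x13

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long form: low 7 bits = count of length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def lint_printable_strings(der):
    """Return [(value, offending_bytes)] for every invalid PrintableString found."""
    findings, pos = [], 0
    while pos < len(der):
        tag, value, pos = read_tlv(der, pos)
        if tag & 0x20:                     # constructed (SEQUENCE, SET, [n]): descend
            findings += lint_printable_strings(value)
        elif tag == TAG_PRINTABLESTRING:
            bad = sorted(set(value) - PRINTABLE)
            if bad:
                findings.append((value, bytes(bad)))
    return findings

def tlv(tag, content):
    """Encode one short-form TLV; enough for the constructed sample below."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def rdn(oid, string_tag, raw):
    """SET { SEQUENCE { OID, string } } as used inside an X.509 Name."""
    return tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(string_tag, raw)))

# Constructed sample Names: C=FR plus a stateOrProvinceName with accents.
C, ST = b"\x55\x04\x06", b"\x55\x04\x08"   # OIDs 2.5.4.6 and 2.5.4.8
REGION = "Hautes-Pyrénées".encode("utf-8")
NAME_BAD = tlv(0x30, rdn(C, TAG_PRINTABLESTRING, b"FR") + rdn(ST, TAG_PRINTABLESTRING, REGION))
NAME_FIXED = tlv(0x30, rdn(C, TAG_PRINTABLESTRING, b"FR") + rdn(ST, TAG_UTF8STRING, REGION))

if __name__ == "__main__":
    for value, bad in lint_printable_strings(NAME_BAD):
        print("invalid PrintableString:", value, "offending bytes:", bad.hex())
```

The walker does not descend into OCTET STRING or BIT STRING contents, so it covers names in the certificate body but not values wrapped inside extensions.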
