On 21/06/16 15:55, Ben Wilson wrote:
Rob,

Ben, thanks for passing on the details.  My analysis is below...

So far they are -

https://crt.sh/?sha1=e12ba5aeb7613a72cc9652f1673017a5d8fc7479
  - technically constrained warning

https://crt.sh/?sha1=8c6c7a20b48ef3bcb0fcb203008773846611486a
  - technically constrained warning

https://crt.sh/?sha1=69bdbd7760f0fc58021c290c39243351914dadc5
  - technically constrained warning

https://crt.sh/?sha1=107cce8b25af9b6cfabada125967aed4ef5bafe2
  - technically constrained warning

Section 9 of the Inclusion Policy [1] says:
  "For a certificate to be considered technically constrained
   ...
   The subordinate CA certificate MUST also include within
   excludedSubtrees an iPAddress GeneralName of 32 zero octets
   (covering the IPv6 address range of ::0/0)."

These four intermediate certs only exclude the IPv4 address space, so I would say that they don't qualify as "technically constrained". Therefore, they need to be disclosed to Salesforce.

Kathleen, if you agree that Salesforce should not be showing the "technically constrained warning" for these four intermediates, please could you ask your Salesforce consultant to fix it?

https://crt.sh/?sha1=d92b8d4859538692e435ad78dd876b03601eae96
  - PEM too long

https://crt.sh/?sha1=3948a71e4b39768a016fa3b13175e41197f8bf28
  - PEM too long

Kathleen, what's the size limit?  Can it be increased?

And then the ones that aren't trusted, or shouldn't be trusted, were all of
the KBC Group CAs, because the certificate that issued those (SHA-1 Fingerprint
CF:AA:D9:D6:31:4D:33:9F:A6:07:72:EB:61:FA:B5:F8:FD:DC:56:10; SHA-256 Fingerprint
AE:F2:6B:BB:CB:B7:07:06:76:2C:8B:E9:30:C4:1F:91:3D:D0:E2:34:0A:78:9E:8B:33:F1:27:FB:6D:27:92:F0)
was revoked on 1 July 2015.  (I don't know why NSS can't just use the CRLs
that CAs issue.)  I hadn't entered it previously into SalesForce or in OneCRL
because the revocation had happened so long ago, but yesterday I went and did
that.

Revocation of a "parent intermediate" does not exempt "child intermediates" from the disclosure requirement, AFAICT. So I think the KBC Group CAs do need to be disclosed to Salesforce.


[1] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
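The section 9 check applied above (excludedSubtrees must carry both the 8-zero-octet IPv4 iPAddress and the 32-zero-octet IPv6 iPAddress), as an added Python example that is not part of this thread or of crt.sh; the DER helpers and the sample NameConstraints values are constructed here for illustration.

```python
# Added example (not from the thread): does a DER-encoded NameConstraints
# value exclude all of IPv4 (iPAddress of 8 zero octets, 0.0.0.0/0) AND all
# of IPv6 (32 zero octets, ::/0), as Inclusion Policy section 9 requires?
# Minimal DER reader; NameConstraints uses only definite lengths.

def der_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(buf):                     # children of a constructed value
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = der_tlv(buf, pos)
        out.append((tag, val))
    return out

def excluded_ip_subtrees(nc_der):
    """iPAddress (address||mask) values listed under excludedSubtrees."""
    tag, body, _ = der_tlv(nc_der, 0)
    if tag != 0x30:
        raise ValueError("NameConstraints must be a SEQUENCE")
    ips = []
    for ctag, subtrees in der_children(body):
        if ctag != 0xA1:                   # [1] IMPLICIT excludedSubtrees
            continue
        for _, subtree in der_children(subtrees):
            base_tag, base = der_children(subtree)[0]   # base GeneralName
            if base_tag == 0x87:           # [7] IMPLICIT iPAddress
                ips.append(base)
    return ips

def ip_exclusion_status(nc_der):
    ips = excluded_ip_subtrees(nc_der)
    v4, v6 = bytes(8) in ips, bytes(32) in ips
    return {"ipv4_excluded": v4, "ipv6_excluded": v6, "ip_constrained": v4 and v6}

# Constructed sample extension values (all lengths < 128, so short form).
def _der(tag, content):
    return bytes([tag, len(content)]) + content
def _ip_subtree(addr_and_mask):
    return _der(0x30, _der(0x87, addr_and_mask))

PERMITTED_DNS = _der(0xA0, _der(0x30, _der(0x82, b"example.com")))
IPV4_ONLY = _der(0x30, PERMITTED_DNS + _der(0xA1, _ip_subtree(bytes(8))))
IPV4_AND_IPV6 = _der(0x30, PERMITTED_DNS
                     + _der(0xA1, _ip_subtree(bytes(8)) + _ip_subtree(bytes(32))))
```

IPV4_ONLY mirrors the four intermediates discussed above (IPv4 excluded, IPv6 not), while IPV4_AND_IPV6 is what the policy wording requires.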

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy