Re: Reuse of serial numbers by StartCom

Thu, 01 Sep 2016 07:35:44 -0700 

The ballot on this started today

> On Sep 1, 2016, at 7:21 AM, Kurt Roeckx <k...@roeckx.be> wrote:
> 
>> On 2016-09-01 14:21, Matt Palmer wrote:
>>> On Thu, Sep 01, 2016 at 10:53:36AM +0300, Eddy Nigg wrote:
>>>> On 09/01/2016 04:20 AM, Matt Palmer wrote:
>>>> You were knowingly violating a MUST provision of RFC5280.
>>> 
>>> From experience there have been many RFC violations, sometimes even
>>> knowingly and intentionally by software vendors (browsers), certificate
>>> authorities and even policy writers such as CAB Forum.
>> 
>> "They did it too" is not a persuasive argument coming from my
>> four-year-olds.  It is no more persuasive coming from a Certification
>> Authority.
>> 
>> In the interests of the community being fully informed of StartCom's
>> compliance with the standards which underlie the integrity of the web PKI,
>> I'll ask the question again: what *other* MUST provisions of RFC5280, the
>> CA/B Forum BRs, and other relevant specifications and guidance relevant to
>> the operation of a Certification Authority present in the Mozilla trust
>> store, is StartCom currently not in compliance with?  Have your auditors
>> proactively been made aware of these deficiencies?
> 
> I can actually give an example of that.  If the certificate is 
> individual-validated, they have a givenName, surname, localityName and 
> stateOrProvinceName, but no organizationName.  This is actually a violation 
> of the BR requirements.  The BR requirements says that it should either also 
> have an organizationName, or the localityName and stateOrProvinceName should 
> be removed.  So one option is to replace the givenName and surname by an 
> organizationName.  But I think this is just a case where the BRs are wrong 
> and should get fixed.  There has at least been some discussion about that, 
> but the change still isn't approved.
> 
> 
> Kurt
> 
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to