See notes inline about known cities with numbers in their name.

On Mon, Jan 30, 2017 at 10:39 AM, Peter Bowen <pzbo...@gmail.com> wrote:
> While it is very hard to validate the subject content of certificates
> outside of DNS names, there are a number of heuristics that may be
> useful to trigger a deeper check to ensure that the data is accurate.
>
> A couple of these that I've found useful are:
>
> 1) If stateOrProvince or Locality type attributes contain a Number,
> this is a red flag. I've yet to find any verified legitimate case
> where this is correct

Of course I hit send and then find at least one valid case of a number:
In Egypt (EG) there is a city called "6th of October". In the Czech
Republic (CZ), ISO lists some subdivisions as having numbers
(https://www.iso.org/obp/ui/#iso:code:3166:CZ). Wikipedia seems to
suggest that these might not be current
(https://en.wikipedia.org/wiki/Regions_of_the_Czech_Republic), but I
think it should be considered reasonable for a CA to rely upon ISO 3166.

> 2) If any attribute, other than those of type postalCode or
> organizationalUnit, contains only a single character, this is also a red
> flag. There could be valid cases, but they appear to be rare based on
> public data.
>
> I'm not adding these to cablint, as they are heuristics and there may
> be valid cases, but it is something all CAs should consider checking.
>
> Thanks,
> Peter

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
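The two heuristics from the message above, written out as a small pre-issuance lint. This is an added example, not cablint and not Peter's code. It assumes the subject is available in RFC 4514 string form (the shape `openssl x509 -subject -nameopt RFC2253` prints), and its allowlist of legitimately numeric place names holds only the Egypt example from the thread; a real deployment would populate it from ISO 3166-2, as the message suggests.

```python
"""Heuristic lint for X.509 subject attributes (added example, not cablint).

Heuristic 1: a digit in stateOrProvinceName or localityName is a red flag,
             unless the value is a known place name for that country.
Heuristic 2: a single-character value in any attribute other than
             postalCode or organizationalUnitName is a red flag.
"""
import re

# Map RFC 4514 / OpenSSL attribute labels onto canonical names (case-insensitive).
CANONICAL = {
    "c": "countryName", "st": "stateOrProvinceName", "l": "localityName",
    "o": "organizationName", "ou": "organizationalUnitName",
    "cn": "commonName", "postalcode": "postalCode",
    "stateorprovincename": "stateOrProvinceName", "localityname": "localityName",
}
PLACE_TYPES = {"stateOrProvinceName", "localityName"}       # heuristic 1 applies here
SINGLE_CHAR_OK = {"postalCode", "organizationalUnitName"}   # heuristic 2 exempts these

# Constructed allowlist keyed by countryName: place names that really contain digits.
# Only the city named in the thread is hard-coded; ISO 3166-2 data would be loaded here.
KNOWN_NUMERIC_PLACES = {
    "EG": {"6th of october"},
}


def parse_dn(dn):
    """Split an RFC 4514 string DN into (type, value) pairs.

    Handles backslash escapes in both the '\\,' and the hex '\\2C' form;
    '+'-separated multi-valued RDNs are flattened into separate pairs.
    """
    fragments, buf, i = [], bytearray(), 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            hex_pair = dn[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", hex_pair):
                buf.append(int(hex_pair, 16))        # one raw UTF-8 byte
                i += 3
            else:
                buf += dn[i + 1].encode("utf-8")     # escaped special character
                i += 2
            continue
        if ch in ",+":
            fragments.append(bytes(buf).decode("utf-8"))
            buf = bytearray()
        else:
            buf += ch.encode("utf-8")
        i += 1
    fragments.append(bytes(buf).decode("utf-8"))

    result = []
    for rdn in fragments:
        if "=" not in rdn:
            continue  # empty fragment; a strict parser would reject the DN instead
        attr_type, _, value = rdn.partition("=")
        attr_type = attr_type.strip()
        result.append((CANONICAL.get(attr_type.lower(), attr_type), value.strip()))
    return result


def lint_subject(dn):
    """Return human-readable findings for the two heuristics (empty list = clean)."""
    attrs = parse_dn(dn)
    country = next((v.upper() for t, v in attrs if t == "countryName"), "")
    allowed = KNOWN_NUMERIC_PLACES.get(country, set())
    findings = []
    for attr_type, value in attrs:
        if (attr_type in PLACE_TYPES and re.search(r"\d", value)
                and value.casefold() not in allowed):
            findings.append(f"{attr_type}={value!r} contains a digit")
        if len(value) == 1 and attr_type not in SINGLE_CHAR_OK:
            findings.append(f"{attr_type}={value!r} is a single character")
    return findings


if __name__ == "__main__":
    # Constructed sample subjects, not taken from any real certificate.
    for subject in [
        "C=US, ST=California, L=Mountain View, O=Example Corp, CN=example.com",
        "C=EG, ST=Giza, L=6th of October, O=Example, CN=example.eg",
        "C=US, ST=CA 94043, L=X, O=Example, CN=example.com",
        "C=GB, postalCode=W, OU=A, O=Example Ltd, CN=example.co.uk",
    ]:
        print(subject, "->", lint_subject(subject) or "ok")
```

Both findings are hints to route the request to a human vetter, matching the message's point that these are triggers for a deeper check rather than hard rejections; the allowlist is what keeps the Egypt case from producing a false positive.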