On Tuesday, 31 January 2017 09:27:30 CET Peter Bowen wrote:
> On Tue, Jan 31, 2017 at 5:50 AM, Hubert Kario <hka...@redhat.com> wrote:
> > On Monday, 30 January 2017 23:48:51 CET Peter Bowen wrote:
> >> See notes inline about known cities with numbers in their name.
> >>
> >> On Mon, Jan 30, 2017 at 10:39 AM, Peter Bowen <pzbo...@gmail.com> wrote:
> >> > While it is very hard to validate the subject content of certificates
> >> > outside of DNS names, there are a number of heuristics that may be
> >> > useful to trigger a deeper check to ensure that the data is accurate.
> >> >
> >> > A couple of these that I've found useful are:
> >> >
> >> > 1) If stateOrProvince or Locality type attributes contain a Number,
> >> > this is a red flag. I've yet to find any verified legitimate case
> >> > where this is correct
> >>
> >> Of course I hit send and then find at least one valid case of a number:
> >>
> >> In Egypt (EG) there is a city called "6th of October".
> >>
> >> In the Czech Republic (CZ), ISO lists some subdivisions as having
> >> numbers (https://www.iso.org/obp/ui/#iso:code:3166:CZ). Wikipedia
> >> seems to suggest that these might not be current
> >> (https://en.wikipedia.org/wiki/Regions_of_the_Czech_Republic), but I
> >> think it should be considered reasonable for a CA to rely upon ISO
> >> 3166.
> >
> > No, they still exist:
> > https://en.wikipedia.org/wiki/Prague_1
> > http://www.praha1.cz/cps/index.html
> > (note the address at the bottom of the page)
>
> Is the number part of the name of the stateOrProvince or is it a
> postalCode? I know in Dublin there were numbered "postal districts"
> prior to the implementation of Eircode, but the city and county are
> both "Dublin" not "Dublin 8" or such.

it is used as the name of city, so the following:

Úřad městské části Praha 1 | Vodičkova 18, 115 68 Praha 1

is parsed as:

Company: Úřad městské části Praha 1
Street: Vodičkova
Building no: 18
Postal Code: 115 68
City: Praha 1
(implied) Country: Czech Republic

> > Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
>
> Am I parsing this correctly as follows?
>
> Company: Red Hat Czech s.r.o.
> Street Address: Purkyňova 99/71
> Postal Code: 612 45
> City: Brno
> Country: Czech Republic

yes

> Does this imply that addresses in the Czech Republic do not use a
> state or province?

yes, it's not used for postal addresses or legal documents, but if there's a
field in form for it, it likely would be filled, so it being present in an X509
cert would not be surprising...

that being said, for "Praha 1", the stateOrProvince would be "Praha" or
"Hlavní město Praha"

Speaking of uncommon locality names, in Budapest the districts use Roman
numerals for names:
https://en.wikipedia.org/wiki/Budapest#Districts

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
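
Added example, not part of the original thread or written by its participants: the "number in stateOrProvince or Locality" heuristic as a review trigger, with the Egyptian and Czech exceptions from the thread as a per-country allowlist. The function name, the allowlist patterns and the sample subjects are assumptions constructed for illustration.

```python
import re

# Exceptions named in the thread, keyed by countryName. The patterns are
# assumptions for this example, not an authoritative list.
ALLOWED = {
    "EG": [re.compile(r"6th of October(\s+City)?", re.IGNORECASE)],
    "CZ": [re.compile(r"Praha\s+\d{1,2}", re.IGNORECASE)],
}
CHECKED = ("ST", "L")  # stateOrProvinceName, localityName


def needs_review(subject):
    """Return [(attr, value)] for ST/L values that contain a digit and do not
    fully match a known exception for the subject's country."""
    country = subject.get("C", "").upper()
    flagged = []
    for attr in CHECKED:
        value = subject.get(attr)
        if not value or not any(ch.isdigit() for ch in value):
            continue
        if any(p.fullmatch(value.strip()) for p in ALLOWED.get(country, [])):
            continue
        flagged.append((attr, value))
    return flagged


# Constructed sample subjects (not taken from real certificates).
SAMPLES = [
    {"C": "CZ", "ST": "Hlavní město Praha", "L": "Praha 1"},
    {"C": "EG", "L": "6th of October"},
    {"C": "HU", "L": "Budapest XIII"},  # Roman numeral: no digit, not flagged
    {"C": "US", "ST": "CA 94043", "L": "Mountain View"},  # postal code in ST
    {"C": "IE", "L": "Dublin 8"},  # postal district used as locality
    {"C": "US", "L": "Praha 1"},  # the exception applies per country only
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", needs_review(s) or "ok")
```

A flagged value is a prompt for the deeper check described in the thread, not a rejection; Roman-numeral district names pass the digit test untouched.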