On 2017-03-09 02:08, Ryan Sleevi wrote:
> It appears that DigiCert has violated the Baseline Requirements, as recently
> notified to the CA/Browser Forum.
>
> The certificate at https://crt.sh/?id=98120546 does not comply with RFC 5280.
> RFC 5280 defines the upper-bound of the commonName field as 64 characters,
> specifically
>
>   ub-common-name INTEGER ::= 64
>
>   -- Naming attributes of type X520CommonName:
>   --   X520CommonName ::= DirectoryName (SIZE (1..ub-common-name))
>   --
>   -- Expanded to avoid parameterized type:
>   X520CommonName ::= CHOICE {
>         teletexString     TeletexString   (SIZE (1..ub-common-name)),
>         printableString   PrintableString (SIZE (1..ub-common-name)),
>         universalString   UniversalString (SIZE (1..ub-common-name)),
>         utf8String        UTF8String      (SIZE (1..ub-common-name)),
>         bmpString         BMPString       (SIZE (1..ub-common-name)) }
>
> The commonName encoded in this certificate is 67 characters
Digicert also has many certificates where the organizationName is too
long. An example: https://crt.sh/?id=100279600. See
https://crt.sh/?x509lint=363 for a list of recent ones.

RFC 5280 has:

  -- Naming attributes of type X520OrganizationName
  id-at-organizationName AttributeType ::= { id-at 10 }

  -- Naming attributes of type X520OrganizationName:
  --   X520OrganizationName ::=
  --          DirectoryName (SIZE (1..ub-organization-name))
  --
  -- Expanded to avoid parameterized type:
  X520OrganizationName ::= CHOICE {
        teletexString     TeletexString
                            (SIZE (1..ub-organization-name)),
        printableString   PrintableString
                            (SIZE (1..ub-organization-name)),
        universalString   UniversalString
                            (SIZE (1..ub-organization-name)),
        utf8String        UTF8String
                            (SIZE (1..ub-organization-name)),
        bmpString         BMPString
                            (SIZE (1..ub-organization-name)) }

  ub-organization-name INTEGER ::= 64

It would be nice if they fixed this. But this is lower on my priority
list than some of the others at https://crt.sh/?cablint=issues.
Kurt
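The check the thread is asking for, as an added example that is not part of this message or of any linter mentioned in it: a small stdlib-only script that decodes a DER-encoded X.509 subject Name and compares each attribute value against the RFC 5280 Appendix A upper bounds (ub-common-name and ub-organization-name are both 64). The DER encoder and the sample Names below are constructed for the demonstration only; a real check would take the Name out of a certificate. Note that the SIZE constraint counts characters, not bytes, so a UTF8String of 64 non-ASCII characters is still within bounds.

```python
"""Check X.509 subject Name attribute lengths against RFC 5280 upper bounds.

Minimal DER encode/decode for a Name (SEQUENCE OF SET OF AttributeTypeAndValue),
written for this example; not a general-purpose ASN.1 library.
"""

# Upper bounds from RFC 5280 Appendix A.1. Values are in characters, not bytes.
UPPER_BOUNDS = {
    "2.5.4.3": ("commonName", 64),               # ub-common-name
    "2.5.4.10": ("organizationName", 64),        # ub-organization-name
    "2.5.4.11": ("organizationalUnitName", 64),  # ub-organizational-unit-name
    "2.5.4.7": ("localityName", 128),            # ub-locality-name
    "2.5.4.8": ("stateOrProvinceName", 128),     # ub-state-name
}

# ASN.1 string tags the DirectoryString CHOICE allows, with a Python codec for each.
STRING_CODECS = {
    0x0C: "utf-8",      # UTF8String
    0x13: "ascii",      # PrintableString
    0x14: "latin-1",    # TeletexString (approximation; T.61 is not exactly Latin-1)
    0x1C: "utf-32-be",  # UniversalString
    0x1E: "utf-16-be",  # BMPString
}


def _der_len(n):
    """DER length: short form below 128, otherwise 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:  # base-128, high bit set on all but the last byte
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def encode_name(attrs):
    """Encode [(oid, value)] as a Name; every value is emitted as UTF8String for simplicity."""
    rdns = b"".join(
        _tlv(0x31, _tlv(0x30, _encode_oid(oid) + _tlv(0x0C, value.encode("utf-8"))))
        for oid, value in attrs
    )
    return _tlv(0x30, rdns)


def _read_tlv(buf, pos):
    """Return (tag, body, position after this element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    parts = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def decode_name(der):
    """Decode a DER Name into [(dotted_oid, text)] in encoded order."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = [], 0
    while pos < len(body):
        _, rdn, pos = _read_tlv(body, pos)           # RelativeDistinguishedName (SET)
        p = 0
        while p < len(rdn):
            _, atv, p = _read_tlv(rdn, p)            # AttributeTypeAndValue (SEQUENCE)
            _, oid_body, q = _read_tlv(atv, 0)
            stag, sbody, _ = _read_tlv(atv, q)
            attrs.append((_decode_oid(oid_body), sbody.decode(STRING_CODECS[stag])))
    return attrs


def check_name(der):
    """Return one message per attribute whose character length exceeds its upper bound."""
    violations = []
    for oid, value in decode_name(der):
        if oid in UPPER_BOUNDS:
            name, ub = UPPER_BOUNDS[oid]
            if len(value) > ub:
                violations.append(f"{name} is {len(value)} characters, upper bound is {ub}")
    return violations


# Constructed sample Names (not taken from any real certificate).
BAD_NAME = encode_name([("2.5.4.6", "US"), ("2.5.4.10", "b" * 70), ("2.5.4.3", "a" * 67)])
OK_NAME = encode_name([("2.5.4.6", "US"), ("2.5.4.10", "Example Org"), ("2.5.4.3", "a" * 64)])
# 64 two-byte characters: 128 bytes on the wire but within the 64-character bound.
UTF8_EDGE_NAME = encode_name([("2.5.4.3", "\u00e9" * 64)])

if __name__ == "__main__":
    for label, der in [("bad", BAD_NAME), ("ok", OK_NAME), ("utf8 edge", UTF8_EDGE_NAME)]:
        print(label, check_name(der) or "no violations")
```

Running the script reports the 70-character organizationName and the 67-character commonName in the first sample and nothing for the other two; the same `check_name` can be pointed at the subject (or issuer) Name bytes pulled out of a certificate's TBSCertificate.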
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy