FWIW - In the case of Telecom Italia, they have a commercial CA product that has a bug in it that occasionally causes this issue. They may need some time for the software to be fixed/replaced.
-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+ben=digicert....@lists.mozilla.org] On Behalf Of Matthew Hardeman via dev-security-policy
Sent: Monday, August 7, 2017 9:52 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Certificates with invalidly long serial numbers

It is what it is, I'm sure, but that definition in RFC5280 is rather tortured and leads to ambiguity as to whether or not the leading 0x00 is. In fact, I would say that it is not part of the integer value but rather an explicit sign flag required by the encoding mechanism.

Wouldn't it have been easier just to say that despite what the ASN.1 INTEGER type says, serial number shall be regarded as an explicitly unsigned integer of up to 20 bytes length, to be represented as a positive integral value?

Pragmatically, does anything known break on the extra byte there?

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
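The encoding detail discussed in this thread, as an added example that is not part of any message above: a serial number whose 20-octet value has its top bit set is DER-encoded with a leading 0x00, so the INTEGER carries 21 content octets. The function names and both sample serials are constructed for illustration; the checker reports both counts and does not decide which one the 20-octet limit applies to.

```python
# Added example: names and sample values are constructed, not from the thread.

def der_encode_serial(value: int) -> bytes:
    """DER-encode a positive INTEGER (tag 0x02) with minimal content octets."""
    if value <= 0:
        raise ValueError("serial numbers must be positive")
    # Two's complement needs one bit more than the magnitude for the sign.
    length = (value.bit_length() + 8) // 8
    if length > 127:
        raise ValueError("short-form length only")
    return bytes([0x02, length]) + value.to_bytes(length, "big", signed=True)


def inspect_serial(der: bytes) -> dict:
    """Parse a short-form DER INTEGER and report the lengths under debate."""
    if len(der) < 3 or der[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    if der[1] & 0x80:
        raise ValueError("long-form length not expected for a serial number")
    content = der[2:]
    if len(content) != der[1]:
        raise ValueError("length octet does not match content")
    # DER forbids a redundant leading 0x00 or 0xFF octet.
    minimal = not (len(content) > 1 and (
        (content[0] == 0x00 and content[1] < 0x80) or
        (content[0] == 0xFF and content[1] >= 0x80)))
    # A leading 0x00 in front of an octet with the top bit set is the sign pad.
    sign_pad = len(content) > 1 and content[0] == 0x00 and content[1] >= 0x80
    value = int.from_bytes(content, "big", signed=True)
    return {
        "value": value,
        "positive": value > 0,
        "minimal": minimal,
        "sign_pad": sign_pad,
        "content_octets": len(content),                 # what is on the wire
        "magnitude_octets": len(content) - int(sign_pad),  # unsigned value size
    }


# Constructed 160-bit serials: top bit set vs. top bit clear.
HIGH_BIT_SERIAL = (0x80 << 152) | 1
LOW_BIT_SERIAL = (0x7F << 152) | 1

if __name__ == "__main__":
    for serial in (HIGH_BIT_SERIAL, LOW_BIT_SERIAL):
        info = inspect_serial(der_encode_serial(serial))
        print(info["content_octets"], info["magnitude_octets"], info["sign_pad"])
```

A linter that compares `content_octets` against 20 flags the first serial, while one that compares `magnitude_octets` accepts it.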