On 10/08/2017 20:14, Matthew Hardeman wrote:
> Similarly, the cert at https://crt.sh/?id=92235998 has SAN dnsName of 
> ev-valid.identrustssl.com
> 
> It has a normal 2 year validity period.
> 
> Which again sounds like a certificate administratively created to serve as a 
> test point certificate for the root programs.


To me, these two facts indicate that IdenTrust was being extra careful
about security and having a security mechanism that forced setting
pathlen constraints on all manually issued certificates (to prevent
omitting it from SubCA certificates).

This security-improving precaution unfortunately ran against a formal
rule in the BRs, thus forcing this issue.

I would hope that they have at least kept their original precaution for
CA:TRUE certificates.

P.S.

Can anyone point out a real world X.509 framework that gets confused by
a redundant pathlen:0 in a CA:FALSE certificate?  (Merely to assess the
seriousness of the issue, given that the certificate was already
revoked).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
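A lint for the defect discussed in this thread, added here as an example (not code from the original message, from IdenTrust, or from any root program): it parses the DER value of an X.509 basicConstraints extension and flags a pathLenConstraint present alongside cA=FALSE, which RFC 5280 section 4.2.1.9 forbids. The extension byte strings are constructed for the demonstration; the last one has the shape this thread is about.

```python
# Added example for this thread (not code from the original message or from IdenTrust):
# lint the DER value of an X.509 basicConstraints extension (RFC 5280 s4.2.1.9).
# basicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }
from typing import List, Optional, Tuple

RFC5280_RULE = "RFC 5280 4.2.1.9: pathLenConstraint MUST NOT be present unless cA is TRUE"

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value; short-form lengths suffice for basicConstraints."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not expected in basicConstraints")
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos + 2:end], end

def parse_basic_constraints(der: bytes) -> Tuple[bool, Optional[int]]:
    """Return (cA, pathLenConstraint); cA defaults to False when the field is absent."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("basicConstraints must be a single SEQUENCE")
    ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == 0x01:   # optional BOOLEAN cA
        _, val, pos = _read_tlv(body, pos)
        ca = val != b"\x00"
    if pos < len(body) and body[pos] == 0x02:   # optional INTEGER pathLenConstraint
        _, val, pos = _read_tlv(body, pos)
        path_len = int.from_bytes(val, "big", signed=True)
    if pos != len(body):
        raise ValueError("unexpected trailing data in basicConstraints")
    return ca, path_len

def lint_basic_constraints(der: bytes) -> List[str]:
    """Findings for the defect discussed in the thread: pathlen on a CA:FALSE certificate."""
    ca, path_len = parse_basic_constraints(der)
    findings = []
    if not ca and path_len is not None:
        findings.append(f"pathLenConstraint={path_len} present with cA=FALSE; {RFC5280_RULE}")
    return findings

if __name__ == "__main__":
    # Constructed extension values; the last one has the shape discussed in the thread.
    for label, der in [("end-entity, no pathlen", b"\x30\x00"),
                       ("CA:TRUE, pathlen:0", b"\x30\x06\x01\x01\xff\x02\x01\x00"),
                       ("CA:FALSE, pathlen:0", b"\x30\x03\x02\x01\x00")]:
        print(label, "->", lint_basic_constraints(der) or "ok")
```

The parser accepts both the DER-correct encoding (cA absent meaning FALSE) and a BER-style explicit BOOLEAN FALSE, so the lint catches the defect whichever way an issuing system wrote it.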
