Congratulations on finding something not caught by certlint.  It turns
out that cabtlint does zero checks for reserved IPs.  Something else
for my TODO list.

On Sat, Aug 12, 2017 at 6:52 PM, Jonathan Rudenberg via
dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Baseline Requirements section 7.1.4.2.1 prohibits ipAddress SANs from 
> containing IANA reserved IP addresses and any certificates containing them 
> should have been revoked by 2016-10-01.
>
> There are seven unexpired unrevoked certificates that are known to CT and 
> trusted by NSS containing reserved IP addresses.
>
> The full list can be found at: https://misissued.com/batch/7/
>
> DigiCert
>     TI Trust Technologies Global CA (5)
>     Cybertrust Japan Public CA G2 (1)
>
> PROCERT
>     PSCProcert (1)
>
> It’s also worth noting that three of the "TI Trust Technologies" certificates 
> contain dnsNames with internal names, which are prohibited under the same BR 
> section.
>
> Jonathan
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
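
A sketch of the reserved-IP check discussed in this thread, as an added example (it is not code from cabtlint or certlint). The range list is a subset of the IANA special-purpose registries, and the function names and sample SAN values are constructed for illustration.

```ruby
require 'ipaddr'

# Subset of the IANA IPv4/IPv6 special-purpose registries (assumption: a real
# lint would carry the complete registries and keep them current).
RESERVED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.168.0.0/16 198.18.0.0/15
  198.51.100.0/24 203.0.113.0/24 240.0.0.0/4
  ::/128 ::1/128 fc00::/7 fe80::/10 2001:db8::/32
].map { |cidr| [cidr, IPAddr.new(cidr)] }.freeze

# An iPAddress GeneralName carries the address as raw octets:
# 4 bytes for IPv4, 16 for IPv6. Anything else is malformed.
def decode_san_ip(octets)
  return nil unless [4, 16].include?(octets.bytesize)
  IPAddr.new_ntoh(octets.b)
end

# Returns the CIDR string of the reserved range containing ip, or nil.
def reserved_range_for(ip)
  hit = RESERVED_RANGES.find do |_cidr, range|
    range.ipv4? == ip.ipv4? && range.include?(ip)
  end
  hit && hit.first
end

# Lints the iPAddress SAN entries (raw octet strings) of one certificate.
def lint_ip_sans(san_octets)
  san_octets.each_with_object([]) do |octets, findings|
    ip = decode_san_ip(octets)
    if ip.nil?
      findings << "E: iPAddress SAN is #{octets.bytesize} bytes, expected 4 or 16"
    elsif (cidr = reserved_range_for(ip))
      findings << "E: iPAddress SAN #{ip} is in reserved range #{cidr}"
    end
  end
end

# Constructed sample input: 10.0.0.1, 8.8.8.8, a truncated entry, fe80::1.
SAMPLE_SANS = [
  [10, 0, 0, 1].pack('C*'),
  [8, 8, 8, 8].pack('C*'),
  [192, 168, 1].pack('C*'),
  ([0xfe, 0x80] + [0] * 13 + [1]).pack('C*')
].freeze

puts lint_ip_sans(SAMPLE_SANS) if __FILE__ == $0
```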