On Fri, Jul 20, 2018 at 6:39 PM Daymion Reynolds via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> The certificates were identified by analyzing results from both zlint and
> certlint. We also verified all lint findings against current and past BRs.
> We discovered multiple defects with the linters, and submitted pull
> requests to correct them. See below.
>
> CertLint PRs to correct issues:
>
> In Progress, will publish if requested.
>

Yes, I would very much like to have either PRs or just a list of issues.


> | e_dnsname_not_valid_tld, e_subject_common_name_not_from_san, e_dnsname_bad_character_in_label | 4  | *7/5/18 11:48 |
> | e_subject_common_name_not_from_san, e_dnsname_bad_character_in_label                          | 28 | *7/9/18 21:12 |
>
> *Total of 17 certificates issued in 2018 were revoked due to invalid
> extended ASCII characters.  CertLint was not catching these issues, which
> would have prevented issuance. We have since remediated these problems, and
> are adding zLint to our certificate issuance process as a second check.
> Issued in 2018 certificate serial numbers 4329668077199547083,
> 8815069853166416488, 8835430332440327484, 13229652153750393997,
> 12375089233389451640, 11484792606267277228, 11919098489171585007,
> 9486648889515633287, 14583473664717830410, 7612308405142602244,
> 4011153125742917275, 6919066797946454186, 15449193186990222652,
> 14380872970193550115, 1792501994142248245, 12601193235728728125,
> 10465762057746987360
> crt.sh was unavailable when this was crafted else I would provide links
> to the 4 certs which were CT logged.


 https://crt.sh/?id=294808610&opt=zlint,cablint is one of the
certificates.  It is not clear to me that there is an error here.  The DNS
names in the SAN are correctly encoded and the Common Name in the subject
has one of the names found in the SAN.  The Common Name contains a DNS name
that is the U-label form of one of the SAN entries.

It is currently undefined if this is acceptable or unacceptable for
certificates covered by the BRs.  I put a CA/Browser Forum ballot forward a
while ago to try to clarify it was not acceptable, but it did not pass as
several CAs felt it was not only acceptable but is needed and desirable.

If Mozilla (or another browser) puts forward a policy on this, I'm happy to
update certlint to reflect the policy.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
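The two findings discussed in this thread, a Common Name that is the U-label form of an A-label SAN entry, and SAN dNSNames containing non-ASCII ("extended ASCII") characters, can be reproduced with a small stand-alone check. The following is an added example written for this page; it is not code from certlint, zlint or the CA that posted the table. The sample names are constructed, the lint identifiers from the quoted table are reused only as return values, and the accept_ulabel_cn policy switch is an assumption that models the two readings of the BRs that Peter describes (strict: CN must literally appear in the SAN; lenient: a U-label CN whose A-label form appears in the SAN is accepted). U-label to A-label conversion uses Python's built-in idna codec (IDNA2003); real linters use other IDNA tables.

```python
import re

# RFC 1035 / RFC 5280 "LDH" label: letters, digits, hyphen; no leading or
# trailing hyphen; 1..63 characters.  A dNSName in a SAN is an IA5String,
# so it must already be in A-label (ASCII, punycode) form.
LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def dnsname_bad_characters(name):
    """Return [(label, reason), ...] for every bad label in a SAN dNSName.

    A non-ASCII character (e.g. a Latin-1 'é' that was never converted to
    punycode) is the kind of defect the posted table calls
    e_dnsname_bad_character_in_label.  A leading "*" label is allowed
    because wildcard certificates carry it in the SAN.
    """
    problems = []
    for i, label in enumerate(name.rstrip(".").split(".")):
        if i == 0 and label == "*":
            continue
        if not label.isascii():
            problems.append((label, "non-ASCII character; dNSName must be the A-label form"))
        elif not LDH_LABEL.match(label):
            problems.append((label, "empty label, non-LDH character, or leading/trailing hyphen"))
    return problems


def to_alabel(name):
    """Convert a (possibly U-label) host name to its lower-case A-label form.

    Uses the stdlib idna codec (IDNA2003) for illustration.  Already-ASCII
    input is returned unchanged apart from case folding.
    """
    return name.encode("idna").decode("ascii").lower()


def common_name_not_from_san(cn, san_dnsnames, accept_ulabel_cn=False):
    """True when the subject CN does not come from the SAN dNSNames.

    Strict reading (default): the CN must appear in the SAN byte for byte
    (case-insensitively), so a U-label CN beside an A-label SAN is flagged.
    Lenient reading (accept_ulabel_cn=True): the CN is accepted if its
    A-label form appears in the SAN, the position Peter says some CAs take.
    """
    sans = {s.lower() for s in san_dnsnames}
    if cn.lower() in sans:
        return False
    if accept_ulabel_cn:
        try:
            return to_alabel(cn) not in sans
        except UnicodeError:
            # Not convertible to an A-label at all: certainly not from the SAN.
            return True
    return True


def lint_names(cn, san_dnsnames, accept_ulabel_cn=False):
    """Run both checks and return the sorted list of lint identifiers raised.

    The identifiers mirror the ones in the quoted table; this is an
    illustration of their meaning, not either linter's implementation.
    """
    findings = set()
    for san in san_dnsnames:
        if dnsname_bad_characters(san):
            findings.add("e_dnsname_bad_character_in_label")
    if common_name_not_from_san(cn, san_dnsnames, accept_ulabel_cn):
        findings.add("e_subject_common_name_not_from_san")
    return sorted(findings)


if __name__ == "__main__":
    # Constructed samples (assumptions), not the certificates from the thread.
    ulabel_cn = ("bücher.example", ["xn--bcher-kva.example", "www.xn--bcher-kva.example"])
    bad_san = ("café.example", ["café.example"])
    clean = ("xn--bcher-kva.example", ["xn--bcher-kva.example"])
    for cn, sans in (ulabel_cn, bad_san, clean):
        print(cn, "strict:", lint_names(cn, sans), "lenient:", lint_names(cn, sans, True))
```

The first sample is the shape of the crt.sh certificate Peter points to: under the strict reading it raises only e_subject_common_name_not_from_san, and under the lenient reading it is clean, which is exactly the policy gap he describes. The second sample shows that a raw non-ASCII SAN is an encoding error regardless of which CN policy is chosen, since the dNSName itself is not a valid IA5String label.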