> - Microsec will review the CA software looking for possible similar problems
> - deadline 2020-03-31

Microsec has completed a detailed review of the automatic controls built into the CA software. The review covered all SSL/TLS certificate types and focused on the presence of required fields in the Subject DN.

Microsec first created a table with all possible Subject DN fields based on the current version of the CABF BR, EVG, and Microsec CPS documents. The following certification policies are included in the table: DVCP, IVCP, OVCP, EVCP/QWAC, EVCP/PSD2.

Microsec has collected rules for each field and policy combination, which may include:

- mandatory
- forbidden
- optional

For optional fields, Microsec also identified dependencies.

After completing the complete list of requirements, Microsec reviewed the source code for the CA software. As a result of this review, Microsec determined that the scope of automated checks should be expanded for the IVCP profile, but they are complete for all other certificate profiles.

Microsec has created a work item and has already begun to upgrade the CA program with additional controls. There is no specific deadline for completing the development, but Microsec plans to do the development and test the new software version by 2020-04-15.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
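
Added example, not part of the original message and not Microsec's code: a minimal Python sketch of a pre-issuance check driven by a field/policy rule table of the kind described above (mandatory, forbidden, optional, plus dependencies between optional fields). The rule values, the `ANY_OF` dependency groups and the function name `check_subject` are constructed assumptions for illustration, not Microsec's table and not a complete statement of the CABF BR or EVG.

```python
"""Subject DN profile check driven by a per-policy rule table (constructed sample)."""

M, F, O = "mandatory", "forbidden", "optional"

# Constructed sample rules, for illustration only. This is not Microsec's table
# and not a complete statement of the CABF BR/EVG requirements.
RULES = {
    "DVCP": {"commonName": O, "countryName": O, "organizationName": F,
             "givenName": F, "surname": F,
             "localityName": F, "stateOrProvinceName": F},
    "IVCP": {"commonName": O, "countryName": M, "organizationName": F,
             "givenName": M, "surname": M,
             "localityName": O, "stateOrProvinceName": O},
    "OVCP": {"commonName": O, "countryName": M, "organizationName": M,
             "givenName": F, "surname": F,
             "localityName": O, "stateOrProvinceName": O},
}

# Dependencies between optional fields (assumed): at least one field of each
# group must be present for the policy.
ANY_OF = {
    "IVCP": [("localityName", "stateOrProvinceName")],
    "OVCP": [("localityName", "stateOrProvinceName")],
}


def check_subject(policy, subject):
    """Return a sorted list of findings; an empty list means the DN passes."""
    if policy not in RULES:
        return [f"unknown policy {policy}"]  # fail closed on unknown profiles
    rules = RULES[policy]
    present = {name for name, value in subject.items() if value and value.strip()}
    findings = []
    for name in subject:
        if name not in rules:
            findings.append(f"{name}: not in rule table")  # fail closed
        elif name not in present:
            findings.append(f"{name}: empty value")
    for name, rule in rules.items():
        if rule == M and name not in present:
            findings.append(f"{name}: mandatory field missing")
        elif rule == F and name in present:
            findings.append(f"{name}: forbidden field present")
    for group in ANY_OF.get(policy, []):
        if not present.intersection(group):
            findings.append("one of " + "/".join(group) + " required")
    return sorted(findings)
```

Fields that are absent from the rule table are rejected rather than ignored, so a profile with incomplete rules produces findings instead of silently passing.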