On Tue, Mar 31, 2020 at 4:46 PM Sándor dr. Szőke via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> > - Microsec will review the CA software looking for possible similar
> > problems - deadline 2020-03-31
>
> Microsec has completed a detailed review of the automatic controls built into
> the CA software. The review covered all SSL/TLS certificate types and focused
> on the presence of required fields in the Subject DN.
>
> Microsec first created a table with all possible Subject DN fields based on
> the current version of the CABF BR, EVG, and Microsec CPS documents. The
> following certification policies are included in the table: DVCP, IVCP, OVCP,
> EVCP/QWAC, EVCP/PSD2. Microsec has collected rules for each field and policy
> combination, which may include:
> mandatory
> forbidden
> optional

Do you plan to share the analysis? I think saying "We compiled X" isn't nearly as useful to the community as "We analyzed X, here's what we concluded, we're looking for feedback and/or sharing for wider review".

This broadly fits into the picture of https://groups.google.com/d/msg/mozilla.dev.security.policy/oP8XuNXrANw/oIYt70IiAAAJ
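
The field-by-policy rule table described in the quoted message, sketched as an added example (it is not Microsec's table or CA software, and not part of the original thread). The rule values are a constructed, illustrative subset, and `RULES`, `check_subject` and the fail-closed handling of unlisted fields are assumptions.

```python
from enum import Enum

class Rule(Enum):
    MANDATORY = "mandatory"
    FORBIDDEN = "forbidden"
    OPTIONAL = "optional"

M, F, O = Rule.MANDATORY, Rule.FORBIDDEN, Rule.OPTIONAL
POLICIES = ("DVCP", "OVCP", "EVCP")

# Constructed, illustrative subset: not Microsec's table and not a complete
# transcription of the BR/EVG. One row per Subject DN field, one column per policy.
RULES = {
    #                    DVCP OVCP EVCP
    "commonName":       (O, O, O),
    "countryName":      (O, M, M),
    "organizationName": (F, M, M),
    "streetAddress":    (F, O, O),
    "postalCode":       (F, O, O),
    "serialNumber":     (O, O, M),
    "businessCategory": (O, O, M),
}

def check_subject(policy, subject):
    """Return sorted (field, problem) findings for a Subject DN dict; [] means pass."""
    if policy not in POLICIES:
        raise ValueError(f"no rules for policy {policy!r}")
    col = POLICIES.index(policy)
    findings = []
    for field, row in RULES.items():
        has_value = bool(str(subject.get(field, "")).strip())
        if row[col] is Rule.MANDATORY and not has_value:
            # An empty or whitespace-only value does not satisfy "mandatory".
            findings.append((field, "mandatory field missing"))
        elif row[col] is Rule.FORBIDDEN and field in subject:
            # Any occurrence of a forbidden field fails, even with an empty value.
            findings.append((field, "forbidden field present"))
    # Fail closed: a field with no row in the table has no rule, so report it.
    findings += [(name, "field not in rule table")
                 for name in subject if name not in RULES]
    return sorted(findings)
```

Run as a pre-issuance check, a non-empty result blocks signing; the same function can be replayed over already-issued certificates to look for past misissuance.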