Hi, I have been doing some checks on certificates with the AIA Issuers field. I already reported certificates with a 403 error on the HTTP url of the intermediate (see earlier mail).
Now there's more stuff to be found and I'm wondering:

* Are there rules that CAs must adhere to in regards to referencing the intermediate in the AIA field? Does it need to be available? Does it need to be there at all?

* It seems common practice and desired by RFCs to have the intermediate referenced in binary DER format and not PEM encoded. But some certificates do reference PEM encoded intermediates. Is this a violation of any rule and should this be reported as an incident?

* RFC 5280 says certificates should be served as "application/pkix-cert". Is it a violation of any rule if they are not? (application/x-x509-ca-cert is common; no content type and completely bogus content types like text/html also happen.)

-- 
Hanno Böck
https://hboeck.de/

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
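The three checks raised in the post (is the caIssuers URL reachable, is the body DER or PEM, is the Content-Type the one RFC 5280 names) can be scripted with the standard library alone. The code below is an added example written for this thread, not code from the post or from any CA tooling. It assumes nothing beyond what the post states: the sample DER body is a constructed minimal SEQUENCE (not a real certificate, only the outer framing a DER certificate has), the caIssuers URL is a constructed placeholder, and the URL extraction is a deliberate byte-scan heuristic for the id-ad-caIssuers OID rather than a full X.509 parser.

```python
import base64
import re
import urllib.error
import urllib.request

PKIX_CERT = "application/pkix-cert"             # the media type RFC 5280 names
LEGACY_TYPES = {"application/x-x509-ca-cert"}   # widely seen, but not the RFC 5280 type
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
# DER encoding of OID 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers): tag 06, length 08, value bytes
CA_ISSUERS_OID = bytes.fromhex("06082b06010505073002")


def der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after the length bytes)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def looks_like_der_certificate(body):
    """True if body is exactly one DER SEQUENCE, i.e. the outer Certificate frame with no trailing junk."""
    if len(body) < 2 or body[0] != 0x30:
        return False
    try:
        length, start = der_length(body, 1)
    except (ValueError, IndexError):
        return False
    return start + length == len(body)


def ca_issuers_urls(cert_der):
    """Heuristic (assumption, not a full parser): find caIssuers accessLocation URIs by scanning
    for the id-ad-caIssuers OID followed by context tag [6] (uniformResourceIdentifier)."""
    urls, pos = [], 0
    while (i := cert_der.find(CA_ISSUERS_OID, pos)) >= 0:
        j = i + len(CA_ISSUERS_OID)
        if j < len(cert_der) and cert_der[j] == 0x86:
            length, start = der_length(cert_der, j + 1)
            urls.append(cert_der[start:start + length].decode("ascii", "replace"))
        pos = j
    return urls


def assess_ca_issuers_response(status, content_type, body):
    """Return a list of findings for one fetched caIssuers response; an empty list means clean."""
    findings = []
    if status != 200:
        findings.append(f"HTTP status {status}")
    ct = (content_type or "").split(";")[0].strip().lower()
    if ct == "":
        findings.append("no Content-Type header")
    elif ct in LEGACY_TYPES:
        findings.append(f"Content-Type {ct} (RFC 5280 names {PKIX_CERT})")
    elif ct != PKIX_CERT:
        findings.append(f"Content-Type {ct} is not a certificate type")
    if looks_like_der_certificate(body):
        return findings                      # binary DER, as expected
    m = PEM_RE.search(body)
    if not m:
        findings.append("body is neither DER nor PEM")
        return findings
    findings.append("PEM-encoded rather than DER")
    try:
        inner = base64.b64decode(m.group(1))  # whitespace is discarded by default
    except ValueError:
        inner = b""
    if not looks_like_der_certificate(inner):
        findings.append("PEM body does not decode to a DER certificate")
    return findings


def fetch_ca_issuers(url, timeout=10):
    """Fetch a caIssuers URL (network required) and return (status, content_type, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "aia-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type"), resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Content-Type"), e.read()


# Constructed sample data: a minimal DER SEQUENCE standing in for a certificate body,
# its PEM wrapping, and a constructed AIA fragment pointing at a placeholder URL.
SAMPLE_DER = bytes.fromhex("3006020105020107")
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER) + b"-----END CERTIFICATE-----\n"
SAMPLE_URL = "http://example.invalid/ca.der"
SAMPLE_AIA = CA_ISSUERS_OID + b"\x86" + bytes([len(SAMPLE_URL)]) + SAMPLE_URL.encode()

if __name__ == "__main__":
    for url in ca_issuers_urls(SAMPLE_AIA):
        print(url, assess_ca_issuers_response(200, "application/x-x509-ca-cert", SAMPLE_PEM))
```

For a live run, replace the constructed response with `fetch_ca_issuers(url)` for each URL pulled from a real certificate; the findings list maps directly onto the three questions in the post, so a run over a CT-derived certificate set yields a per-CA tally of unreachable, PEM-served and mis-typed intermediates.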