Hi,

While doing some analysis on the AIA CA Issuer field, I checked the content types the certificates are served with. These are the AIA issuer fields in the top 10000 from the Alexa list, so this is incomplete.

According to the RFCs, application/pkix-cert is the only correct content-type. However, the majority serve application/x-x509-ca-cert. According to this [1] documentation, this is an old Netscape thing and doesn't seem to be part of any standard.

Several certificates have MIME types that look plain wrong.

text/html:
http://swisssign.net/cgi-bin/authority/download/E7F1E7FD2E53AD11E5811A57A4738F127D98C8AE
http://swisssign.net/cgi-bin/authority/download/EEFD46CAF7275E91BC5AB6E787CD0AFA550A2642
http://certificates.godaddy.com/repository/gdig2.crt.der

application/octet-stream:
http://www.microsoft.com/pki/mscorp/Microsoft%20IT%20TLS%20CA%201.crt
http://www.microsoft.com/pki/mscorp/Microsoft%20IT%20TLS%20CA%202.crt
http://www.microsoft.com/pki/mscorp/Microsoft%20IT%20TLS%20CA%204.crt
http://www.microsoft.com/pki/mscorp/Microsoft%20IT%20TLS%20CA%205.crt

Some have no content-type:
http://certificates.godaddy.com/repository/gdig2.crt
http://certificates.starfieldtech.com/repository/sfig2.crt
http://www.camerfirma.com/certs/camerfirma_cserverii-2015.crt
http://www.izenpe.com/contenidos/informacion/cas_izenpe/es_cas/adjuntos/SSLEV_cert_sha256.crt
http://www.izenpe.eus/contenidos/informacion/cas_izenpe/es_cas/adjuntos/AAPPNR_cert_sha256.crt

One more case looks like it's not a certificate at all; I'll check that individually and will come back with a report later.

I'm not going to file individual reports for the CAs. Based on previous threads, I don't believe these are strictly speaking rule violations. However, I still recommend that CAs reading this check their own intermediates and make sure they are served as application/pkix-cert.

[1] https://pki-tutorial.readthedocs.io/en/latest/mime.html

--
Hanno Böck
https://hboeck.de/

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
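The check the post describes, as an added example that is not part of the original message: classify the Content-Type header an AIA caIssuers URL is served with (RFC 2585 type, legacy Netscape type, wrong, or missing) and sniff the body to catch the "not a certificate at all" case. The `fetch` helper and the sample responses are assumptions constructed for illustration; the audit itself runs offline on pre-fetched data.

```python
"""Audit the Content-Type that AIA caIssuers URLs are served with.

Added example, not from the original post. Fetching uses urllib; the
audit works on (url, content_type, body) triples so it runs offline.
"""
import urllib.request

CORRECT = "application/pkix-cert"        # RFC 2585 type for DER certificates
LEGACY = "application/x-x509-ca-cert"    # old Netscape type, not standardised
PEM_MAGIC = b"-----BEGIN CERTIFICATE-----"


def classify_content_type(header):
    """Map a raw Content-Type header value to ok / legacy / wrong / missing."""
    if header is None or not header.strip():
        return "missing"
    media_type = header.split(";", 1)[0].strip().lower()  # drop parameters
    if media_type == CORRECT:
        return "ok"
    if media_type == LEGACY:
        return "legacy"
    return "wrong"


def sniff_body(body):
    """Guess from the first bytes what the response body actually is."""
    if body.startswith(PEM_MAGIC):
        return "pem"
    # DER certificate: SEQUENCE (0x30) with a two-byte long-form length
    # (0x82), which covers the 256..65535 byte range real certificates use.
    if len(body) > 4 and body[0] == 0x30 and body[1] == 0x82:
        if int.from_bytes(body[2:4], "big") + 4 == len(body):
            return "der"
    return "not-a-certificate"


def fetch(url, timeout=10):
    """Fetch one AIA URL; returns (Content-Type header or None, body)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.headers.get("Content-Type"), resp.read()


def audit(results):
    """Group (url, content_type, body) triples by (header, body) verdict."""
    report = {}
    for url, ctype, body in results:
        key = (classify_content_type(ctype), sniff_body(body))
        report.setdefault(key, []).append(url)
    return report


if __name__ == "__main__":
    # Constructed sample responses (not real CA data): a 256-byte fake DER body.
    fake_der = b"\x30\x82\x01\x00" + b"\x00" * 256
    sample = [("http://ca.example/ok.crt", "application/pkix-cert", fake_der),
              ("http://ca.example/html.crt", "text/html", fake_der),
              ("http://ca.example/none.crt", None, b"<html>not found</html>")]
    for verdict, urls in audit(sample).items():
        print(verdict, urls)
```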