On Fri, May 22, 2020 at 5:12 AM Kurt Roeckx via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> On Fri, May 22, 2020 at 10:38:34AM +0200, Hanno Böck via > dev-security-policy wrote: > > Just reported this to Chunghwa Telecom Co., Ltd.: > > > > ---------- > > > > I'm contacting you about a problem with the certificate for > > *.hinet.net, as it can be found here [1]. > > > > The Authority Information Access / CA Issuers field points to: > > http://repository.publicca.hinet.net/certs/IssuedToThisCA.p7b > > > > According to RFC 5280 this must be a DER-encoded certificate. See also > > recent discussion on the Mozilla policy list [2]. > > However this does not look like a different certificate encoding (PKCS > > #7 binary). > > > > Please make sure you serve a correct, DER-encoded intermediate via the > > AIA field. > > It does say: > or a > collection of certificates in a BER or DER encoded "certs-only" CMS > message as specified in [RFC2797]. > > And it's currently not clear to me if that PKCS #7 file is such a > file or not. CMS (RFC 2797) is based on PKCS#7. A “certs-only” CMS message will be a valid PKCS#7 message, and similarly, a PKCS#7 message can be a valid “certs-only” CMS message. Provided it is served in binary form, it’s unclear that there is an issue here. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy