Re: Non-DER certificate (PKCS #7) in CA Issuers AIA field
On Fri, May 22, 2020 at 5:12 AM Kurt Roeckx via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On Fri, May 22, 2020 at 10:38:34AM +0200, Hanno Böck via dev-security-policy wrote:
> > Just reported this to Chunghwa Telecom Co., Ltd.:
> >
> > --
> >
> > I'm contacting you about a problem with the certificate for
> > *.hinet.net, as it can be found here [1].
> >
> > The Authority Information Access / CA Issuers field points to:
> > http://repository.publicca.hinet.net/certs/IssuedToThisCA.p7b
> >
> > According to RFC 5280 this must be a DER-encoded certificate. See also
> > recent discussion on the Mozilla policy list [2].
> > However this does not look like a different certificate encoding (PKCS
> > #7 binary).
> >
> > Please make sure you serve a correct, DER-encoded intermediate via the
> > AIA field.
>
> It does say:
>
> or a
> collection of certificates in a BER or DER encoded "certs-only" CMS
> message as specified in [RFC2797].
>
> And it's currently not clear to me if that PKCS #7 file is such a
> file or not.

CMS (RFC 2797) is based on PKCS#7. A "certs-only" CMS message will be a valid PKCS#7 message, and similarly, a PKCS#7 message can be a valid "certs-only" CMS message. Provided it is served in binary form, it's unclear that there is an issue here.

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: Non-DER certificate (PKCS #7) in CA Issuers AIA field
On Fri, May 22, 2020 at 10:38:34AM +0200, Hanno Böck via dev-security-policy wrote:
> Just reported this to Chunghwa Telecom Co., Ltd.:
>
> --
>
> I'm contacting you about a problem with the certificate for
> *.hinet.net, as it can be found here [1].
>
> The Authority Information Access / CA Issuers field points to:
> http://repository.publicca.hinet.net/certs/IssuedToThisCA.p7b
>
> According to RFC 5280 this must be a DER-encoded certificate. See also
> recent discussion on the Mozilla policy list [2].
> However this does not look like a different certificate encoding (PKCS
> #7 binary).
>
> Please make sure you serve a correct, DER-encoded intermediate via the
> AIA field.

It does say:

or a
collection of certificates in a BER or DER encoded "certs-only" CMS
message as specified in [RFC2797].

And it's currently not clear to me if that PKCS #7 file is such a
file or not.

Kurt
Non-DER certificate (PKCS #7) in CA Issuers AIA field
Just reported this to Chunghwa Telecom Co., Ltd.:

--

I'm contacting you about a problem with the certificate for
*.hinet.net, as it can be found here [1].

The Authority Information Access / CA Issuers field points to:
http://repository.publicca.hinet.net/certs/IssuedToThisCA.p7b

According to RFC 5280 this must be a DER-encoded certificate. See also
recent discussion on the Mozilla policy list [2].
However this does not look like a different certificate encoding (PKCS
#7 binary).

Please make sure you serve a correct, DER-encoded intermediate via the
AIA field.

[1] https://crt.sh/?id=206075223
[2] https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/g09ZgCRPVe0

--
Hanno Böck
https://hboeck.de/
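The open question in this thread is whether the .p7b file behind the CA Issuers URL is one of the forms RFC 5280 section 4.2.2.1 allows (a single DER certificate, or a BER- or DER-encoded "certs-only" CMS SignedData per RFC 2797) and whether it is served in binary rather than PEM. The following is an added example, not code from the thread or from any of its participants: a standard-library-only Python inspector that answers exactly that for a downloaded blob. It contains its own small BER/DER reader so that indefinite-length (BER-only) encodings are both parsed and flagged, walks ContentInfo into SignedData, checks the certs-only shape (id-data content type, empty digestAlgorithms and signerInfos, a non-empty certificates set), and returns the embedded certificates. The sample inputs it builds are constructed placeholders with the right ASN.1 outline, not real certificates and not the hinet.net file; the helper names (`read_tlv`, `inspect_ca_issuers`, `build_certs_only`, `placeholder_certificate`) are this example's own.

```python
# Added example (not code from the thread): stdlib-only inspector for what an AIA
# "CA Issuers" URL serves. Sample inputs below are constructed placeholders.
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2, contents octets
OID_DATA = bytes.fromhex("2a864886f70d010701")          # 1.2.840.113549.1.7.1

def read_tlv(buf, pos):
    """One element at pos -> (tag, contents, end, used_indefinite). Handles definite
    lengths and BER's indefinite form (0x80 ... 00 00); the flag says whether this or
    any nested element was indefinite, i.e. the blob is BER but not DER."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported")
    constructed = bool(tag & 0x20)
    first, pos = buf[pos + 1], pos + 2
    if first == 0x80:                                  # indefinite length
        if not constructed:
            raise ValueError("indefinite length on a primitive element")
        start = pos
        while buf[pos:pos + 2] != b"\x00\x00":
            if pos + 1 >= len(buf):
                raise ValueError("missing end-of-contents octets")
            _, _, pos, _ = read_tlv(buf, pos)
        return tag, buf[start:pos], pos + 2, True
    if first < 0x80:
        length = first
    else:                                              # long form: 0x8n then n length octets
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated element")
    nested = False
    if constructed:                                    # walk children: BER can hide inside DER
        p = pos
        while p < end:
            _, _, p, child = read_tlv(buf, p)
            nested |= child
        if p != end:
            raise ValueError("child element overruns its parent")
    return tag, buf[pos:end], end, nested

def inspect_ca_issuers(blob):
    """Classify a caIssuers download -> (kind, encoding, certs_only, certs)."""
    if blob.lstrip().startswith(b"-----BEGIN"):
        return ("pem", "text", False, [])             # RFC 5280 wants binary, not PEM
    tag, body, end, indefinite = read_tlv(blob, 0)
    enc = "BER" if indefinite else "DER"
    if tag != 0x30 or end != len(blob):
        return ("unknown", enc, False, [])
    t0, v0, pos, _ = read_tlv(body, 0)
    if t0 == 0x30:                                     # Certificate opens with tbsCertificate SEQUENCE
        return ("certificate", enc, False, [blob])
    if t0 != 0x06 or v0 != OID_SIGNED_DATA:            # ContentInfo opens with contentType OID
        return ("unknown", enc, False, [])
    ctx_tag, ctx_val, _, _ = read_tlv(body, pos)      # content [0] EXPLICIT SignedData
    sd_tag, sd, _, _ = read_tlv(ctx_val, 0)
    if ctx_tag != 0xA0 or sd_tag != 0x30:
        raise ValueError("malformed ContentInfo")
    fields, p = [], 0
    while p < len(sd):
        t, v, p, _ = read_tlv(sd, p)
        fields.append((t, v))
    # version, digestAlgorithms SET, encapContentInfo SEQ, [certificates [0]], [crls [1]], signerInfos SET
    if len(fields) < 4 or [t for t, _ in fields[:3]] != [0x02, 0x31, 0x30] or fields[-1][0] != 0x31:
        raise ValueError("malformed SignedData")
    certs = []
    for t, v in fields[3:-1]:
        q = 0
        while t == 0xA0 and q < len(v):                # certificates [0] IMPLICIT SET OF CertificateChoices
            ct, _, q2, _ = read_tlv(v, q)
            if ct == 0x30:                             # plain Certificate; other choices are context-tagged
                certs.append(v[q:q2])
            q = q2
    ect = read_tlv(fields[2][1], 0)[1]                 # eContentType; certs-only uses id-data, no eContent
    certs_only = ect == OID_DATA and not fields[1][1] and not fields[-1][1] and bool(certs)
    return ("cms-signed-data", enc, certs_only, certs)

def tlv(tag, contents, ber=False):
    """Encode one element: DER definite length, or BER indefinite length when ber=True."""
    if ber:
        return bytes([tag, 0x80]) + contents + b"\x00\x00"
    n = len(contents)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + contents

def placeholder_certificate(serial):
    """Constructed stand-in with a Certificate's outer shape (tbs, algorithm, signature). Not real."""
    return tlv(0x30, tlv(0x30, tlv(0x02, serial)) + tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))
               + tlv(0x03, b"\x00\xde\xad\xbe\xef"))

def build_certs_only(cert_ders, ber=False):
    """Wrap certificates in a certs-only CMS SignedData (RFC 2797), i.e. a PKCS #7 .p7b."""
    signed_data = tlv(0x30, tlv(0x02, b"\x01")                         # version 1
                      + tlv(0x31, b"")                                 # digestAlgorithms: empty SET
                      + tlv(0x30, tlv(0x06, OID_DATA), ber)            # encapContentInfo: id-data only
                      + tlv(0xA0, b"".join(cert_ders), ber)            # certificates [0] IMPLICIT
                      + tlv(0x31, b""), ber)                           # signerInfos: empty SET
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, signed_data, ber), ber)
```

Against a real download you would call `inspect_ca_issuers(open("IssuedToThisCA.p7b", "rb").read())`; a result of `("cms-signed-data", "DER" or "BER", True, [...])` is the RFC 5280-permitted case, while `"pem"` or `certs_only == False` is the kind of finding the original report is about. The same check from the command line is `openssl pkcs7 -inform DER -in IssuedToThisCA.p7b -print_certs -noout`, which fails on PEM input and lists the bundled certificates on a valid PKCS #7 file.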