Re: NEW Certificate Manager Add-on

2016-02-12 Thread David E. Ross
On 2/12/2016 1:34 PM, Kathleen Wilson wrote: > Thanks to a group of students at Rose-Hulman Institute of Technology for > creating a Certificate Manager Add-on for their senior project! > > I've been using it for a couple months now, and I like it much better > than the old Certificate Manager t

NEW Certificate Manager Add-on

2016-02-12 Thread Kathleen Wilson
Thanks to a group of students at Rose-Hulman Institute of Technology for creating a Certificate Manager Add-on for their senior project! I've been using it for a couple months now, and I like it much better than the old Certificate Manager that ships with Firefox. https://addons.mozilla.org/e

Re: A-Trust Root Renewal Request

2016-02-12 Thread Charles Reiss
On 02/12/16 14:26, Christoph Klein wrote: > Dear All! > > Thank you for contributing in our discussion and illustrate some > existing problems with our certificates. I would like to address the > stated points seperatley. [snip] > * 20 Bits of Entropy: the Serialnumber included in the Subject of o

Re: New requirement: certlint testing

2016-02-12 Thread David Keeler
On 02/11/2016 08:15 AM, Rob Stradling wrote: > https://cert-checker.allizom.org/ can already accept and "run certlint" > on a user-submitted certificate. Could a "run cablint" button be added > too? The way it's implemented, "run certlint" actually runs cablint, which as I understand it is a supe

Re: A-Trust Root Renewal Request

2016-02-12 Thread Christoph Klein
Dear All! Thank you for contributing in our discussion and illustrate some existing problems with our certificates. I would like to address the stated points seperatley. * Wrong CNs in Subject (1, True, BSB-oenb): This was an issue that arose with the switch to SHA-256 certificates in combinat

RE: New requirement: certlint testing

2016-02-12 Thread Medin, Steven
There's no requestor control of validityNotBefore for an offline CA signing event, and certainly none with an online CA since the Playstation attack. There's limited control of toBeSigned: CAs will grab the asserted subject DN, public key, and toss the decorations in the PKCS#10 away. They'll amen

Re: New requirement: certlint testing

2016-02-12 Thread rafamdn
> That sounds reasonable to me, so I updated the wiki page... > > https://wiki.mozilla.org/CA:Information_checklist#Technical_information_about_each_root_certificate > "" 15. Test!!! > > - The CA MUST check that they are not issuing certificates that violate > any of the CA/Browser Forum Ba