m (fixed email link) |
m (fixed typo) |
Line 39: | Line 39: | ||
* If multiple intermediate certificates with the same [https://tools.ietf.org/html/rfc5280#section-4.1.2.6 Subject] + [https://tools.ietf.org/html/rfc5280#section-4.1.2.7 SPKI] have been issued, each one must have their SHA-256 Fingerprint listed in appropriate audit statements according to the "Derived Trust Bits" field. | * If multiple intermediate certificates with the same [https://tools.ietf.org/html/rfc5280#section-4.1.2.6 Subject] + [https://tools.ietf.org/html/rfc5280#section-4.1.2.7 SPKI] have been issued, each one must have their SHA-256 Fingerprint listed in appropriate audit statements according to the "Derived Trust Bits" field. | ||
* [https://groups.google.com/d/msg/mozilla.dev.security.policy/89iF_4Ovpwg/YsC8CQ43DwAJ Cross-Certificates] are also considered intermediate certificates, which must also be audited and specifically listed in the applicable audit statements according to the "Derived Trust Bits" field. | * [https://groups.google.com/d/msg/mozilla.dev.security.policy/89iF_4Ovpwg/YsC8CQ43DwAJ Cross-Certificates] are also considered intermediate certificates, which must also be audited and specifically listed in the applicable audit statements according to the "Derived Trust Bits" field. | ||
* Self-signed certificates that share a [https://tools.ietf.org/html/rfc5280#section-4.1.2.6 Subject] and [https://tools.ietf.org/html/rfc5280#section-4.1.2.7 SPKI] | * Self-signed certificates that share a [https://tools.ietf.org/html/rfc5280#section-4.1.2.6 Subject] and [https://tools.ietf.org/html/rfc5280#section-4.1.2.7 SPKI] with a root certificate that is included in a root store are treated by browsers as intermediate certificates, so must also be listed in the applicable audit statements according to the "Derived Trust Bits" field. | ||
'''Acceptable remediation''' for an intermediate certificate missing BR audits may include one or more of the following: | '''Acceptable remediation''' for an intermediate certificate missing BR audits may include one or more of the following: |
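Review bot: In the self-signed certificates bullet, the revised sentence ends "are treated by browsers as intermediate certificates, so must also be listed"; the second clause has no subject, and "so they must also be listed" would read more clearly. That bullet also writes "Subject and SPKI" where the first bullet writes "Subject + SPKI", so one form should be used for both, since both describe the same matching rule. In the first bullet, "each one must have their SHA-256 Fingerprint" should be "its SHA-256 Fingerprint".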