CA/Audit Letter Validation: Difference between revisions

Older revision: m (fixed typo)
Newer revision: m (added clarification)

Line 39: Line 39:
Unchanged in both revisions:
* If multiple intermediate certificates with the same [https://tools.ietf.org/html/rfc5280#section-4.1.2.6 Subject] + [https://tools.ietf.org/html/rfc5280#section-4.1.2.7 SPKI] have been issued, each one must have their SHA-256 Fingerprint listed in appropriate audit statements according to the "Derived Trust Bits" field.
* [https://groups.google.com/d/msg/mozilla.dev.security.policy/89iF_4Ovpwg/YsC8CQ43DwAJ Cross-Certificates] are also considered intermediate certificates, which must also be audited and specifically listed in the applicable audit statements according to the "Derived Trust Bits" field.

Older revision:
* Self-signed certificates that share a [https://tools.ietf.org/html/rfc5280#section-4.1.2.6 Subject] and [https://tools.ietf.org/html/rfc5280#section-4.1.2.7 SPKI] with a root certificate that is included in a root store are treated by browsers as intermediate certificates, so must also be listed in the applicable audit statements according to the "Derived Trust Bits" field.

Newer revision:
* Self-signed certificates that share a [https://tools.ietf.org/html/rfc5280#section-4.1.2.6 Subject] and [https://tools.ietf.org/html/rfc5280#section-4.1.2.7 SPKI] with a root certificate that is included in a root store are treated by browsers as intermediates because they chain up to an included root, so these certificates must also be listed in the applicable audit statements according to the "Derived Trust Bits" field. An example of this situation is when an older version of a root certificate exists but a newer version of the root certificate was created in order to be included in Mozilla's root store.

Unchanged in both revisions:
'''Acceptable remediation''' for an intermediate certificate missing BR audits may include one or more of the following:
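The rules above distinguish key-level identity (Subject + SPKI) from certificate-level identity (SHA-256 fingerprint of the DER): several certificates can share one key, and every one of them needs its own fingerprint in the audit statement. The following Python is an added illustration of that check, not code from the Mozilla wiki or from any CA tooling. It assumes the Subject, Issuer and SPKI hash have already been extracted by an X.509 parser, and the DER bytes are constructed stand-ins rather than real certificates.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    name: str          # human label, used only for output
    subject: str       # RFC 5280 Subject, assumed already parsed to a string
    issuer: str        # RFC 5280 Issuer, same assumption
    spki_sha256: str   # hash of the SubjectPublicKeyInfo, assumed pre-computed
    der: bytes         # constructed stand-in for the DER encoding (not a real cert)

    @property
    def fingerprint(self) -> str:
        # Audit statements list the SHA-256 over the full DER encoding.
        return hashlib.sha256(self.der).hexdigest().upper()

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer

def group_by_subject_spki(certs):
    """Map (Subject, SPKI hash) -> list of fingerprints sharing that key."""
    groups = {}
    for c in certs:
        groups.setdefault((c.subject, c.spki_sha256), []).append(c.fingerprint)
    return groups

def intermediates_requiring_listing(certs, included_roots):
    """Certs that must appear, by fingerprint, in the intermediate audit scope."""
    root_fps = {r.fingerprint for r in included_roots}
    root_keys = {(r.subject, r.spki_sha256) for r in included_roots}
    scope = []
    for c in certs:
        if c.fingerprint in root_fps:
            continue  # the included root itself is covered by its own root entry
        if not c.self_signed:
            scope.append(c)  # ordinary intermediate, or a cross-certificate
        elif (c.subject, c.spki_sha256) in root_keys:
            scope.append(c)  # older/alternate self-signed copy of an included root key
    return scope

def missing_from_audit(certs, included_roots, audited_fps):
    """Fingerprints in scope that the audit statement does not list."""
    return [c for c in intermediates_requiring_listing(certs, included_roots)
            if c.fingerprint not in audited_fps]

# Constructed sample hierarchy (labels and bytes are invented for the example).
ROOT_NEW = Cert("Root G2 (included)", "CN=Example Root", "CN=Example Root",
                "spki-root", b"constructed-root-2020")
ROOT_OLD = Cert("Root G2 (older self-signed)", "CN=Example Root", "CN=Example Root",
                "spki-root", b"constructed-root-2015")
INT_A1 = Cert("Issuing CA A (2019)", "CN=Example Issuing CA A", "CN=Example Root",
              "spki-a", b"constructed-intA-2019")
INT_A2 = Cert("Issuing CA A (2021 reissue)", "CN=Example Issuing CA A", "CN=Example Root",
              "spki-a", b"constructed-intA-2021")
CROSS = Cert("Cross-cert from Other Root", "CN=Example Root", "CN=Other Root",
             "spki-root", b"constructed-cross")
UNRELATED = Cert("Unrelated self-signed test root", "CN=Test", "CN=Test",
                 "spki-test", b"constructed-test")

CERTS = [ROOT_OLD, INT_A1, INT_A2, CROSS, UNRELATED]
INCLUDED_ROOTS = [ROOT_NEW]
# The (constructed) audit statement lists only the included root and the 2019 intermediate.
AUDITED = {ROOT_NEW.fingerprint, INT_A1.fingerprint}

if __name__ == "__main__":
    for c in missing_from_audit(CERTS, INCLUDED_ROOTS, AUDITED):
        print(f"not listed in audit statement: {c.name} {c.fingerprint}")
```

The 2021 reissue of Issuing CA A shares Subject and SPKI with the audited 2019 certificate, yet it is reported as missing, because listing is per fingerprint. The older self-signed root is reported for the same reason the newer revision of the wiki text gives: it shares key and Subject with an included root, so browsers treat it as an intermediate. The unrelated self-signed test root falls outside the scope entirely.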