agwa | 11 days ago

It doesn't comply with one or more root store policies (which all incorporate the Baseline Requirements by reference, which incorporate various specs, such as RFC5280, by reference).

Mozilla root store policy: https://www.mozilla.org/en-US/about/governance/policies/secu...

Chrome root store policy: https://googlechrome.github.io/chromerootprogram/

Apple root store policy: https://www.apple.com/certificateauthority/ca_program.html

Baseline Requirements: https://github.com/cabforum/servercert/blob/main/docs/BR.md

There are countless examples of non-compliant certificates documented in the Bugzilla component I linked above. A recent example: a certificate which was backdated by more than 48 hours, in violation of section 7.1.2.7 of the Baseline Requirements: https://bugzilla.mozilla.org/show_bug.cgi?id=2016672
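As an added illustration (not code from this thread or from any CA's or root program's tooling) of the kind of lint check that flags the backdating violation cited above: it parses a DER `Validity` field and compares `notBefore` with the certificate's actual issuance time. A real linter would take the issuance time from an embedded SCT or the CA's issuance record; here both the `Validity` bytes and the issuance timestamp are constructed sample values. The 48-hour limit is the figure quoted in the comment; the UTCTime/GeneralizedTime encoding rule enforced along the way comes from RFC 5280 section 4.1.2.5.

```python
"""Illustrative backdating lint for X.509 Validity (not from the thread)."""
from datetime import datetime, timedelta, timezone

# BR 7.1.2.7 limit quoted in the comment above.
BACKDATE_LIMIT = timedelta(hours=48)


def parse_der_time(buf: bytes, pos: int):
    """Parse one DER UTCTime (0x17) or GeneralizedTime (0x18) at buf[pos].

    Returns (aware UTC datetime, position after the element) and enforces the
    RFC 5280 4.1.2.5 rule: dates through 2049 use UTCTime, 2050+ GeneralizedTime.
    """
    tag, length = buf[pos], buf[pos + 1]
    if length >= 0x80:
        raise ValueError("long-form length is not expected for a Validity time")
    body = buf[pos + 2: pos + 2 + length].decode("ascii")
    if not body.endswith("Z"):
        raise ValueError("RFC 5280 requires Validity times in UTC ('Z')")
    if tag == 0x17:  # UTCTime: YYMMDDHHMMSSZ
        if len(body) != 13:
            raise ValueError("UTCTime must be YYMMDDHHMMSSZ")
        yy = int(body[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy  # RFC 5280 century pivot
        dt = datetime.strptime(f"{year}{body[2:12]}", "%Y%m%d%H%M%S")
    elif tag == 0x18:  # GeneralizedTime: YYYYMMDDHHMMSSZ (no fractional seconds)
        if len(body) != 15:
            raise ValueError("GeneralizedTime must be YYYYMMDDHHMMSSZ")
        dt = datetime.strptime(body[:14], "%Y%m%d%H%M%S")
        if dt.year < 2050:
            raise ValueError("dates before 2050 must be UTCTime (RFC 5280 4.1.2.5)")
    else:
        raise ValueError(f"unexpected tag 0x{tag:02x} in Validity")
    return dt.replace(tzinfo=timezone.utc), pos + 2 + length


def parse_validity(der: bytes):
    """Parse Validity ::= SEQUENCE { notBefore Time, notAfter Time }."""
    if der[0] != 0x30:
        raise ValueError("Validity must be a SEQUENCE")
    seq_len = der[1]
    if seq_len >= 0x80 or 2 + seq_len != len(der):
        raise ValueError("bad SEQUENCE length")
    not_before, pos = parse_der_time(der, 2)
    not_after, pos = parse_der_time(der, pos)
    if pos != len(der):
        raise ValueError("trailing bytes after Validity")
    return not_before, not_after


def sct_timestamp_to_datetime(ms: int) -> datetime:
    """RFC 6962 SCT timestamps are milliseconds since the Unix epoch."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def backdating_finding(not_before: datetime, issued_at: datetime):
    """Return None if notBefore is within the limit, else a finding string."""
    delta = issued_at - not_before
    if delta > BACKDATE_LIMIT:
        return f"notBefore predates issuance by {delta}; exceeds 48h (BR 7.1.2.7)"
    return None


# Constructed sample: notBefore 2024-03-01 00:00:00Z, notAfter 2024-05-29 23:59:59Z.
SAMPLE_VALIDITY = bytes.fromhex("301e") + b"\x17\x0d240301000000Z" + b"\x17\x0d240529235959Z"
# Constructed issuance evidence: the certificate was actually logged 3.5 days later.
SAMPLE_ISSUED_AT = datetime(2024, 3, 4, 12, 0, tzinfo=timezone.utc)


def check_sample():
    """Run the lint over the constructed sample and return the finding (or None)."""
    not_before, _not_after = parse_validity(SAMPLE_VALIDITY)
    return backdating_finding(not_before, SAMPLE_ISSUED_AT)


if __name__ == "__main__":
    print(check_sample())
```

Running the block prints a finding for the constructed sample because the gap between `notBefore` and the logged issuance time is 84 hours; moving the issuance time to within two days of `notBefore` returns `None`.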

jacquesm | 11 days ago

Something is badly borked when the protections against an imaginary problem cause a real problem.

disruptiveink | 11 days ago

Baseline requirements are not an imaginary problem. All of them have a legitimate reason for existing. You could argue that some "are not that big of a deal", but that's exactly the point: the overbearing and overly specific requirements serve both their own purpose and double as Van Halen's "no brown M&Ms" clause. If the CA screws them up, either by malice or incompetence, and doesn't immediately catch them and self-report, then you know they have no way of telling what other things they are screwing up. And if you're in the business of selling trust, that instantly makes you untrustworthy.

There are countless Bugzilla reports of clearly unprofessional CAs trying to get away with doing whatever they want, get caught, say "it's no big deal", fail to learn the lesson and eventually get kicked out, much to the chagrin and bewilderment of their management, irate that some nerds on the Internet could ruin their business, failing to understand that following the scripture of the Internet nerds is the #1 requirement of the business they chose to run.