[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail

Chris Palmer snackypants at gmail.com
Wed Sep 7 21:31:14 PDT 2011


>> So if it's "totally broken", why don't you and Kathleen add "OCSP Responders
>> MUST NOT report 'good' if the certificate is not known to have been issued" to
>> the Mozilla CA Certificate Policy?
>
> Noted :-)

Why stop there? The Observatory is a gold mine of Obvious Problem
Indicators. CAs that sign certs with non-fully-qualified or invalid or
nonsense hostnames as their CNs, 0s in the high-order bits of keys,
CAs with fake country codes in their DNs ("WW"), CAs that signed the
weak Debian keys well after that problem was known, ...

I understand that normal validation is not EV, but a lot of these
problems could be weeded out of incoming CSRs with a shell script. I
think it's fair to expect all CAs, even non-EV ones, to be at least as
perspicacious as a shell script.

Perhaps we should write that script, and have it be part of the standard.
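
One rendition of that script, added here as an example and not code from the original thread, or from the Observatory: it consumes what `openssl req -in req.csr -noout -subject -modulus` prints and flags the indicators listed above (non-FQDN or malformed CN, bogus country code, undersized modulus or zero high-order bits, Debian weak key). The ISO 3166-1 alpha-2 list is embedded and should be checked against the current table; the Debian fingerprint convention (SHA-1 over the `Modulus=...` line, last 20 hex digits, as the openssl-blacklist package does it) is an assumption to confirm against your copy of that package; the sample CSR fields and the blacklist entry are constructed.

```python
"""Sanity checks a CA could run over an incoming CSR, working from the
text that `openssl req -noout -subject -modulus` prints.
Added example; ISO list and blacklist convention are assumptions."""
import hashlib
import re
import sys

# ISO 3166-1 alpha-2 codes (assumed current; verify before deployment)
ISO_3166_ALPHA2 = frozenset("""
AD AE AF AG AI AL AM AO AQ AR AS AT AU AW AX AZ BA BB BD BE BF BG BH BI BJ
BL BM BN BO BQ BR BS BT BV BW BY BZ CA CC CD CF CG CH CI CK CL CM CN CO CR
CU CV CW CX CY CZ DE DJ DK DM DO DZ EC EE EG EH ER ES ET FI FJ FK FM FO FR
GA GB GD GE GF GG GH GI GL GM GN GP GQ GR GS GT GU GW GY HK HM HN HR HT HU
ID IE IL IM IN IO IQ IR IS IT JE JM JO JP KE KG KH KI KM KN KP KR KW KY KZ
LA LB LC LI LK LR LS LT LU LV LY MA MC MD ME MF MG MH MK ML MM MN MO MP MQ
MR MS MT MU MV MW MX MY MZ NA NC NE NF NG NI NL NO NP NR NU NZ OM PA PE PF
PG PH PK PL PM PN PR PS PT PW PY QA RE RO RS RU RW SA SB SC SD SE SG SH SI
SJ SK SL SM SN SO SR SS ST SV SX SY SZ TC TD TF TG TH TJ TK TL TM TN TO TR
TT TV TW TZ UA UG UM US UY UZ VA VC VE VG VI VN VU WF WS YE YT ZA ZM ZW
""".split())

# One DNS label (RFC 1123): alphanumeric ends, hyphens inside, 1-63 chars
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
MIN_RSA_BITS = 2048


def parse_openssl_output(text):
    """Return (subject dict, modulus int) from openssl's subject=/Modulus= lines.
    Handles both 'subject=/C=WW/CN=host' and 'subject=C = WW, CN = host';
    values containing commas or slashes are not handled."""
    subject, modulus = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("subject="):
            body = line[len("subject="):].strip()
            parts = body[1:].split("/") if body.startswith("/") else body.split(",")
            for part in parts:
                if "=" in part:
                    key, value = part.split("=", 1)
                    subject[key.strip()] = value.strip()
        elif line.startswith("Modulus="):
            modulus = int(line[len("Modulus="):], 16)
    return subject, modulus


def check_hostname(cn):
    """Flag CNs that are not fully qualified, well-formed DNS names."""
    if not cn:
        return ["CN missing"]
    labels = cn.split(".")
    if labels[0] == "*":            # allow a single leading wildcard label
        labels = labels[1:]
    problems = []
    if len(labels) < 2:
        problems.append("CN is not fully qualified: %r" % cn)
    if not all(LABEL_RE.match(label) for label in labels):
        problems.append("CN contains an invalid DNS label: %r" % cn)
    elif labels and not labels[-1].isalpha():
        problems.append("CN has a non-alphabetic TLD (IP or nonsense name): %r" % cn)
    return problems


def check_country(country):
    """C= is optional in a DV subject, but if present it must be a real code."""
    if country is None:
        return []
    if country not in ISO_3166_ALPHA2:
        return ["C is not an ISO 3166-1 alpha-2 code: %r" % country]
    return []


def debian_fingerprint(modulus):
    """openssl-blacklist style fingerprint (assumed): SHA-1 of the exact
    'Modulus=<HEX>\\n' line openssl prints, keeping the last 20 hex digits."""
    line = "Modulus=%X\n" % modulus
    return hashlib.sha1(line.encode("ascii")).hexdigest()[-20:]


def check_modulus(modulus, weak_fingerprints=frozenset()):
    """Size, high-order-zero-bit, parity and Debian-blacklist checks."""
    if modulus is None:
        return ["no RSA modulus found"]
    problems = []
    bits = modulus.bit_length()
    if bits < MIN_RSA_BITS:
        problems.append("RSA modulus is only %d bits" % bits)
    if bits % 8:
        problems.append("modulus has zero high-order bits (%d-bit value)" % bits)
    if modulus % 2 == 0:
        problems.append("modulus is even")
    if debian_fingerprint(modulus) in weak_fingerprints:
        problems.append("modulus is on the Debian weak-key blacklist")
    return problems


def check_csr(openssl_text, weak_fingerprints=frozenset()):
    """Run every check; an empty list means the CSR passed the script."""
    subject, modulus = parse_openssl_output(openssl_text)
    return (check_hostname(subject.get("CN"))
            + check_country(subject.get("C"))
            + check_modulus(modulus, weak_fingerprints))


# Constructed sample inputs (not real CSRs): a clean 2048-bit request and
# one exhibiting each problem indicator, with its modulus put on a fake blacklist.
GOOD_CSR_TEXT = "subject=C = US, O = Example Corp, CN = www.example.com\nModulus=" + "C" + "F" * 511
BAD_MODULUS_HEX = "7" + "F" * 255          # 1023-bit value: top bit zero, undersized
BAD_CSR_TEXT = "subject=/C=WW/O=Example Corp/CN=mail\nModulus=" + BAD_MODULUS_HEX
WEAK_FINGERPRINTS = frozenset([debian_fingerprint(int(BAD_MODULUS_HEX, 16))])

if __name__ == "__main__":
    # usage: openssl req -in req.csr -noout -subject -modulus | python check_csr.py
    for problem in check_csr(sys.stdin.read(), WEAK_FINGERPRINTS):
        print(problem)
```

The real Debian blacklist would be loaded from the openssl-blacklist package's `blacklist.RSA-*` files rather than the one-entry constructed set above, and a production version would parse the CSR's DER directly instead of trusting openssl's text layout, which changed between releases.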