Misissued certificates - pathLenConstraint with CA:FALSE


Alex Gaynor
Hi,

The following certificates appear to be misissued:

https://crt.sh/?id=77893170&opt=cablint
https://crt.sh/?id=77947625&opt=cablint
https://crt.sh/?id=78102129&opt=cablint
https://crt.sh/?id=92235995&opt=cablint
https://crt.sh/?id=92235998&opt=cablint

All of these certificates have a pathLenConstraint value with CA:FALSE;
this violates 4.2.1.9 of RFC 5280: CAs MUST NOT include the
pathLenConstraint field unless the cA boolean is asserted and the key usage
extension asserts the keyCertSign bit.

Alex

--
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: D1B3 ADC0 E023 8CA6
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security