Closed Bug 1029095 (mozilla::CA-tests) Opened 6 years ago Closed 4 years ago
Create Tool for testing CA compliance with Mozilla Policy, Baseline Requirements, and EV readiness
Please create a tool that can be used to check CA compliance with Mozilla's CA Certificate Policy, the Baseline Requirements, and EV readiness. This tool may have a web interface where anyone can enter an https url and get results listing which problems are noted. It would also be great if this tool could be used inside a script such as the compatibility testing script, so we can gather/publish(?) CA-specific metrics. Please include tests for the problems listed here: https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix
Also please add this check... https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/CeukR-11M5c "The CA/B baseline requirements say that all RSA keys that are used since 1 January 2014 should have been at least 2048 bit. All shorter than 2048 should have either expired or been revoked by that date. But it's still not the case. We're currently around 0.24% of the certificates that are being seen on the internet that still are too short."

And: https://groups.google.com/d/msg/mozilla.dev.security.policy/6cLaLCWbaM0/Ms9iu2xMkT8J
* No Subject Alternative Name extension
* Fails decoding the character set
* Contains control characters
* Certificate not version 3
* Long-lived certs (beyond what BRs allow)

And check for the things listed here: https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Behavior_Changes
Additional examples of things this tool could check for: https://groups.google.com/d/msg/mozilla.dev.security.policy/2G6KuAT9Ekk/3m95WoClf4sJ https://groups.google.com/d/msg/mozilla.dev.security.policy/cNgy1_rkv6A/r53wxa5qZHkJ
Depends on: 1067452
Depends on: 1160252
Richard created a document listing the BRs that can be programmatically checked: https://docs.google.com/spreadsheets/d/1nonxa1UbwnMXNCFyJRmiUNZ_tWyLz4eoGFsHSEEdpe0/edit#gid=0
Please also test for certs with serial numbers longer than 20 octets. As noted in Bug #1139205, RFC 5280 says that implementations must be able to handle values up to 20 octets, so we should not allow roots in our program that have serial numbers longer than that.
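As an added illustration, not code from this bug or from any Mozilla tool, here are the checks requested in the description (RSA key below 2048 bits, missing SAN, control characters in the subject, version not 3) and in the serial-number comment above (DER serial longer than 20 octets), written in Python against the `cryptography` library. The `make_test_cert` helper, the `example.test` name and the 30-day validity are constructed test inputs so the checker runs offline; they are not data from any CA.

```python
# Assumes Python 3.9+ and the `cryptography` package (pip install cryptography).
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def serial_number_octets(serial: int) -> int:
    """Octets in the DER INTEGER content for a non-negative serial.
    DER is two's complement, so a 0x00 byte is prepended when the top bit is set;
    RFC 5280 4.1.2.2 requires implementations to handle up to 20 octets."""
    return (serial.bit_length() + 8) // 8


def check_certificate(cert: x509.Certificate) -> list[str]:
    """Return the BR / Mozilla-policy problems found in one certificate."""
    problems = []
    if cert.version != x509.Version.v3:
        problems.append("certificate is not X.509 version 3")
    pub = cert.public_key()
    if isinstance(pub, rsa.RSAPublicKey) and pub.key_size < 2048:
        problems.append(f"RSA key is {pub.key_size} bits; BRs require at least 2048")
    try:
        cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        problems.append("no Subject Alternative Name extension")
    if serial_number_octets(cert.serial_number) > 20:
        problems.append("serial number longer than 20 octets")
    for attr in cert.subject:  # control characters hide in string-valued attributes
        if isinstance(attr.value, str) and any(ord(c) < 0x20 for c in attr.value):
            problems.append(f"control character in subject attribute {attr.oid.dotted_string}")
            break
    return problems


def make_test_cert(key_size: int, with_san: bool) -> x509.Certificate:
    """Constructed self-signed test certificate (not real CA data) to exercise the checker."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.test")])
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=30)))
    if with_san:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName("example.test")]), critical=False)
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    print(check_certificate(make_test_cert(1024, with_san=False)))  # two findings
    print(check_certificate(make_test_cert(2048, with_san=True)))   # []
```

A scripted version of the requested tool would call `check_certificate` on each leaf certificate fetched from an https URL and aggregate the findings per issuing CA.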
This seems to be largely the same as bug 927184, but feel free to reopen if something more is needed here.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 927184