在 2019年2月27日星期三 UTC+8下午11:28:00,[email protected]写道: > Hello, > > I noticed this certificate > https://crt.sh/?id=1231965201&opt=cablint,x509lint,zlint that has an invalid > domain `mail.xinhua08.con` in SANs. This looks like a typo and > `mail.xinhua08.com` is present in other certificates. Such an issue makes me > wonder about the quality of their validation.
For the missed input subjectAltname in this case, as Jokob Bohm said, the CAA checking action couldn't prevent this from happening perfectly. We CFCA checked the production log, and this error is caused by operator's manual input. CFCA had finished system updates which would check TLD in common name and subjectAltnames automatically in February 27 update, the wrong TLD input will be reported as "invalid TLD " from the system after this update. More training had been done to operators. _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
