The serial number you find in the subject of an EV certificate is the registration number of the company (Paypal Inc, in Delaware). There's absolutely no problem in having different certificates with this repeating serial number (in the subject), as long as they are delivered to the right company. What MUST be unique for a CA is the serialNumber of the certificate (the first element of the TBSCertificate structure, outside the subject).
Looks like paypal-communication.com is a legit domain owned by "Paypal, Inc". 2013/8/13 wasa bee <wasabe...@gmail.com> > given the images seen on the links, both certs are signed by the same > entity (i cannot see the pubKey ID but issuer names match), yet have the > same serial number 3014267. Isn't the (serial number + issuer pub key > identifier) supposed to be unique and identify a cert uniquely? > is it common practice for a CA to issue different certs (even to the same > entity) with the same serial number? > > > > On Tue, Aug 13, 2013 at 10:25 AM, Jeffrey Walton <noloa...@gmail.com>wrote: > >> On Tue, Aug 13, 2013 at 5:10 AM, Peter Gutmann >> <pgut...@cs.auckland.ac.nz> wrote: >> > I recently got a another of the standard phishing emails for Paypal, >> directing >> > me to https://email-edg.paypal.com, which redirects to >> > https://view.paypal-communication.com, which has a PayPal EV >> certificate from >> > Verisign. According to this post >> > http://www.onelogin.com/a-paypal-phishing-attack/ it may or may not be >> a >> > phishing attack (no-one's really sure), and this post >> > http://www.linuxevolution.net/?p=12 says it is a phishing attack and >> the site >> > will be shut down by Paypal... back in May 2011. >> > >> > Can anyone explain this? It's either a really clever phish (or the CAs >> are >> > following their historically lax levels of checking), or Paypal has >> joined the >> > ranks of US banks in training their users to become phishing victims. >> If that's true, I think the more interesting fact is: it appears >> email-edg.paypal.com is controlled by the attacker. Why else would >> Paypal redirect from a host in their domain to a host not in their >> domain controlled by the adversary? (Its a bit different than standard >> phishing training where both hosts/domains are controlled by Paypal). >> >> Has Paypal fess'ed up to any break-ins or breaches? >> >> Jeff >> _______________________________________________ >> cryptography mailing list >> cryptography@randombit.net >> http://lists.randombit.net/mailman/listinfo/cryptography >> > > > _______________________________________________ > cryptography mailing list > cryptography@randombit.net > http://lists.randombit.net/mailman/listinfo/cryptography > > -- Erwann.
_______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
