On 01/19/16 03:23, Kurt Roeckx wrote: > On Tue, Jan 19, 2016 at 01:49:21AM +0000, Charles Reiss wrote: >> Via censys.io, I found a couple SHA-1 certs with notBefore dates from this >> year >> which chain to root CAs in Mozilla's program: > > I also have some from C=US,O=VeriSign\, Inc.,OU=VeriSign Trust > Network,OU=Terms of use at https://www.verisign.com/rpa > (c)10,CN=VeriSign Class 3 International Server CA - G3". I'm not > sure that CA is still included, but I think it it. > > It includes certificates like C=US,ST=California,L=Mountain > View,O=Symantec Corp.,CN=psslnoov.symantec.com
https://crt.sh/?id=11876802 would be an example then. The Class 3 Internal Server CA - G3 appears to have a cert issued from "VeriSign Class 3 Public Primary Certification Authority - G5", which is an included CA with the websites trust bit enabled. > I didn't have time to file bugs for this yet. > > > Kurt > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy