On 19/01/2016 02:49, Charles Reiss wrote:
> Via censys.io, I found a couple SHA-1 certs with notBefore dates from this year
> which chain to root CAs in Mozilla's program:
>
> - https://crt.sh/?id=12089828 -- chains to Baltimore CyberTrust Root [DigiCert]
> via subCA "Eurida Primary CA" via subCA "DnB NOR ASA PKI Class G"
>
> Also, the OCSP responder for this certificate appears to not include a
> nextUpdate field.


Does the OCSP spec say what "no nextUpdate" should default to? Like maybe "don't cache, expires instantly".


> - https://crt.sh/?id=12090324 -- chains to Security Communication RootCA1
> [SECOM] via subCA "YourNet SSL for business"
>
> Also, this certificate is also missing OCSP information and appears to be being
> served without OCSP stapling support.


If there is no OCSP, it obviously cannot be stapled.

In addition to the above, note that *code signing* and *document
signing* certificates may be issued after the deadline for SSL SHA-1
certificates, because some important relying party software cannot be
upgraded to support modern signature hash algorithms (most notably
Microsoft platforms released before 2009).

Such compatibility SHA-1 certificates typically have to chain to
existing roots too (again because of relying party software
limitations).


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
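The "no nextUpdate" question raised above, worked as an added example that is not code from this thread: a client-side freshness check that applies RFC 6960's rule that an absent nextUpdate means newer revocation information is available at all times, so such a response is never cached. The clock-skew and grace-window values are assumptions chosen for the example, not values the RFC prescribes.

```python
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Local policy values assumed for this example (not prescribed by RFC 6960):
# tolerated clock skew, and how recent thisUpdate must be, when nextUpdate is
# absent, before the response is treated as too old to rely on.
SKEW = timedelta(minutes=5)
NO_NEXTUPDATE_GRACE = timedelta(minutes=10)


def ocsp_freshness(this_update: datetime, next_update: Optional[datetime],
                   now: datetime) -> Tuple[str, timedelta]:
    """Classify one OCSP response window; return (verdict, cache_ttl).

    verdict: "fresh"   usable now; cache_ttl is how long it may be reused
             "future"  thisUpdate lies ahead of our clock beyond SKEW
             "expired" nextUpdate has passed (or the window is inverted)
             "stale"   no nextUpdate and thisUpdate is older than the grace
    A missing nextUpdate never yields a positive cache_ttl: per RFC 6960 it
    signals that newer revocation information is available all the time.
    """
    if this_update > now + SKEW:
        return "future", timedelta(0)
    if next_update is None:
        if now - this_update > NO_NEXTUPDATE_GRACE:
            return "stale", timedelta(0)
        return "fresh", timedelta(0)          # usable right now, but do not cache
    if next_update < this_update:
        return "expired", timedelta(0)        # inverted window: reject it
    if now > next_update + SKEW:
        return "expired", timedelta(0)
    return "fresh", max(next_update - now, timedelta(0))


def check(this_update: str, next_update: Optional[str], now: str) -> Tuple[str, int]:
    """Same check on ISO 8601 timestamps; returns verdict and TTL in seconds."""
    parse = datetime.fromisoformat
    verdict, ttl = ocsp_freshness(
        parse(this_update), parse(next_update) if next_update else None, parse(now))
    return verdict, int(ttl.total_seconds())


if __name__ == "__main__":
    # Constructed timestamps around the date of this thread.
    print(check("2016-01-19T02:00:00+00:00", None, "2016-01-19T02:05:00+00:00"))
    print(check("2016-01-19T02:00:00+00:00", None, "2016-01-19T02:49:00+00:00"))
    print(check("2016-01-19T02:00:00+00:00", "2016-01-26T02:00:00+00:00",
                "2016-01-19T02:49:00+00:00"))
```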
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy