Hello Kathleen, we revoked all SHA-1 certificates issued this year:
00a5401e9bafb23523 (Tuesday, February 2, 2016, 11:35:53) 009d79636c84ece62a (Tuesday, February 2, 2016, 11:37:25) 008e6c17cd66006c11 (Tuesday, February 2, 2016, 11:38:45) 2318da5c1485012e (Friday, January 29, 2016, 12:37:36) 6dfb9ccc0c5333c6 (Friday, January 29, 2016, 15:10:30) 7d5e244530e38c13 (Friday, January 29, 2016, 13:54:00) 00bdcda1e1e9b358e8 (Friday, January 29, 2016, 13:55:09) 008ab83981f725ff48 (Friday, January 29, 2016, 13:57:51) The corresponding CRL: http://crl.sbca.telesec.de/rl/Shared_Business_CA_3.crl Best regards, Bernd T-Systems International GmbH Trust Center Applications -----Ursprüngliche Nachricht----- Von: dev-security-policy [mailto:dev-security-policy-bounces+bernd.nakonzer=t-systems....@lists.mozilla.org] Im Auftrag von Kathleen Wilson Gesendet: Freitag, 29. Januar 2016 22:44 An: mozilla-dev-security-pol...@lists.mozilla.org Betreff: Re: SHA1 certs issued this year chaining to included roots On 1/25/16 12:22 AM, Charles Reiss wrote: > On 01/19/16 01:49, Charles Reiss wrote: >> Via censys.io, I found a couple SHA-1 certs with notBefore dates from >> this year which chain to root CAs in Mozilla's program: > [snip] > > And here are a couple more, from different subCAs: > > - https://crt.sh/?id=12131821 -- chaining to Deutsche Telekom Root CA > 2 [T-Systems] via subCA "Shared Business CA 3" > I received email from Bernd of T-Systems saying that from 1 January 2016, 8 SHA‐1 subscriber certificates (SSL) were issued via sub-CA "Shared Business CA 3" (chaining to “Deutsche Telekom Root CA 2”) – because of converging use cases. Other T-Systems CAs were not affected. The problem has been fixed, so SHA-1 certs can no longer be issued. The 8 certs will be revoked on February 5 and the corresponding CRL will be updated/published. Thanks, Kathleen _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy