On 05/02/16 21:43, Charles Reiss wrote:
On 02/05/16 20:13, martin.suc...@gmail.com wrote:
Here's a list of all certificates with SHA-1 signatures and notBefore >=
2016-01-01, logged in the Certificate Transparency Log:
https://crt.sh/?cablint=211&minNotBefore=2016-01-01
Some notes on how these look as of now. The listed subCA CNs are:
- DOD CA-28
- DOD CA-27
These chain to DST ACES CA X6, see
https://bugzilla.mozilla.org/show_bug.cgi?id=1037590#c21 and
https://cabforum.org/pipermail/public/2016-February/006696.html
- Intel External Basic Issuing CA 3A
These chain through a technically constrained subordinate CA
https://crt.sh/?id=1250505
- Symantec Private SSL SHA1 CA
These chain to the 1024-bit VeriSign roots 'Class 3 Public Primary
Certification Authority' and 'Class 3 Public Primary Certification
Authority - G2' which are no longer included in Mozilla's root program.
"Class 3 Public Primary Certification Authority - G2" is still trusted
for serverAuthentication in Microsoft's root program.
Curiously, the similar COMODO CA 'COMODO Domain Validation Legacy Server
CA 2' (chains to retired root 'UTN - DATACorp SGC') appears to be
exempted from listing? (example cert:
https://crt.sh/?id=12584167&opt=cablint)
On the crt.sh database I'd marked "COMODO Domain Validation Legacy
Server CA 2" as out-of-scope for cablint checks, on the grounds that the
root (UTN - DATACorp SGC) has been (or is waiting to be) pulled from
root programs that demand BR compliance.
However, I'm going to add it back in-scope. We (Comodo) currently
intend that new certs issued under "UTN - DATACorp SGC" will adhere to
the BRs in every way except for SHA-1. It would be useful for crt.sh /
cablint to spot any unintended issues.
- VeriSign Class 3 Secure Server CA - G3
- VeriSign Class 3 International Server CA - G3
I believe these are the certs at
https://cabforum.org/pipermail/public/2016-January/006519.html or
precertificates for them.
- RSA Corporate Server CA v2
- DnB NOR ASA PKI Class G
- Shared Business CA 3
- TI Trust Technologies Global CA
- Postecom CS3
- Aetna Inc. Certificate Authority
- SHECA
- AC Infrastructure
- YourNet SSL for business
- Verizon Public SureServer CA G14-SHA1
These have been mentioned here previously.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com
COMODO CA Limited, Registered in England No. 04058690
Registered Office:
3rd Floor, 26 Office Village, Exchange Quay,
Trafford Road, Salford, Manchester M5 3EQ
This e-mail and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify the
sender by replying to the e-mail containing this attachment. Replies to
this email may be monitored by COMODO for operational or business
reasons. Whilst every endeavour is taken to ensure that e-mails are free
from viruses, no liability can be accepted and the recipient is
requested to use their own virus checking software.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
