As we might have expected, following Symantec's goof last week, they have now 
initiated a formal application on behalf of TSYS:

https://cabforum.org/pipermail/public/2016-July/007999.html

I haven't been able to find the "version 1.1" process referred to in that post; 
version 1.0 was proposed by Andrew Whalley of Google back in June. Unless 
version 1.1 changes things significantly, the purpose of publishing the 
to-be-signed certificates (tbsCertificates) is to obtain feedback on their 
contents, so that the risk being taken is understood in advance of signing.

These appear to be essentially the same identities as for the mis-issued 
certificates from the earlier thread. They are in most respects other than the 
use of SHA-1 unremarkable (it seems to me -- I encourage others, particularly 
those with a lot of ASN.1 knowledge, to inspect for themselves) but one thing 
stands out to me:

All of the certificate subjects have either TDS-2-Ashburn-SCA-bbL6gMDyTZU8 or
TDS-2-Dallas-SCA-v2PmB4cxayEu as the OU.

The trailing part of each name appears to be gibberish. It seems very unlikely 
to me that there really is a "business unit" or "department" or even a meeting 
room at TSYS named bbL6gMDyTZU8. So presumably this value serves some other 
purpose.

IF prior SHA-1 certificates for TSYS FQDNs also had this unusual characteristic 
it might be less surprising (though I would still wonder what it was for) but 
looking back in crt.sh I can't see such gibberish in older certificates for 
TSYS FQDNs.

e.g. this one, issued in 2015 and expired earlier this year, has the 
unremarkable OU = TDS-NewYork
https://crt.sh/?id=14854100

Does anyone know already of an explanation for the gibberish OU values in the 
to-be-signed certificates disclosed in this application? If not, I believe 
that Mozilla should ask TSYS to explain these values or, if they cannot be 
justified, that it should request the application start fresh with a subject DN 
that matches one issued _prior_ to the 2016 moratorium as a show of good faith.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
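For anyone who wants to inspect the disclosed tbsCertificates themselves rather than take the OU values on trust, here is an added example (my own, not from the post above or from TSYS/Symantec) that walks a DER-encoded X.509 subject Name with a minimal hand-written DER reader, collects the OU attributes, and flags any whose trailing "-"-separated component looks like random filler. It assumes the subject Name has already been cut out of the tbsCertificate, that attribute values are UTF8String/PrintableString (ASCII) text, and that the "looks random" heuristic (length, three character classes, Shannon entropy above 3 bits) is only a prompt for a human to ask the question, not a verdict; the sample Names are constructed, not the real ones.

```python
import math
from collections import Counter

# Attribute type OIDs, DER-encoded (2.5.4.x -> 55 04 xx); only these are needed here.
OID = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03"}

def _tlv(tag, body):
    """DER tag/length/value; lengths up to 65535 (enough for a subject Name)."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x82, n >> 8, n & 0xFF])) + body

def make_name(*attrs):
    """Constructed sample data: Name ::= SEQUENCE OF (SET OF SEQUENCE { OID, UTF8String })."""
    atv = lambda k, v: _tlv(0x30, _tlv(0x06, OID[k]) + _tlv(0x0C, v.encode()))
    return _tlv(0x30, b"".join(_tlv(0x31, atv(k, v)) for k, v in attrs))

def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length: 0x8n + n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def organizational_units(name_der):
    """Walk the RDN sequence and return every OU value, in subject order."""
    out, pos = [], 0
    _, rdns, _ = _read_tlv(name_der, 0)         # outer SEQUENCE
    while pos < len(rdns):
        _, rdn, pos = _read_tlv(rdns, pos)      # SET (one RDN, possibly multi-valued)
        p = 0
        while p < len(rdn):
            _, atv, p = _read_tlv(rdn, p)       # SEQUENCE { type, value }
            _, oid, q = _read_tlv(atv, 0)
            _, val, _ = _read_tlv(atv, q)
            if oid == OID["OU"]:
                out.append(val.decode("utf-8"))
    return out

def looks_random(token, min_len=10):
    """Heuristic only: a long alphanumeric token mixing cases and digits with high entropy."""
    if len(token) < min_len or not token.isalnum():
        return False
    classes = sum(any(f(c) for c in token) for f in (str.islower, str.isupper, str.isdigit))
    entropy = -sum(n / len(token) * math.log2(n / len(token)) for n in Counter(token).values())
    return classes == 3 and entropy > 3.0

def suspicious_ous(name_der):
    """OU values whose last '-'-separated component looks like random filler."""
    return [ou for ou in organizational_units(name_der) if looks_random(ou.rsplit("-", 1)[-1])]
```

Run it on the subject of a real tbsCertificate by passing the DER bytes of its Name to `suspicious_ous`; the constructed OU "TDS-2-Ashburn-SCA-bbL6gMDyTZU8" is flagged, while the older style "TDS-NewYork" is not.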