On Mon, 26 Sep 2016 18:54:09 +0100 Gervase Markham <g...@mozilla.org> wrote:
> > The two *.zlbaba.com certificates (https://crt.sh/?id=30773543 and
> > https://crt.sh/?id=31103218) do not appear to be matching to me:
> > their public keys and serial numbers are different.
>
> The serial numbers of all the pairs are different (which is good;
> issuing two certs with the same serial number is an RFC violation, see
> Issues H and P). I've not done an analysis of whether the public keys
> match for some of the pairs; feel free to do one if you like. If you
> think two different public keys cast doubt on the idea that these two
> certs were issued at the same time, feel free to think that. However,
> the document does not stand or fall on whether or not these are
> co-issued pairs or not; that is merely a conjecture to try and
> establish how long the misissuance happened for, as we have no other
> reliable dates.

Fair enough. You should revise the following wording, which says that the
serial numbers and public keys are the same:

> Many of the rest of the Macau certificates, which do not have an
> embedded SCT to show when they were issued, have “matching” SHA-256
> versions issued at some point in 2016, with everything the same
> except the issuing intermediate certificate, the hash algorithm and
> the notBefore/notAfter dates

It seems that the only similarity between matching certificates is the
subject+SANs. (Plus EKU, AIA, CP, etc. but those are the same in all
WoSign certificates.)

Regards,
Andrew

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
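To make the "matching pair" question concrete, here is an added example (not code from the thread or from crt.sh) that compares two DER certificates field by field: serial number, signature algorithm, issuer, validity, subject, public key (SPKI) and the subjectAltName extension. The tiny DER encoder/decoder, the OIDs and the two constructed sample certificates (which share only subject and SANs) are assumptions of the example, not data from the thread.

```python
def der(tag, body):
    """Encode one definite-length DER TLV."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def children(body):
    """Split a SEQUENCE/SET body into (tag, value, raw_tlv) tuples."""
    out, i = [], 0
    while i < len(body):
        tag, ln, hdr = body[i], body[i + 1], 2
        if ln & 0x80:  # long-form length
            k = ln & 0x7F
            ln, hdr = int.from_bytes(body[i + 2:i + 2 + k], "big"), 2 + k
        out.append((tag, body[i + hdr:i + hdr + ln], body[i:i + hdr + ln]))
        i += hdr + ln
    return out
# OIDs: sha256WithRSAEncryption, sha1WithRSAEncryption, rsaEncryption, commonName, subjectAltName
SHA256_RSA = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))
SHA1_RSA = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010105")))
RSA_OID, CN_OID, SAN_OID = bytes.fromhex("2a864886f70d010101"), bytes.fromhex("550403"), bytes.fromhex("551d11")
def make_cert(serial, issuer_cn, subject_cn, sans, pubkey, nb, na, sigalg):
    """Build a constructed, unsigned toy X.509 certificate in DER (the signature is a dummy)."""
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, CN_OID) + der(0x0C, cn.encode()))))
    spki = der(0x30, der(0x30, der(0x06, RSA_OID) + der(0x05, b"")) + der(0x03, b"\x00" + pubkey))
    san = der(0x30, b"".join(der(0x82, d.encode()) for d in sans))  # dNSName entries
    exts = der(0xA3, der(0x30, der(0x30, der(0x06, SAN_OID) + der(0x04, san))))
    validity = der(0x30, der(0x17, nb.encode()) + der(0x17, na.encode()))
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, serial) + sigalg + name(issuer_cn)
           + validity + name(subject_cn) + spki + exts)
    return der(0x30, der(0x30, tbs) + sigalg + der(0x03, b"\x00" * 9))
def fields(cert):
    """Pull out the fields the thread compares, as raw DER bytes."""
    tbs = children(children(children(cert)[0][1])[0][1])  # Certificate -> tbsCertificate -> its fields
    f = dict(zip(["version", "serial", "sigalg", "issuer", "validity", "subject", "spki"], (t[2] for t in tbs[:7])))
    exts = children(children(tbs[7][1])[0][1])  # [3] Extensions -> SEQUENCE OF Extension
    f["san"] = next((children(e[1])[1][1] for e in exts if children(e[1])[0][1] == SAN_OID), None)
    return f
def compare(a, b):
    """Return {field: identical?}; only a True in every field would make the pair true duplicates."""
    fa, fb = fields(a), fields(b)
    return {k: fa[k] == fb[k] for k in fa}

# Constructed sample pair: same subject and SANs; different serial, key, issuer, validity and hash algorithm
OLD = make_cert(b"\x10\x01", "Example SHA-1 Issuer", "example.test", ["example.test", "www.example.test"],
                b"\x01" * 16, "150601000000Z", "170601000000Z", SHA1_RSA)
NEW = make_cert(b"\x10\x02", "Example SHA-256 Issuer", "example.test", ["example.test", "www.example.test"],
                b"\x02" * 16, "160301000000Z", "180301000000Z", SHA256_RSA)
```

Running `compare(OLD, NEW)` reports only `version`, `subject` and `san` as identical, which is exactly the situation described above: a "matching" pair on subject+SANs, not on serial number or public key.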