Thank you, Patrick, for pointing these out to us. DigiCert has been at the
forefront pushing the move toward SHA-2. In fact, we've been issuing SHA-2
certificates by default to our customers for a couple of years now. We've
communicated with these sub-CAs and requested that these certificates be
revoked. We'll follow up with a status report on our efforts sometime next
week.
Sincerely yours,
Ben Wilson
DigiCert VP of Compliance

-----Original Message-----
From: dev-security-policy
[mailto:dev-security-policy-bounces+ben=digicert....@lists.mozilla.org] On
Behalf Of Patrick Figel
Sent: Friday, October 28, 2016 9:12 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: New SHA-1 certificates issued in 2016

I found a number of SHA-1 certificates chaining up to CAs trusted by Mozilla
that have not been brought up on this list or on Bugzilla yet.
Apologies in case I missed prior discussion for any of these, and kudos to
censys for making this search incredibly easy.

#1
https://crt.sh/?id=32335005&opt=cablint
  Common Name: portalcsg.siemens.com
  Serial: 1518050245
  Not Before: Jul 12 14:01:45 2016 GMT
  Chains to: "Baltimore CyberTrust Root" (DigiCert) via:
   - Siemens Issuing CA Class Internet Server 2013
   - Siemens Internet CA V1.0

#2
https://crt.sh/?id=32335007&opt=cablint
  Common Name: downloada.industrysoftware.automation.siemens.com
  Serial: 2087556804
  Not Before: May 10 15:54:05 2016 GMT
  Chains to: "Baltimore CyberTrust Root" (DigiCert) via:
   - Siemens Issuing CA Class Internet Server 2013
   - Siemens Internet CA V1.0

#3
https://crt.sh/?id=32331581&opt=cablint
  Common Name: VPN-PDC1.vodafone.com
  Serial: 77:00:1c:7f:f6:f8:7e:5d:d6:48:bf:72:4d:00:01:00:1c:7f:f6
  Not Before: Jun 23 09:39:53 2016 GMT
  Chains to: "Baltimore CyberTrust Root" (DigiCert) via:
   - Vodafone (Corporate Services 2009)
   - Vodafone (Corporate Domain 2009)

#4
https://crt.sh/?id=20279777&opt=cablint
  Common Name: styles.ag2rlamondiale.fr
  Serial: 11:21:79:9c:b3:3b:51:dd:43:a5:40:b5:a2:4b:81:38:b8:4a
  Not Before: May 23 12:02:20 2016 GMT
  Chains to: "Class 2 Primary CA" (DocuSign (OpenTrust/Keynectis)) via:
   - CLASS 2 KEYNECTIS CA

#5
https://crt.sh/?id=23099350&opt=cablint
  Common Name: enterprisevault.dnb.no
  Serial: 7e:c3:58:c6:d5:0a:4a:7f:c6:be:ea:19:f3:f4:98:e5:9d:cd:df:41
  Not Before: May 19 13:15:04 2016 GMT
  Chains to: "Baltimore CyberTrust Root" (DigiCert) via:
   - DnB NOR ASA PKI Class G
   - Eurida Primary CA

#6
Don't know what to make of this one. It's a CA:true SHA-1 certificate.
Not sure what the BRs/Mozilla's policies have to say about this:
https://crt.sh/?id=21888899&opt=cablint
  Common Name: ACCV-CA3
  Serial: 1246797330
  Not Before: May 23 10:00:00 2016 GMT
  Chains to: "Root CA Generalitat Valenciana" (Government of Spain)

#7
Some non-TLS-Server-Auth SHA-1 certificates chaining up to "Certum CA"
(Asseco Data Systems S.A.). Most appear to be S/MIME or TLS client auth
certificates, but I don't think the intermediates have any relevant
technical constraints. I'm not sure if they're in scope for BRs/Mozilla, but
here's the list in any case:
https://crt.sh/?id=26427662&opt=cablint
https://crt.sh/?id=32333872&opt=cablint
https://crt.sh/?id=19594797&opt=cablint
https://crt.sh/?id=24979702&opt=cablint
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
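The search above filters certificates on three fields: the signature algorithm (SHA-1), the notBefore date (on or after 2016-01-01, the Baseline Requirements date from which new SHA-1 issuance was prohibited) and, for entry #6, basicConstraints cA=TRUE. The script below is an added example, not code from this thread, from crt.sh/cablint or from any of the CAs named; it is a dependency-free DER walker that pulls exactly those fields out of a certificate and returns a triage verdict. The certificate it parses is constructed inside the script (an unsigned skeleton whose dates mirror the shape of entry #6, not the real ACCV-CA3 certificate), and the cutoff date is a parameter so it can be moved.

```python
# Added example (not from the thread): a dependency-free DER walker that pulls the
# three fields the post filters on (signature algorithm, notBefore, cA flag) out of
# a certificate and flags SHA-1 signatures issued on/after the BR cutoff.
import datetime

# Signature-algorithm OIDs that hash with SHA-1 (RFC 3279).
SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
BASIC_CONSTRAINTS_OID = "2.5.29.19"
SHA1_CUTOFF = datetime.datetime(2016, 1, 1)   # BR date from which new SHA-1 issuance was banned


def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(content):
    """Yield (tag, content) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, inner, pos = read_tlv(content, pos)
        yield tag, inner


def decode_oid(content):
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:                     # base-128 arcs, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_time(tag, content):
    text = content.decode("ascii")
    if tag == 0x17:                           # UTCTime: two-digit year, 50-99 means 19xx (RFC 5280)
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.datetime.strptime(text, "%Y%m%d%H%M%SZ")


def inspect_cert(der):
    """Extract serial, tbs.signature OID, notBefore and basicConstraints.cA from a DER cert."""
    _, cert, _ = read_tlv(der)
    tbs = list(children(next(children(cert))[1]))
    if tbs[0][0] == 0xA0:                     # explicit [0] version is absent in v1 certs
        tbs = tbs[1:]
    # tbs is now: serial, signature, issuer, validity, subject, spki, [UIDs], [3] extensions
    serial = int.from_bytes(tbs[0][1], "big", signed=True)
    sig_alg = decode_oid(next(children(tbs[1][1]))[1])
    not_before = decode_time(*next(children(tbs[3][1])))
    is_ca = False
    for tag, value in tbs[6:]:
        if tag != 0xA3:
            continue
        for _, ext in children(next(children(value))[1]):
            parts = list(children(ext))       # extnID, [critical], extnValue
            if decode_oid(parts[0][1]) == BASIC_CONSTRAINTS_OID:
                for t, v in children(next(children(parts[-1][1]))[1]):
                    if t == 0x01:             # cA BOOLEAN (absent means FALSE)
                        is_ca = v != b"\x00"
    return {"serial": serial, "sig_alg": sig_alg, "not_before": not_before, "ca": is_ca}


def flag_sha1(der, cutoff=SHA1_CUTOFF):
    """Triage verdict: is the cert SHA-1 signed, and was it issued on/after the cutoff?"""
    info = inspect_cert(der)
    info["sha1"] = info["sig_alg"] in SHA1_SIG_OIDS
    info["violates_cutoff"] = info["sha1"] and info["not_before"] >= cutoff
    return info


# --- constructed input: a minimal, unsigned certificate skeleton (not a real cert) ---
def der_encode(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_encode(0x06, bytes(out))


def build_test_cert(sig_oid, not_before_utctime, ca):
    """Constructed skeleton: CN=test-ca, dummy RSA SPKI, dummy signature bits."""
    name = der_encode(0x30, der_encode(0x31, der_encode(0x30, encode_oid("2.5.4.3") + der_encode(0x0C, b"test-ca"))))
    alg = der_encode(0x30, encode_oid(sig_oid) + b"\x05\x00")
    validity = der_encode(0x30, der_encode(0x17, not_before_utctime) + der_encode(0x17, b"270101000000Z"))
    spki = der_encode(0x30, der_encode(0x30, encode_oid("1.2.840.113549.1.1.1") + b"\x05\x00") + der_encode(0x03, b"\x00\x00"))
    bc = der_encode(0x30, der_encode(0x01, b"\xff") if ca else b"")
    ext = der_encode(0x30, encode_oid(BASIC_CONSTRAINTS_OID) + der_encode(0x01, b"\xff") + der_encode(0x04, bc))
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01\x23")
                     + alg + name + validity + name + spki + der_encode(0xA3, der_encode(0x30, ext)))
    return der_encode(0x30, tbs + alg + der_encode(0x03, b"\x00\x00\x00\x00"))   # dummy signature
```

To run it against the entries above, download each certificate from crt.sh (the `?d=<id>` endpoint returns PEM), strip the armor lines, base64-decode, and pass the bytes to `flag_sha1`. Two caveats: the script reads the inner `tbs.signature` algorithm, which RFC 5280 requires to match the outer `signatureAlgorithm`, and it does not build or validate a chain, so "chains to a Mozilla-trusted root" still has to be established separately (crt.sh and Censys do that part for you).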
