> On Aug 10, 2017, at 07:55, Fiedler, Arno via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> Hello Jonathan,
>
> the certificate has 64 bits of entropy in the "DNqualifier" field instead of the serial number field.
>
> Since 2012 we used this way of adding random bits to certificates to mitigate preimage attacks.
> From a security perspective the amount of entropy in the certificate should be reasonable.
>
> Do you see a security need for revoking the certificate?
1) The dnQualifier appears to have a 33-bit number, not a 64-bit number.

2) One of the SAN dnsNames is "www.lbv-gis.brandenburg.de/lbvagszit", which is clearly invalid.

3) The Baseline Requirements are extremely clear about this:

> The CA SHALL revoke a Certificate within 24 hours if one or more of the following occurs:
> […]
> 9. The CA is made aware that the Certificate was not issued in accordance with these Requirements or the CA’s Certificate Policy or Certification Practice Statement;

So yes, I believe this certificate needs to be revoked immediately. It should have been revoked within 24 hours of learning about it. I believe July 20th was the latest date that you could have learned about it, when Gerv sent a notification to you.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
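As an added illustration of the check behind point 1 above (example code, not from either poster): decode a certificate serialNumber as a DER INTEGER, enforce the RFC 5280 encoding rules, and bound how many random bits a serialNumber or a dnQualifier could possibly carry against the 64-bit floor the Baseline Requirements set for serial numbers. All sample values are constructed, and the dnQualifier is assumed to hold a decimal integer string.

```python
"""Upper-bound the randomness a certificate field can carry.

A single value cannot prove entropy, but it can disprove it: a field
whose value only needs 33 bits cannot hold 64 bits of CSPRNG output.
"""

BR_MIN_SERIAL_BITS = 64  # BR 7.1: serials carry >= 64 bits of CSPRNG output


def der_integer_value(der: bytes) -> int:
    """Decode one DER INTEGER TLV, applying RFC 5280 4.1.2.2 serial rules."""
    if len(der) < 2 or der[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    length = der[1]
    if length >= 0x80:
        # Serials are at most 20 octets, so long-form lengths never occur.
        raise ValueError("unexpected long-form length")
    body = der[2:2 + length]
    if length == 0 or len(body) != length:
        raise ValueError("truncated INTEGER")
    if length > 20:
        raise ValueError("serialNumber longer than 20 octets")
    if body[0] & 0x80:
        raise ValueError("negative serialNumber is not permitted")
    # A leading 0x00 is only legal when needed to keep the sign bit clear.
    if length > 1 and body[0] == 0x00 and not (body[1] & 0x80):
        raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(body, "big")


def max_random_bits(value) -> int:
    """Most random bits 'value' could have come from (an upper bound).

    int -> its bit length; str -> bit length of the decimal it encodes
    (assumption: the dnQualifier is a decimal integer string)."""
    if isinstance(value, str):
        value = int(value.strip())
    return value.bit_length()


def meets_br_floor(value) -> bool:
    """True if the field is at least wide enough to hold 64 random bits."""
    return max_random_bits(value) >= BR_MIN_SERIAL_BITS


# Constructed samples, not values from the certificate under discussion.
SERIAL_64BIT = bytes.fromhex("0209" "00" "d3a1f07c5b9e2411")  # padded, positive
SERIAL_SMALL = bytes.fromhex("0204" "01020304")              # only 25 bits wide
DNQUALIFIER_SMALL = "5000000000"                             # a 33-bit number
```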