On Thursday, August 10, 2017 at 12:23:55 AM UTC-4, Lee wrote:
> What's it going to take for mozilla to set up near real-time
> monitoring/auditing of certs showing up in ct logs?
> 
> Lee
> 
> On 8/9/17, Alex Gaynor via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
> > (Whoops, accidentally originally CC'd to m.d.s originally! Original mail
> > was to IdenTrust)
> >
> > Hi,
> >
> > The following certificates appear to be misissued:
> >
> > https://crt.sh/?id=77893170&opt=cablint
> > https://crt.sh/?id=77947625&opt=cablint
> > https://crt.sh/?id=78102129&opt=cablint
> > https://crt.sh/?id=92235995&opt=cablint
> > https://crt.sh/?id=92235998&opt=cablint
> >
> > All of these certificates have a pathLenConstraint value with CA:FALSE,
> > this violates 4.2.1.9 of RFC 5280: CAs MUST NOT include the
> > pathLenConstraint field unless the cA boolean is asserted and the key usage
> > extension asserts the keyCertSign bit.
> >
> > Alex
> >
> > --
> > "I disapprove of what you say, but I will defend to the death your right to
> > say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
> > "The people's good is the highest law." -- Cicero
> > GPG Key fingerprint: D1B3 ADC0 E023 8CA6
> >
> > _______________________________________________
> > dev-security-policy mailing list
> > dev-security-policy@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-security-policy
> >
We are aware of this situation and had previously introduced logic into our
certificate authority so that a pathLengthConstraint will never be set for a
certificate other than a CA.  We have confirmed that only the stated five (5)
certificates contain the issue.  Three (3) of these are real certificates;
however, one has expired. We have revoked the other two certificates. The
remaining two (2) are pre-certificates.
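
As an added illustration (not part of the thread, and not IdenTrust's or Mozilla's code), a minimal DER-level lint in Python for the RFC 5280 section 4.2.1.9 rule Alex cites: it decodes the raw basicConstraints and keyUsage extension values and reports a pathLenConstraint that appears without cA=TRUE and the keyCertSign bit. The sample extension values are constructed for the example, not taken from the listed certificates.

```python
# Added example, not part of the thread: a minimal DER-level lint for the RFC
# 5280 section 4.2.1.9 rule the report cites. It decodes the raw value of
# basicConstraints (SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint
# INTEGER OPTIONAL }) and keyUsage (BIT STRING); samples are constructed.

KEY_CERT_SIGN_BIT = 5  # keyUsage bit index, RFC 5280 section 4.2.1.3

def _read_tlv(buf, pos):
    """Read one short-form DER TLV at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not expected in these extensions")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def parse_basic_constraints(der):
    """Return (ca, path_len) from a basicConstraints extension value."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("basicConstraints must be a SEQUENCE")
    ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == 0x01:      # cA BOOLEAN (DEFAULT FALSE)
        _, val, pos = _read_tlv(body, pos)
        ca = val != b"\x00"
    if pos < len(body) and body[pos] == 0x02:      # pathLenConstraint INTEGER
        _, val, pos = _read_tlv(body, pos)
        path_len = int.from_bytes(val, "big", signed=True)
    return ca, path_len

def key_cert_sign_asserted(der):
    """True if the keyUsage BIT STRING has keyCertSign (bit 5) set."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x03 or len(body) < 2:
        return False                 # absent/malformed: not asserted
    byte, bit = divmod(KEY_CERT_SIGN_BIT, 8)
    return bool(body[1 + byte] & (0x80 >> bit))   # body[0] = unused-bit count

def lint_path_len(basic_constraints, key_usage=None):
    """Return RFC 5280 4.2.1.9 findings; an empty list means compliant."""
    ca, path_len = parse_basic_constraints(basic_constraints)
    findings = []
    if path_len is not None:
        if not ca:
            findings.append("pathLenConstraint present but cA is FALSE")
        if key_usage is None or not key_cert_sign_asserted(key_usage):
            findings.append("pathLenConstraint present without keyCertSign")
    return findings

# Constructed samples: a proper CA, and an end-entity shaped like the report.
CA_BC, CA_KU = bytes.fromhex("300601 01ff 020100"), bytes.fromhex("03020106")
EE_BC, EE_KU = bytes.fromhex("3003020100"), bytes.fromhex("030205a0")
```

Running `lint_path_len(EE_BC, EE_KU)` on the constructed end-entity sample returns both findings, which is the shape of the misissuance reported above; a cabli​nt-style check would do the same on the full certificate.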
 