Hi IdenTrust, When you say that the remaining two are pre-certificates, are you asserting that no corresponding certificate was ever issued? Or merely that we can't prove one was based on what's in the existing CT logs?
Alex On Thu, Aug 10, 2017 at 11:55 AM, identrust--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Thursday, August 10, 2017 at 12:23:55 AM UTC-4, Lee wrote: > > What's it going to take for mozilla to set up near real-time > > monitoring/auditing of certs showing up in ct logs? > > > > Lee > > > > On 8/9/17, Alex Gaynor via dev-security-policy > > <dev-security-policy@lists.mozilla.org> wrote: > > > (Whoops, accidentally originally CC'd to m.d.s originally! Original > mail > > > was to IdenTrust) > > > > > > Hi, > > > > > > The following certificates appear to be misissued: > > > > > > https://crt.sh/?id=77893170&opt=cablint > > > https://crt.sh/?id=77947625&opt=cablint > > > https://crt.sh/?id=78102129&opt=cablint > > > https://crt.sh/?id=92235995&opt=cablint > > > https://crt.sh/?id=92235998&opt=cablint > > > > > > All of these certificates have a pathLenConstraint value with CA:FALSE, > > > this violates 4.2.1.9 of RFC 5280: CAs MUST NOT include the > > > pathLenConstraint field unless the cA boolean is asserted and the key > usage > > > extension asserts the keyCertSign bit. > > > > > > Alex > > > > > > -- > > > "I disapprove of what you say, but I will defend to the death your > right to > > > say it." -- Evelyn Beatrice Hall (summarizing Voltaire) > > > "The people's good is the highest law." -- Cicero > > > GPG Key fingerprint: D1B3 ADC0 E023 8CA6 > > > > > > > > > > > > > > > -- > > > "I disapprove of what you say, but I will defend to the death your > right to > > > say it." -- Evelyn Beatrice Hall (summarizing Voltaire) > > > "The people's good is the highest law." -- Cicero > > > GPG Key fingerprint: D1B3 ADC0 E023 8CA6 > > > _______________________________________________ > > > dev-security-policy mailing list > > > dev-security-policy@lists.mozilla.org > > > https://lists.mozilla.org/listinfo/dev-security-policy > > > > We aware of this situation and had previously introduced logic into our > certificate authority that a pathLengthConstraint will never be set for a > certificate other than a CA. We have confirmed that only the stated > five (5) > certificates contain the issue. Three (3) of these are real certificates; > however, one has expired. We have revoked the other two certificates. The > remaining two (2) are pre-certificates. > > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
