My apologies, it was pointed out to me off list that two of these are pre-certs for other certs in that batch.

Alex

On Thu, Aug 10, 2017 at 12:19 PM, Alex Gaynor <agay...@mozilla.com> wrote:
> Hi IdenTrust,
>
> When you say that the remaining two are pre-certificates, are you
> asserting that no corresponding certificate was ever issued? Or merely that
> we can't prove one was based on what's in the existing CT logs?
>
> Alex
>
> On Thu, Aug 10, 2017 at 11:55 AM, identrust--- via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>
>> On Thursday, August 10, 2017 at 12:23:55 AM UTC-4, Lee wrote:
>> > What's it going to take for mozilla to set up near real-time
>> > monitoring/auditing of certs showing up in ct logs?
>> >
>> > Lee
>> >
>> > On 8/9/17, Alex Gaynor via dev-security-policy
>> > <dev-security-policy@lists.mozilla.org> wrote:
>> > > (Whoops, accidentally CC'd to m.d.s originally! Original mail
>> > > was to IdenTrust)
>> > >
>> > > Hi,
>> > >
>> > > The following certificates appear to be misissued:
>> > >
>> > > https://crt.sh/?id=77893170&opt=cablint
>> > > https://crt.sh/?id=77947625&opt=cablint
>> > > https://crt.sh/?id=78102129&opt=cablint
>> > > https://crt.sh/?id=92235995&opt=cablint
>> > > https://crt.sh/?id=92235998&opt=cablint
>> > >
>> > > All of these certificates have a pathLenConstraint value with CA:FALSE,
>> > > this violates 4.2.1.9 of RFC 5280: CAs MUST NOT include the
>> > > pathLenConstraint field unless the cA boolean is asserted and the key
>> > > usage extension asserts the keyCertSign bit.
>> > >
>> > > Alex
>> > >
>> > > --
>> > > "I disapprove of what you say, but I will defend to the death your
>> > > right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
>> > > "The people's good is the highest law." -- Cicero
>> > > GPG Key fingerprint: D1B3 ADC0 E023 8CA6
>> > >
>> > > _______________________________________________
>> > > dev-security-policy mailing list
>> > > dev-security-policy@lists.mozilla.org
>> > > https://lists.mozilla.org/listinfo/dev-security-policy
>> > >
>>
>> We are aware of this situation and had previously introduced logic into our
>> certificate authority that a pathLengthConstraint will never be set for a
>> certificate other than a CA. We have confirmed that only the stated
>> five (5) certificates contain the issue. Three (3) of these are real
>> certificates; however, one has expired. We have revoked the other two
>> certificates. The remaining two (2) are pre-certificates.
>>
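The RFC 5280 4.2.1.9 condition the quoted report relies on (pathLenConstraint is only permitted when cA is TRUE and the key usage extension asserts keyCertSign) can be checked directly on the DER values of the BasicConstraints and KeyUsage extensions. The following is an added example, not code from anyone in this thread, from IdenTrust, or from cablint/crt.sh: a small pure-Python decoder for those two extension values plus the lint check. The byte strings are constructed sample encodings (one misissued end-entity shape, one compliant CA shape), not taken from the certificates listed above; a real deployment would obtain the extension values from a parsed certificate, which is assumed here rather than shown.

```python
"""Lint check for RFC 5280 section 4.2.1.9: pathLenConstraint may appear only
when cA is TRUE and keyUsage asserts keyCertSign.

Added example with a minimal DER decoder; sample byte strings are constructed."""
from typing import List, Optional, Set, Tuple

KEY_CERT_SIGN = 5  # bit index of keyCertSign in the KeyUsage BIT STRING


def _read_tlv(data: bytes, offset: int = 0) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at offset.

    Returns (tag, value, offset_after_value). Handles short- and long-form
    lengths, which is all an X.509 extension value needs."""
    tag = data[offset]
    length = data[offset + 1]
    pos = offset + 2
    if length & 0x80:                       # long form: next N bytes hold length
        num = length & 0x7F
        length = int.from_bytes(data[pos:pos + num], "big")
        pos += num
    return tag, data[pos:pos + length], pos + length


def parse_basic_constraints(der: bytes) -> Tuple[bool, Optional[int]]:
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
                                       pathLenConstraint INTEGER OPTIONAL }
    Returns (cA, pathLenConstraint-or-None). In DER a FALSE cA is omitted, but
    an explicitly encoded FALSE (BER) is accepted too, since that is exactly the
    shape a linter must still flag."""
    tag, body, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("BasicConstraints must be a SEQUENCE")
    ca, path_len, pos = False, None, 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t == 0x01:                        # BOOLEAN
            ca = v != b"\x00"
        elif t == 0x02:                      # INTEGER
            path_len = int.from_bytes(v, "big", signed=True)
        else:
            raise ValueError(f"unexpected tag {t:#x} in BasicConstraints")
    return ca, path_len


def parse_key_usage(der: bytes) -> Set[int]:
    """KeyUsage ::= BIT STRING. Returns the set of asserted bit indices
    (digitalSignature=0 ... keyCertSign=5, cRLSign=6, ...)."""
    tag, body, _ = _read_tlv(der)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused, bits = body[0], body[1:]
    total = len(bits) * 8 - unused           # trailing unused bits are padding
    return {i for i in range(total) if bits[i // 8] & (0x80 >> (i % 8))}


def check_path_len(basic_constraints_der: bytes,
                   key_usage_der: Optional[bytes]) -> List[str]:
    """Return lint findings for RFC 5280 4.2.1.9; an empty list is compliant."""
    ca, path_len = parse_basic_constraints(basic_constraints_der)
    findings: List[str] = []
    if path_len is None:                     # no pathLenConstraint: nothing to check
        return findings
    if not ca:
        findings.append("pathLenConstraint present but cA is FALSE")
    usage = parse_key_usage(key_usage_der) if key_usage_der else set()
    if KEY_CERT_SIGN not in usage:
        findings.append("pathLenConstraint present but keyUsage lacks keyCertSign")
    return findings


# Constructed sample encodings (not from the certificates in the thread):
MISISSUED_BC = bytes.fromhex("3003020100")        # cA omitted (FALSE), pathLen 0
MISISSUED_KU = bytes.fromhex("030205a0")          # digitalSignature, keyEncipherment
COMPLIANT_CA_BC = bytes.fromhex("300601 01ff 020100".replace(" ", ""))  # cA TRUE, pathLen 0
COMPLIANT_CA_KU = bytes.fromhex("03020106")       # keyCertSign, cRLSign
END_ENTITY_BC = bytes.fromhex("3000")             # empty SEQUENCE: cA FALSE, no pathLen

if __name__ == "__main__":
    for name, bc, ku in (("misissued", MISISSUED_BC, MISISSUED_KU),
                         ("compliant CA", COMPLIANT_CA_BC, COMPLIANT_CA_KU),
                         ("end entity", END_ENTITY_BC, MISISSUED_KU)):
        print(name, "->", check_path_len(bc, ku) or "OK")
```

The check is deliberately split into two findings because the RFC imposes two conditions; a certificate with cA TRUE but no keyCertSign also violates 4.2.1.9 even though it would not show up as "CA:FALSE" in a crt.sh listing.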