This CA only issues client certificates:

 

DN: CN=Cartão de Cidadão 001, OU=ECEstado, O=SCEE - Sistema de Certificação 
Electrónica do Estado, C=PT

 

 

Ben Wilson, JD, CISA, CISSP

VP Compliance

+1 801 701 9678



 

From: Paul Kehrer [mailto:paul.l.keh...@gmail.com] 
Sent: Tuesday, August 29, 2017 6:48 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Violations of Baseline Requirements 4.9.10

 

I've recently completed a scan of OCSP responders with a focus on checking 
whether they are compliant with BR section 4.9.10's requirement: "Effective 1 
August 2013, OCSP responders for CAs which are not Technically Constrained in 
line with Section 7.1.5 MUST NOT respond with a "GOOD" status for such 
certificates." This rule was put in place in the wake of the DigiNotar incident 
as an additional method of ensuring the CA is aware of all issuances in its 
infrastructure and has been a requirement for over 4 years now.

 

The scan was performed by taking the list of responders (and valid issuer name 
hash/issuer key hashes) that Andrew Ayer has aggregated and making an OCSP 
request for the serial number "0xdeadbeefdeadbeefdeadbeefdeadbeef". This serial 
is extremely unlikely to have been issued legitimately.

 

The following OCSP responders appear to be non-compliant with the BRs (they 
respond GOOD and are not listed as technically constrained by crt.sh) but are 
embedded in certificates issued in paths that chain up to trusted roots in the 
Mozilla store. I have grouped them by owner where possible and put notes about 
whether they've been contacted:

 

AS Sertifitseerimiskeskuse (SK)

 

CCADB does not list an email address. Not CC'd.

 

DN: C=EE, O=AS Sertifitseerimiskeskus, CN=EE Certification Centre Root CA, 
emailAddress=p...@sk.ee

Example cert: 
https://crt.sh/?q=74d992d3910bcf7e34b8b5cd28f91eaeb4f41f3da6394d78b8c43672d43f4f0f

OCSP URI: http://ocsp.sk.ee/CA

 

Autoridad de Certificacion Firmaprofesional

 

Email sent to i...@firmaprofesional.com

 

DN: C=ES, CN=Autoridad de Certificacion Firmaprofesional CIF A62634068

Example cert: 
https://crt.sh/?q=cd74198d4c23e4701dea579892321b9e4f47a08bd8374710b899aad1495a4b35

OCSP URI: http://ocsp.firmaprofesional.com

 

DN: C=ES, emailAddress=c...@firmaprofesional.com, L=C/ Muntaner 244 Barcelona, OU=Consulte 
http://www.firmaprofesional.com, OU=Jerarquia de Certificacion 
Firmaprofesional, O=Firmaprofesional S.A. NIF A-62634068, CN=AC 
Firmaprofesional - CA1

Example cert: 
https://crt.sh/?q=649d5190f9fff58de60313c2f0598393f9dba05368b1dbfe93ec806015fb8796

OCSP URI: http://ocsp.firmaprofesional.com

 

DN: C=ES, O=Firmaprofesional SA, OU=Certificados Digitales para la 
Administracion Publica, serialNumber=A62634068, CN=AC Firmaprofesional - AAPP

Example cert: 
https://crt.sh/?q=d4ef928ee32c3838d40e5756b523829b1dafcd46fd84428ba03d59330a4ae5e7

OCSP URI: http://ocsp.firmaprofesional.com

 

CA Disig a.s.

 

Email sent to tspnot...@disig.sk

 

DN: C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig R1I1 Certification Service

Example cert: 
https://crt.sh/?q=da74b18f3651bf90a8b2c07f8df294de19e441dcaa6913627261752199c302a2

OCSP URI: http://subcar1i1-ocsp.disig.sk/ocsp/subcar1i1

 

DN: C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig R2I2 Certification Service

Example cert: 
https://crt.sh/?q=1a088e912ddb15a3b52ab1396af2a1ce0dcfab170e007e551f63231c76975417

OCSP URI: http://subcar2i2-ocsp.disig.sk/ocsp/subcar2i2

 

DN: C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig Root R1

Example cert: 
https://crt.sh/?q=e1abb0faeaa7312f2c3e041cbd2df03a507e346b9716442463ed61106aff6947

OCSP URI: http://rootcar1-ocsp.disig.sk/ocsp/rootcar1

 

DN: C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig Root R2

Example cert: 
https://crt.sh/?q=239ffa86d71033ba255914782057d87e8421aedd5910b786928b6a1248c3e341

OCSP URI: http://rootcar2-ocsp.disig.sk/ocsp/rootcar2

 

certSIGN

 

Email sent to off...@certsign.ro

 

DN: C=RO, O=certSIGN, OU=certSIGN Enterprise CA Class 3 G2, CN=certSIGN 
Enterprise CA Class 3 G2

Example cert: 
https://crt.sh/?q=98ab1983ae9f6a6116e5010e3ab2b1b0bf266fa205a140b1bc1d340ff4ff6355

OCSP URI: http://ocsp.certsign.ro

 

DN: C=RO, O=certSIGN, OU=certSIGN ROOT CA

Example cert: 
https://crt.sh/?q=3003bf8853427c7b91023f7539853d987c58dc4e11bbe047d2a9305c01a6152c

OCSP URI: http://ocsp.certsign.ro

 

Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert)

 

CCADB does not list an email address. Not CC'd.

 

DN: C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), L=Passatge de 
la Concepcio 11 08008 Barcelona, OU=Serveis Publics de Certificacio ECV-2, 
OU=Vegeu https://www.catcert.net/verCIC-2  (c)03, OU=Administracions Locals de 
Catalunya, CN=EC-AL

Example cert: 
https://crt.sh/?q=88f6298c5a8cc66cefb8ea214a528c3efce36a26213fe4fd260613967d39e7d4

OCSP URI: http://ocsp.catcert.net

 

DN: C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), L=Passatge de 
la Concepcio 11 08008 Barcelona, OU=Serveis Publics de Certificacio ECV-2, 
OU=Vegeu https://www.catcert.net/verCIC-2  (c)03, OU=Administracions Locals de 
Catalunya, CN=EC-AL

Example cert: 
https://crt.sh/?q=1869a83f83b8f034336ab09fe52563c00c80c4b45897b3ea15e658fd14306208

OCSP URI: http://ocsp.catcert.net

 

DN: C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), L=Passatge de 
la Concepcio 11 08008 Barcelona, OU=Serveis Publics de Certificacio ECV-2, 
OU=Vegeu https://www.catcert.net/verCIC-2   (c)03, OU=Secretaria 
d'Administracio i Funcio Publica, CN=EC-SAFP

Example cert: 
https://crt.sh/?q=15d3c7463f477e2627c4c9a158e429abd6bfe63101d6745560a36d1c03363d30

OCSP URI: http://ocsp.catcert.net

 

DN: C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), L=Passatge de 
la Concepcio 11 08008 Barcelona, OU=Serveis Publics de Certificacio ECV-2, 
OU=Vegeu https://www.catcert.net/verCIC-2 (c)03, OU=Universitats i Recerca, 
CN=EC-UR

Example cert: 
https://crt.sh/?q=7432b4c29e1360668814ec282ad78208cd521e62b8d8d60d5084fdf8daad57cb

OCSP URI: http://ocsp.catcert.net

 

DN: C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), L=Passatge de 
la Concepcio 11 08008 Barcelona, OU=Serveis Publics de Certificacio ECV-2, 
OU=Vegeu https://www.catcert.net/verCIC-2 (c)03, OU=Universitats i Recerca, 
CN=EC-UR

Example cert: 
https://crt.sh/?q=3148d57a495fd7bdf4653dfdd3d3c9d186547df42e296c4e1b6a7c679179d03f

OCSP URI: http://ocsp.catcert.net

 

DN: C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), L=Passatge de 
la Concepcio 11 08008 Barcelona, OU=Serveis Publics de Certificacio, OU=Vegeu 
https://www.catcert.net/verCIC-3 (c)05, OU=Universitat Rovira i Virgili, 
CN=EC-URV

Example cert: 
https://crt.sh/?q=caa2a1fe7756bd5e227add40c5e06808dc0a79f1e8c93e4bf982df4893b284e4

OCSP URI: http://ocsp.catcert.net

 

DN: C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), OU=Serveis 
Publics de Certificacio, OU=Vegeu https://www.catcert.net/verarrel (c)03, 
OU=Jerarquia Entitats de Certificacio Catalanes, CN=EC-ACC

Example cert: 
https://crt.sh/?q=356a5f4d994e9efa7caefc491768911d65ec25977465b610e2f29aa4472631c3

OCSP URI: http://ocsp.catcert.net

 

DN: C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), OU=Serveis 
Publics de Certificacio, OU=Vegeu https://www.catcert.net/verarrel (c)03, 
OU=Jerarquia Entitats de Certificacio Catalanes, CN=EC-ACC

Example cert: 
https://crt.sh/?q=20d082b1f53252e33cee5991be8650b414f11f3af16a14295c2fee0c9ab558c2

OCSP URI: http://ocsp.catcert.net

 

DigiCert:

 

Email sent to rev...@digicert.com

 

DN: C=CH, L=Zurich, O=ABB, CN=ABB Issuing CA 6

Example cert: https://crt.sh/?id=16963460

OCSP URI: http://aia.pki.abb.com/ocsp

 

DN: CN=Cartão de Cidadão 001, OU=ECEstado, O=SCEE - Sistema de Certificação 
Electrónica do Estado, C=PT

Example cert: https://crt.sh/?id=12729446

OCSP URI: http://ocsp.root.cartaodecidadao.pt/publico/ocsp

 

DN: C=PT, O=MULTICERT - Serviços de Certificação Electrónica S.A., 
OU=Accredited Certification Authority, CN=MULTICERT Certification Authority 002

Example cert: https://crt.sh/?id=117934576

OCSP URI: http://ocsp.multicert.com/ocsp

OCSP URI: http://ocsp.multicert.com/procsp

 

DN: C=PT, O=MULTICERT - Serviços de Certificação Electrónica S.A., OU=Entidade 
de Certificação Credenciada, CN=MULTICERT - Entidade de Certificação 001

Example cert: https://crt.sh/?id=11653177

OCSP URI: http://ocsp.multicert.com/ocsp

 

DN: DC=com, DC=sanpaoloimi, DC=corp, CN=Intesa Sanpaolo CA Servizi Esterni

Example cert: https://crt.sh/?id=10915119

OCSP URI: http://ocsp.intesasanpaolo.com

 

DN: DC=com, DC=sanpaoloimi, DC=corp, CN=Intesa Sanpaolo CA Servizi Esterni 
Enhanced

Example cert: https://crt.sh/?id=119601976

OCSP URI: http://ocsp.intesasanpaolo.com

 

DigiCert/Government of Portugal, Sistema de Certificação Electrónica do Estado 
(SCEE) / Electronic Certification System of the State:

 

DN: C=PT, O=SCEE, CN=ECRaizEstado

Example cert: https://crt.sh/?id=8322256

OCSP URI: http://ocsp.ecee.gov.pt

 

DigiCert/Wells Fargo Bank, N.A.:

 

DN: Wells Fargo WellsSecure, OU=Wells Fargo Bank NA, CN=WellsSecure Public Root 
Certification Authority 01 G2

Example cert: https://crt.sh/?id=2029493

OCSP URI: http://validator.wellsfargo.com/

 

DocuSign (OpenTrust/Keynectis)

 

CCADB does not list an email address. Not CC'd.

 

DN: C=FR, O=OpenTrust, OU=0002 478217318, CN=OpenTrust CA for AATL G1

Example cert: 
https://crt.sh/?q=8e409aaa332930d32acbab3b514c3e116b1b4d8cc6cf3dfc016a05f9c266f597

OCSP URI: http://get-ocsp.certificat.com/opentrustcaforaatlg1

 

Government of The Netherlands, PKIoverheid (Logius)

 

Email sent to supp...@quovadisglobal.com

 

DN: C=NL, O=KPN Corporate Market BV, CN=KPN Corporate Market CSP Organisatie CA 
- G2

Example cert: 
https://crt.sh/?q=f821a600af00d2fa23f569e00fdf2379bc182920205a6b9b0276733cb2857c15

OCSP URI: http://ocsp2.managedpki.com

 

IdenTrust

 

CCADB does not list an email address. Not CC'd.

 

DN: C=US, O=Digital Signature Trust, OU=DST ACES, CN=DST ACES CA X6

Example cert: https://crt.sh/?id=136954

OCSP URI: https://publicsector.ocsp.identrust.com (note this is https as well)

 

Izenpe S.A.

 

CCADB does not list an email address. Not CC'd.

 

DN: C=ES, O=IZENPE S.A., CN=Izenpe.com

Example cert: 
https://crt.sh?q=b08c196a2ed1e84f9892db1b61219ceb642882478f39b08719603d0735fa03d1

OCSP URI: http://ocsp.izenpe.com

OCSP URI: http://ocsp.izenpe.com:8094

 

PROCERT

 

CCADB does not list an email address. Not CC'd. However, this is already under 
discussion (among other issues) in 
https://bugzilla.mozilla.org/show_bug.cgi?id=1391058

 

 

DN: emailAddress=conta...@procert.net.ve, 
L=Chacao, ST=Miranda, OU=Proveedor de Certificados PROCERT, O=Sistema Nacional 
de Certificacion Electronica, C=VE, CN=PSCProcert

Example cert: https://crt.sh/?id=109516168

OCSP URI: http://ura.procert.net.ve/ocsp

 

SECOM Trust Systems Co. Ltd.

 

Email sent to ca-supp...@ml.secom-sts.co.jp

 

DN: C=JP, L=Academe, O=National Institute of Informatics, CN=NII Open Domain CA 
- G4

Example cert: 
https://crt.sh/?q=fc1c83a714148a269d787b4cd306b8f19165f1829b1b280c40315f03f85a9964

OCSP URI: http://niig4.ocsp.secomtrust.net

 

DN: C=JP, O=CrossTrust, CN=CrossTrust DV CA3

Example cert: 
https://crt.sh/?q=525ae2e9fc4901507d30f7f381af765a81bd7276353651594be323205f5c93ef

OCSP URI: http://dvca3.ocsp.crosstrust.net

 

DN: C=JP, O=CrossTrust, CN=CrossTrust OV CA3

Example cert: 
https://crt.sh/?q=1857ba98deb0a30c2f6e5f064381420bae0a3bd1df2b6652a525a66b7030d505

OCSP URI: http://ovca3.ocsp.crosstrust.net

 

DN: C=JP, O="FreeBit Co.,Ltd.", CN=YourNet SSL for business2

Example cert: 
https://crt.sh/?q=70a530cc67a67a1d1b010aad8370609f407d2d91987b59e5f71e51921f58a346

OCSP URI: http://freebitov2.ocsp.secomtrust.net

 

DN: C=JP, O="FreeBit Co.,Ltd.", CN=YourNet SSL for domain2 

Example cert: 
https://crt.sh/?q=731421bd0429723c8bb562ea469dba90095e790ed8c22482b32cbcd26f7c4235

OCSP URI: http://freebitdv2.ocsp.secomtrust.net

 

DN: C=JP, O=FUJIFILM, CN=FUJIFILM Fnet CA - S

Example cert: 
https://crt.sh/?q=3e1b4f7a037a7c8d830329b02f91a37405bb369639bebeb777b2b150204b995b

OCSP URI: http://fnetcas.ocsp.secomtrust.net

 

DN: C=JP, O=Fuji Xerox, CN=Fuji Xerox Xnet CA - S

Example cert: 
https://crt.sh/?q=78606d4c88f75e783d39139d664889a4910d7146ae3b1da7b24c81f3df909b39

OCSP URI: http://xnetcas.ocsp.secomtrust.net

 

DN: C=JP, O=INTEC INC., CN=EINS/PKI Public Certification Authority V2

Example cert: 
https://crt.sh/?q=90f07f5ae79e83cf8c75f946df031a165fa2553f3a3d04ae62368f81773a717f

OCSP URI: http://intec.ocsp.secomtrust.net

 

DN: C=JP, O=INTEC INC., CN=EINS/PKI Public Certification Authority V3

Example cert: 
https://crt.sh/?q=ad72b76954165daf1b9021c1fb2b9b648e978dc9862a525a88274ec1b7e9f61f

OCSP URI: http://intec2.ocsp.secomtrust.net

 

DN: C=JP, O="Japan Registry Services Co., Ltd.", CN=JPRS Domain Validation 
Authority - G1

Example cert: 
https://crt.sh/?q=22a04b51e2be5e12726357431ee2568d707515c1f3f094123a391acb540acebb

OCSP URI: http://dv.ocsp.pubcert.jprs.jp

 

DN: C=JP, O="Japan Registry Services Co., Ltd.", CN=JPRS Organization 
Validation Authority - G1

Example cert: 
https://crt.sh/?q=30748bde0a6fc2802e638511516745141f95c08b8bdf44e69bfb96b0ff2d7ad2

OCSP URI: http://ov.ocsp.pubcert.jprs.jp

 

DN: C=JP, O=KAGOYA JAPAN Inc., CN=KAGOYA JAPAN Certification Authority

Example cert: 
https://crt.sh/?q=5d2c95d1995e2dbce6f6db38eee7fbe5782965b3e24cec3c483761a4b09cf1a2

OCSP URI: http://kagoya.ocsp.secomtrust.net

 

DN: C=JP, O=KDDI Web Communications Inc., CN=KDDI Web Communications 
Certification Authority

Example cert: 
https://crt.sh/?q=0edc6f278d94a6a0c58f39169ba369b3e0273813bdad4c43e4a525c73ff9ed66

OCSP URI: http://kddiweb.ocsp.secomtrust.net

 

DN: C=JP, O="Nijimo, Inc.", CN=FujiSSL Public Certification Authority - G1

Example cert: 
https://crt.sh/?q=460d994d73ed6b1db484dac0d525fcb3fbfdd2a0982183788c917c4b1d03d839

OCSP URI: http://nijimo.ocsp.secomtrust.net

 

DN: C=JP, O=SECOM Trust.net, OU=Security Communication RootCA1

Example cert: 
https://crt.sh/?q=c415cebfa3fc2ef3c74092b84265bad64c3fc9994c91177965667d7abee90588

OCSP URI: http://scrootca1.ocsp.secomtrust.net

 

DN: C=JP, O="SECOM Trust Systems CO.,LTD.", CN=SECOM Passport for Web EV 2.0 CA

Example cert: 
https://crt.sh/?q=9cf126826bb66aa8b40cc33ca6410e789982373342218d4fd8d6da7d71a88914

OCSP URI: http://ev2.ocsp.secomtrust.net

 

DN: C=JP, O="SECOM Trust Systems CO.,LTD.", CN=SECOM Passport for Web EV CA

Example cert: 
https://crt.sh/?q=92ad0dd7ae67012cb96b33a96d24207f883af033d587deab402c70644d98e5be

OCSP URI: http://ev.ocsp.secomtrust.net

 

DN: C=JP, O="SECOM Trust Systems CO.,LTD.", CN=SECOM Passport for Web MH CA

Example cert: 
https://crt.sh/?q=06ea91549c4c2d7aaf1b8c4b7c13ca25dc9456b2c187900b7c196a52561d08c0

OCSP URI: http://mh.ocsp.secomtrust.net

 

DN: C=JP, O="SECOM Trust Systems CO.,LTD.", CN=SECOM Passport for Web SR 3.0 CA

Example cert: 
https://crt.sh/?q=625ee6aaca95caf9d8b130bc0ce1903286e90ccf32d014b1410e0fc8ad9a34c2

OCSP URI: http://sr30.ocsp.secomtrust.net

 

DN: C=JP, O="SECOM Trust Systems CO.,LTD.", OU=Security Communication EV RootCA1

Example cert: 
https://crt.sh/?q=cbe221580a9800b7e4608d21f7d59e539a64d5c3996c722cf2cde908aa89d4ba

OCSP URI: http://evroot.ocsp.secomtrust.net

 

DN: C=JP, O="SECOM Trust Systems CO.,LTD.", OU=Security Communication RootCA2

Example cert: 
https://crt.sh/?q=7cf75f006ccff8da30d6ea2a2f7c50d0447aa2513ff4a4a37bf292470bba8c85

OCSP URI: http://scrootca2.ocsp.secomtrust.net

 

DN: C=JP, O=XiPS, CN=XiPS CA2

Example cert: 
https://crt.sh/?q=ae7a6dcb4ead3fae08aa340576595bd02261c2e002f016a83374b3a70446cd06

OCSP URI: http://xips2.ocsp.secomtrust.net

 

Symantec / GeoTrust

 

CCADB does not list an email address. Not CC'd.

 

DN: C=IT, O=UniCredit S.p.A., CN=UniCredit Subordinate External

Example cert: 
https://crt.sh/?q=049462100743d2bcb10780e7c4eb2ce1197a3f8bea7fad5ef9141f008eb1e6ca

OCSP URI: http://ocsp.unicredit.eu/ocsp

 

Visa

 

Email sent to pkipol...@visa.com

 

DN: C=US, O=VISA, OU=Visa International Service Association, CN=Visa eCommerce 
Issuing CA

Example cert: https://crt.sh/?id=53550125

OCSP URI: http://ocsp.visa.com/ocsp

 

-Paul
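The probe Paul describes (an OCSP request for the never-issued serial 0xdeadbeefdeadbeefdeadbeefdeadbeef, then checking whether the responder says GOOD), written out as an added example. This is not code from the original post, from Andrew Ayer's responder list, or from any CA's tooling. It uses only the Python standard library with hand-rolled DER so the request bytes can be inspected offline; the responder URL and the SHA-1 issuer name/key hashes passed to probe() are assumed inputs (the aggregated responder list supplies them), and sample_response() constructs an unsigned OCSPResponse so the classifier can be exercised without network access.

```python
"""Probe an OCSP responder for the BR 4.9.10 behaviour described above.

Added example, not code from the original post. Standard library only
(hand-rolled DER), so the request bytes can be inspected offline. The
responder URL and issuer hashes passed to probe() are the caller's; the
OCSPResponse built by sample_response() is constructed and unsigned.
"""
import urllib.request

SHA1_OID = bytes.fromhex("2b0e03021a")                 # 1.3.14.3.2.26
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
OCSP_BASIC_OID = bytes.fromhex("2b0601050507300101")   # id-pkix-ocsp-basic
PROBE_SERIAL = 0xDEADBEEFDEADBEEFDEADBEEFDEADBEEF       # serial used by the scan
RESPONSE_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
                   3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

# --- minimal DER encoder (definite length, low tag numbers) ----------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_seq(*items):
    return tlv(0x30, b"".join(items))

def der_int(value):
    # "+ 8" reserves a leading 0x00 whenever the top bit is set; without it
    # 0xDE... would encode as a negative INTEGER and be rejected or misread.
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def cert_id(issuer_name_hash, issuer_key_hash, serial):
    # CertID with SHA-1 hashes of the issuer Name DER and of the issuer's
    # subjectPublicKey bits, the values aggregated in the responder list.
    return der_seq(der_seq(tlv(0x06, SHA1_OID), tlv(0x05, b"")),
                   tlv(0x04, issuer_name_hash), tlv(0x04, issuer_key_hash),
                   der_int(serial))

def build_ocsp_request(issuer_name_hash, issuer_key_hash, serial=PROBE_SERIAL):
    # OCSPRequest > TBSRequest > requestList > Request > CertID. version v1 is
    # DEFAULT and omitted; no nonce and no requestor signature.
    return der_seq(der_seq(der_seq(der_seq(
        cert_id(issuer_name_hash, issuer_key_hash, serial)))))

# --- minimal DER reader and response classifier ----------------------------
def der_read(buf, pos=0):
    """Return (tag, body, position after this TLV)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def classify_response(resp):
    """certStatus of the first SingleResponse, or the responseStatus name."""
    _, outer, _ = der_read(resp)                    # OCSPResponse
    _, status, p = der_read(outer)                  # responseStatus ENUMERATED
    if status[0] != 0:
        return RESPONSE_STATUS.get(status[0], "status %d" % status[0])
    _, rb, _ = der_read(outer, p)                   # [0] EXPLICIT ResponseBytes
    _, rb_seq, _ = der_read(rb)
    _, _, p = der_read(rb_seq)                      # responseType OID
    _, octets, _ = der_read(rb_seq, p)              # response OCTET STRING
    _, basic, _ = der_read(octets)                  # BasicOCSPResponse
    _, tbs, _ = der_read(basic)                     # tbsResponseData
    tag, _, p = der_read(tbs)                       # [0] version or responderID
    if tag == 0xA0:
        _, _, p = der_read(tbs, p)                  # responderID
    _, _, p = der_read(tbs, p)                      # producedAt
    _, responses, _ = der_read(tbs, p)              # SEQUENCE OF SingleResponse
    _, single, _ = der_read(responses)
    _, _, p = der_read(single)                      # certID
    tag, _, _ = der_read(single, p)                 # certStatus, IMPLICIT tags
    return {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}.get(tag, "tag 0x%02x" % tag)

def br_4_9_10_verdict(cert_status):
    # The scan's test: GOOD for a serial that was never issued is the violation;
    # revoked, unknown and unauthorized are all acceptable answers.
    return "VIOLATION: GOOD for unissued serial" if cert_status == "good" else "ok: " + cert_status

def probe(responder_url, issuer_name_hash, issuer_key_hash):
    """Live check (needs network): POST the request and classify the answer."""
    req = urllib.request.Request(responder_url, data=build_ocsp_request(
        issuer_name_hash, issuer_key_hash), headers={
        "Content-Type": "application/ocsp-request", "Accept": "application/ocsp-response"})
    with urllib.request.urlopen(req, timeout=10) as r:
        return br_4_9_10_verdict(classify_response(r.read()))

def sample_response(cert_status_tag, serial=PROBE_SERIAL):
    """Constructed, UNSIGNED OCSPResponse (empty signature) for offline use."""
    when = tlv(0x18, b"20170829064800Z")            # GeneralizedTime
    status = tlv(cert_status_tag, when if cert_status_tag == 0xA1 else b"")
    single = der_seq(cert_id(b"\x11" * 20, b"\x22" * 20, serial), status, when)
    tbs = der_seq(tlv(0xA2, tlv(0x04, b"\x22" * 20)), when, der_seq(single))
    basic = der_seq(tbs, der_seq(tlv(0x06, SHA256_RSA_OID), tlv(0x05, b"")), tlv(0x03, b"\x00"))
    return der_seq(tlv(0x0A, b"\x00"), tlv(0xA0, der_seq(tlv(0x06, OCSP_BASIC_OID), tlv(0x04, basic))))
```

Two things to keep in mind when using this for a real scan. The classifier reads certStatus without verifying the response signature, so before reporting a responder you would confirm the answer was signed by the CA or by a responder certificate it delegated to; and "unauthorized" or "unknown" for the probe serial is a compliant answer, only GOOD is the violation the post is about.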


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
