Hi Ben, I'm not sure it should matter that a CA _does_ only issue client certs -- in the DigiNotar-style situation for which this rule was envisioned, the relevant thing is whether the cert is _capable_ of issuing server certs.
Alex On Tue, Aug 29, 2017 at 12:43 PM, Ben Wilson via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > This CA only issues client certificates: > > > > DN: CN=Cartão de Cidadão 001, OU=ECEstado, O=SCEE - Sistema de > Certificação Electrónica do Estado, C=PT > > > > > > Ben Wilson, JD, CISA, CISSP > > VP Compliance > > +1 801 701 9678 > > > > > > From: Paul Kehrer [mailto:paul.l.keh...@gmail.com] > Sent: Tuesday, August 29, 2017 6:48 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Violations of Baseline Requirements 4.9.10 > > > > I've recently completed a scan of OCSP responders with a focus on checking > whether they are compliant with BR section 4.9.10's requirement: "Effective > 1 August 2013, OCSP responders for CAs which are not Technically > Constrained in line with Section 7.1.5 MUST NOT respond with a "GOOD" > status for such certificates." This rule was put in place in the wake of > the DigiNotar incident as an additional method of ensuring the CA is aware > of all issuances in its infrastructure and has been a requirement for over > 4 years now. > > > > The scan was performed by taking the list of responders (and valid issuer > name hash/issuer key hashes) that Andrew Ayer has aggregated and making an > OCSP request for the serial number "0xdeadbeefdeadbeefdeadbeefdeadbeef". > This serial is extremely unlikely to have been issued legitimately. > > > > The following OCSP responders appear to be non-compliant with the BRs > (they respond GOOD and are not listed as technically constrained by crt.sh) > but are embedded in certificates issued in paths that chain up to trusted > roots in the Mozilla store. I have grouped them by owner where possible and > put notes about whether they've been contacted: > > > > AS Sertifitseerimiskeskuse (SK) > > > > CCADB does not list an email address. Not CC'd. > > > > DN: C=EE, O=AS Sertifitseerimiskeskus, CN=EE Certification Centre Root CA, > emailAddress=p...@sk.ee <mailto:p...@sk.ee> > > Example cert: https://crt.sh/?q=74d992d3910bcf7e34b8b5cd28f91e > aeb4f41f3da6394d78b8c43672d43f4f0f > > OCSP URI: http://ocsp.sk.ee/CA > > > > Autoridad de Certificacion Firmaprofesional > > > > Email sent to i...@firmaprofesional.com <mailto:i...@firmaprofesional.com> > > > > DN: C=ES, CN=Autoridad de Certificacion Firmaprofesional CIF A62634068 > > Example cert: https://crt.sh/?q=cd74198d4c23e4701dea579892321b > 9e4f47a08bd8374710b899aad1495a4b35 > > OCSP URI: http://ocsp.firmaprofesional.com > > > > DN: C=ES, emailAddress=c...@firmaprofesional.com <mailto: > c...@firmaprofesional.com> , L=C/ Muntaner 244 Barcelona, OU=Consulte > http://www.firmaprofesional.com, OU=Jerarquia de Certificacion > Firmaprofesional, O=Firmaprofesional S.A. NIF A-62634068, CN=AC > Firmaprofesional - CA1 > > Example cert: https://crt.sh/?q=649d5190f9fff58de60313c2f05983 > 93f9dba05368b1dbfe93ec806015fb8796 > > OCSP URI: http://ocsp.firmaprofesional.com > > > > DN: C=ES, O=Firmaprofesional SA, OU=Certificados Digitales para la > Administracion Publica, serialNumber=A62634068, CN=AC Firmaprofesional - > AAPP > > Example cert: https://crt.sh/?q=d4ef928ee32c3838d40e5756b52382 > 9b1dafcd46fd84428ba03d59330a4ae5e7 > > OCSP URI: http://ocsp.firmaprofesional.com > > > > CA Disig a.s. > > > > Email sent to tspnot...@disig.sk <mailto:tspnot...@disig.sk> > > > > DN: C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig R1I1 Certification > Service > > Example cert: https://crt.sh/?q=da74b18f3651bf90a8b2c07f8df294 > de19e441dcaa6913627261752199c302a2 > > OCSP URI: http://subcar1i1-ocsp.disig.sk/ocsp/subcar1i1 > > > > DN: C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig R2I2 Certification > Service > > Example cert: https://crt.sh/?q=1a088e912ddb15a3b52ab1396af2a1 > ce0dcfab170e007e551f63231c76975417 > > OCSP URI: http://subcar2i2-ocsp.disig.sk/ocsp/subcar2i2 > > > > DN: C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig Root R1 > > Example cert: https://crt.sh/?q=e1abb0faeaa7312f2c3e041cbd2df0 > 3a507e346b9716442463ed61106aff6947 > > OCSP URI: http://rootcar1-ocsp.disig.sk/ocsp/rootcar1 > > > > DN: C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig Root R2 > > Example cert: https://crt.sh/?q=239ffa86d71033ba255914782057d8 > 7e8421aedd5910b786928b6a1248c3e341 > > OCSP URI: http://rootcar2-ocsp.disig.sk/ocsp/rootcar2 > > > > certSIGN > > > > Email sent to off...@certsign.ro <mailto:off...@certsign.ro> > > > > DN: C=RO, O=certSIGN, OU=certSIGN Enterprise CA Class 3 G2, CN=certSIGN > Enterprise CA Class 3 G2 > > Example cert: https://crt.sh/?q=98ab1983ae9f6a6116e5010e3ab2b1 > b0bf266fa205a140b1bc1d340ff4ff6355 > > OCSP URI: http://ocsp.certsign.ro > > > > DN: C=RO, O=certSIGN, OU=certSIGN ROOT CA > > Example cert: https://crt.sh/?q=3003bf8853427c7b91023f7539853d > 987c58dc4e11bbe047d2a9305c01a6152c > > OCSP URI: http://ocsp.certsign.ro > > > > Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert) > > > > CCADB does not list an email address. Not CC'd. > > > > DN: C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), L=Passatge > de la Concepcio 11 08008 Barcelona, OU=Serveis Publics de Certificacio > ECV-2, OU=Vegeu https://www.catcert.net/verCIC-2 (c)03, > OU=Administracions Locals de Catalunya, CN=EC-AL > > Example cert: https://crt.sh/?q=88f6298c5a8cc66cefb8ea214a528c > 3efce36a26213fe4fd260613967d39e7d4 > > OCSP URI: http://ocsp.catcert.net > > > > DN: C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), L=Passatge > de la Concepcio 11 08008 Barcelona, OU=Serveis Publics de Certificacio > ECV-2, OU=Vegeu https://www.catcert.net/verCIC-2 (c)03, > OU=Administracions Locals de Catalunya, CN=EC-AL > > Example cert: https://crt.sh/?q=1869a83f83b8f034336ab09fe52563 > c00c80c4b45897b3ea15e658fd14306208 > > OCSP URI: http://ocsp.catcert.net > > > > DN: C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), L=Passatge > de la Concepcio 11 08008 Barcelona, OU=Serveis Publics de Certificacio > ECV-2, OU=Vegeu https://www.catcert.net/verCIC-2 (c)03, OU=Secretaria > d'Administracio i Funcio Publica, CN=EC-SAFP > > Example cert: https://crt.sh/?q=15d3c7463f477e2627c4c9a158e429 > abd6bfe63101d6745560a36d1c03363d30 > > OCSP URI: http://ocsp.catcert.net > > > > DN: C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), L=Passatge > de la Concepcio 11 08008 Barcelona, OU=Serveis Publics de Certificacio > ECV-2, OU=Vegeu https://www.catcert.net/verCIC-2 (c)03, OU=Universitats i > Recerca, CN=EC-UR > > Example cert: https://crt.sh/?q=7432b4c29e1360668814ec282ad782 > 08cd521e62b8d8d60d5084fdf8daad57cb > > OCSP URI: http://ocsp.catcert.net > > > > DN: C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), L=Passatge > de la Concepcio 11 08008 Barcelona, OU=Serveis Publics de Certificacio > ECV-2, OU=Vegeu https://www.catcert.net/verCIC-2 (c)03, OU=Universitats i > Recerca, CN=EC-UR > > Example cert: https://crt.sh/?q=3148d57a495fd7bdf4653dfdd3d3c9 > d186547df42e296c4e1b6a7c679179d03f > > OCSP URI: http://ocsp.catcert.net > > > > DN: C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), L=Passatge > de la Concepcio 11 08008 Barcelona, OU=Serveis Publics de Certificacio, > OU=Vegeu https://www.catcert.net/verCIC-3 (c)05, OU=Universitat Rovira i > Virgili, CN=EC-URV > > Example cert: https://crt.sh/?q=caa2a1fe7756bd5e227add40c5e068 > 08dc0a79f1e8c93e4bf982df4893b284e4 > > OCSP URI: http://ocsp.catcert.net > > > > DN: C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), OU=Serveis > Publics de Certificacio, OU=Vegeu https://www.catcert.net/verarrel (c)03, > OU=Jerarquia Entitats de Certificacio Catalanes, CN=EC-ACC > > Example cert: https://crt.sh/?q=356a5f4d994e9efa7caefc49176891 > 1d65ec25977465b610e2f29aa4472631c3 > > OCSP URI: http://ocsp.catcert.net > > > > DN: C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), OU=Serveis > Publics de Certificacio, OU=Vegeu https://www.catcert.net/verarrel (c)03, > OU=Jerarquia Entitats de Certificacio Catalanes, CN=EC-ACC > > Example cert: https://crt.sh/?q=20d082b1f53252e33cee5991be8650 > b414f11f3af16a14295c2fee0c9ab558c2 > > OCSP URI: http://ocsp.catcert.net > > > > DigiCert: > > > > Email sent to rev...@digicert.com <mailto:rev...@digicert.com> > > > > DN: C=CH, L=Zurich, O=ABB, CN=ABB Issuing CA 6 > > Example cert: https://crt.sh/?id=16963460 > > OCSP URI: http://aia.pki.abb.com/ocsp > > > > DN: CN=Cartão de Cidadão 001, OU=ECEstado, O=SCEE - Sistema de > Certificação Electrónica do Estado, C=PT > > Example cert: https://crt.sh/?id=12729446 > > OCSP URI: http://ocsp.root.cartaodecidadao.pt/publico/ocsp > > > > DN: C=PT, O=MULTICERT - Serviços de Certificação Electrónica S.A., > OU=Accredited Certification Authority, CN=MULTICERT Certification Authority > 002 > > Example cert: https://crt.sh/?id=117934576 > > OCSP URI: http://ocsp.multicert.com/ocsp > > OCSP URI: http://ocsp.multicert.com/procsp > > > > DN: C=PT, O=MULTICERT - Serviços de Certificação Electrónica S.A., > OU=Entidade de Certificação Credenciada, CN=MULTICERT - Entidade de > Certificação 001 > > Example cert: https://crt.sh/?id=11653177 > > OCSP URI: http://ocsp.multicert.com/ocsp > > > > DN: DC=com, DC=sanpaoloimi, DC=corp, CN=Intesa Sanpaolo CA Servizi Esterni > > Example cert: https://crt.sh/?id=10915119 > > OCSP URI: http://ocsp.intesasanpaolo.com > > > > DN: DC=com, DC=sanpaoloimi, DC=corp, CN=Intesa Sanpaolo CA Servizi Esterni > Enhanced > > Example cert: https://crt.sh/?id=119601976 > > OCSP URI: http://ocsp.intesasanpaolo.com > > > > DigiCert/Government of Portugal, Sistema de Certificação Electrónica do > Estado (SCEE) / Electronic Certification System of the State: > > > > DN: C=PT, O=SCEE, CN=ECRaizEstado > > Example cert: https://crt.sh/?id=8322256 > > OCSP URI: http://ocsp.ecee.gov.pt > > > > DigiCert/Wells Fargo Bank, N.A.: > > > > DN: Wells Fargo WellsSecure, OU=Wells Fargo Bank NA, CN=WellsSecure Public > Root Certification Authority 01 G2 > > Example cert: https://crt.sh/?id=2029493 > > OCSP URI: http://validator.wellsfargo.com/ > > > > DocuSign (OpenTrust/Keynectis) > > > > CCADB does not list an email address. Not CC'd. > > > > DN: C=FR, O=OpenTrust, OU=0002 478217318, CN=OpenTrust CA for AATL G1 > > Example cert: https://crt.sh/?q=8e409aaa332930d32acbab3b514c3e > 116b1b4d8cc6cf3dfc016a05f9c266f597 > > OCSP URI: http://get-ocsp.certificat.com/opentrustcaforaatlg1 > > > > Government of The Netherlands, PKIoverheid (Logius) > > > > Email sent to supp...@quovadisglobal.com <mailto:support@ > quovadisglobal.com> > > > > DN: C=NL, O=KPN Corporate Market BV, CN=KPN Corporate Market CSP > Organisatie CA - G2 > > Example cert: https://crt.sh/?q=f821a600af00d2fa23f569e00fdf23 > 79bc182920205a6b9b0276733cb2857c15 > > OCSP URI: http://ocsp2.managedpki.com > > > > IdenTrust > > > > CCADB does not list an email address. Not CC'd. > > > > DN: C=US, O=Digital Signature Trust, OU=DST ACES, CN=DST ACES CA X6 > > Example cert: https://crt.sh/?id=136954 > > OCSP URI: https://publicsector.ocsp.identrust.com (note this is https as > well) > > > > Izenpe S.A. > > > > CCADB does not list an email address. Not CC'd. > > > > DN: C=ES, O=IZENPE S.A., CN=Izenpe.com > > Example cert: https://crt.sh?q=b08c196a2ed1e84f9892db1b61219c > eb642882478f39b08719603d0735fa03d1 > > OCSP URI: http://ocsp.izenpe.com > > OCSP URI: http://ocsp.izenpe.com:8094 > > > > PROCERT > > > > CCADB does not list an email address. Not CC'd. However, this is already > under discussion (among other issues) in https://bugzilla.mozilla.org/ > show_bug.cgi?id=1391058 > > > > > > DN: emailAddress=conta...@procert.net.ve <mailto:conta...@procert.net.ve> > , L=Chacao, ST=Miranda, OU=Proveedor de Certificados PROCERT, O=Sistema > Nacional de Certificacion Electronica, C=VE, CN=PSCProcert > > Example cert: https://crt.sh/?id=109516168 > > OCSP URI: http://ura.procert.net.ve/ocsp > > > > SECOM Trust Systems Co. Ltd. > > > > Email sent to ca-supp...@ml.secom-sts.co.jp <mailto:ca-support@ml.secom- > sts.co.jp> > > > > DN: C=JP, L=Academe, O=National Institute of Informatics, CN=NII Open > Domain CA - G4 > > Example cert: https://crt.sh/?q=fc1c83a714148a269d787b4cd306b8 > f19165f1829b1b280c40315f03f85a9964 > > OCSP URI: http://niig4.ocsp.secomtrust.net > > > > DN: C=JP, O=CrossTrust, CN=CrossTrust DV CA3 > > Example cert: https://crt.sh/?q=525ae2e9fc4901507d30f7f381af76 > 5a81bd7276353651594be323205f5c93ef > > OCSP URI: http://dvca3.ocsp.crosstrust.net > > > > DN: C=JP, O=CrossTrust, CN=CrossTrust OV CA3 > > Example cert: https://crt.sh/?q=1857ba98deb0a30c2f6e5f06438142 > 0bae0a3bd1df2b6652a525a66b7030d505 > > OCSP URI: http://ovca3.ocsp.crosstrust.net > > > > DN: C=JP, O="FreeBit Co.,Ltd.", CN=YourNet SSL for business2 > > Example cert: https://crt.sh/?q=70a530cc67a67a1d1b010aad837060 > 9f407d2d91987b59e5f71e51921f58a346 > > OCSP URI: http://freebitov2.ocsp.secomtrust.net > > > > DN: C=JP, O="FreeBit Co.,Ltd.", CN=YourNet SSL for domain2 > > Example cert: https://crt.sh/?q=731421bd0429723c8bb562ea469dba > 90095e790ed8c22482b32cbcd26f7c4235 > > OCSP URI: http://freebitdv2.ocsp.secomtrust.net > > > > DN: C=JP, O=FUJIFILM, CN=FUJIFILM Fnet CA - S > > Example cert: https://crt.sh/?q=3e1b4f7a037a7c8d830329b02f91a3 > 7405bb369639bebeb777b2b150204b995b > > OCSP URI: http://fnetcas.ocsp.secomtrust.net > > > > DN: C=JP, O=Fuji Xerox, CN=Fuji Xerox Xnet CA - S > > Example cert: https://crt.sh/?q=78606d4c88f75e783d39139d664889 > a4910d7146ae3b1da7b24c81f3df909b39 > > OCSP URI: http://xnetcas.ocsp.secomtrust.net > > > > DN: C=JP, O=INTEC INC., CN=EINS/PKI Public Certification Authority V2 > > Example cert: https://crt.sh/?q=90f07f5ae79e83cf8c75f946df031a > 165fa2553f3a3d04ae62368f81773a717f > > OCSP URI: http://intec.ocsp.secomtrust.net > > > > DN: C=JP, O=INTEC INC., CN=EINS/PKI Public Certification Authority V3 > > Example cert: https://crt.sh/?q=ad72b76954165daf1b9021c1fb2b9b > 648e978dc9862a525a88274ec1b7e9f61f > > OCSP URI: http://intec2.ocsp.secomtrust.net > > > > DN: C=JP, O="Japan Registry Services Co., Ltd.", CN=JPRS Domain Validation > Authority - G1 > > Example cert: https://crt.sh/?q=22a04b51e2be5e12726357431ee256 > 8d707515c1f3f094123a391acb540acebb > > OCSP URI: http://dv.ocsp.pubcert.jprs.jp > > > > DN: C=JP, O="Japan Registry Services Co., Ltd.", CN=JPRS Organization > Validation Authority - G1 > > Example cert: https://crt.sh/?q=30748bde0a6fc2802e638511516745 > 141f95c08b8bdf44e69bfb96b0ff2d7ad2 > > OCSP URI: http://ov.ocsp.pubcert.jprs.jp > > > > DN: C=JP, O=KAGOYA JAPAN Inc., CN=KAGOYA JAPAN Certification Authority > > Example cert: https://crt.sh/?q=5d2c95d1995e2dbce6f6db38eee7fb > e5782965b3e24cec3c483761a4b09cf1a2 > > OCSP URI: http://kagoya.ocsp.secomtrust.net > > > > DN: C=JP, O=KDDI Web Communications Inc., CN=KDDI Web Communications > Certification Authority > > Example cert: https://crt.sh/?q=0edc6f278d94a6a0c58f39169ba369 > b3e0273813bdad4c43e4a525c73ff9ed66 > > OCSP URI: http://kddiweb.ocsp.secomtrust.net > > > > DN: C=JP, O="Nijimo, Inc.", CN=FujiSSL Public Certification Authority - G1 > > Example cert: https://crt.sh/?q=460d994d73ed6b1db484dac0d525fc > b3fbfdd2a0982183788c917c4b1d03d839 > > OCSP URI: http://nijimo.ocsp.secomtrust.net > > > > DN: C=JP, O=SECOM Trust.net, OU=Security Communication RootCA1 > > Example cert: https://crt.sh/?q=c415cebfa3fc2ef3c74092b84265ba > d64c3fc9994c91177965667d7abee90588 > > OCSP URI: http://scrootca1.ocsp.secomtrust.net > > > > DN: C=JP, O="SECOM Trust Systems CO.,LTD.", CN=SECOM Passport for Web EV > 2.0 CA > > Example cert: https://crt.sh/?q=9cf126826bb66aa8b40cc33ca6410e > 789982373342218d4fd8d6da7d71a88914 > > OCSP URI: http://ev2.ocsp.secomtrust.net > > > > DN: C=JP, O="SECOM Trust Systems CO.,LTD.", CN=SECOM Passport for Web EV CA > > Example cert: https://crt.sh/?q=92ad0dd7ae67012cb96b33a96d2420 > 7f883af033d587deab402c70644d98e5be > > OCSP URI: http://ev.ocsp.secomtrust.net > > > > DN: C=JP, O="SECOM Trust Systems CO.,LTD.", CN=SECOM Passport for Web MH CA > > Example cert: https://crt.sh/?q=06ea91549c4c2d7aaf1b8c4b7c13ca > 25dc9456b2c187900b7c196a52561d08c0 > > OCSP URI: http://mh.ocsp.secomtrust.net > > > > DN: C=JP, O="SECOM Trust Systems CO.,LTD.", CN=SECOM Passport for Web SR > 3.0 CA > > Example cert: https://crt.sh/?q=625ee6aaca95caf9d8b130bc0ce190 > 3286e90ccf32d014b1410e0fc8ad9a34c2 > > OCSP URI: http://sr30.ocsp.secomtrust.net > > > > DN: C=JP, O="SECOM Trust Systems CO.,LTD.", OU=Security Communication EV > RootCA1 > > Example cert: https://crt.sh/?q=cbe221580a9800b7e4608d21f7d59e > 539a64d5c3996c722cf2cde908aa89d4ba > > OCSP URI: http://evroot.ocsp.secomtrust.net > > > > DN: C=JP, O="SECOM Trust Systems CO.,LTD.", OU=Security Communication > RootCA2 > > Example cert: https://crt.sh/?q=7cf75f006ccff8da30d6ea2a2f7c50 > d0447aa2513ff4a4a37bf292470bba8c85 > > OCSP URI: http://scrootca2.ocsp.secomtrust.net > > > > DN: C=JP, O=XiPS, CN=XiPS CA2 > > Example cert: https://crt.sh/?q=ae7a6dcb4ead3fae08aa340576595b > d02261c2e002f016a83374b3a70446cd06 > > OCSP URI: http://xips2.ocsp.secomtrust.net > > > > Symantec / GeoTrust > > > > CCADB does not list an email address. Not CC'd. > > > > DN: C=IT, O=UniCredit S.p.A., CN=UniCredit Subordinate External > > Example cert: https://crt.sh/?q=049462100743d2bcb10780e7c4eb2c > e1197a3f8bea7fad5ef9141f008eb1e6ca > > OCSP URI: http://ocsp.unicredit.eu/ocsp > > > > Visa > > > > Email sent to pkipol...@visa.com <mailto:pkipol...@visa.com> > > > > DN: C=US, O=VISA, OU=Visa International Service Association, CN=Visa > eCommerce Issuing CA > > Example cert: https://crt.sh/?id=53550125 > > OCSP URI: http://ocsp.visa.com/ocsp > > > > -Paul > > > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy