Hi, I searched crt.sh for valid certificates vulnerable to the 2008 Debian weak key bug. (Only 2048 bit.)
Overall I found 5 unexpired certificates.

Two certificates by Certum (reported on Saturday, Certum told me "We have taken necessary steps to clarify this situation as soon as possible", they're not revoked yet):
https://crt.sh/?id=308392091&opt=ocsp
https://crt.sh/?id=6888863&opt=ocsp

WoSign:
https://crt.sh/?id=30347743

StartCom:
https://crt.sh/?id=54187884
https://crt.sh/?id=307753186

As we all know, these are no longer trusted by Mozilla; I reported them nevertheless. No reply yet.

Old bugs never die. I recommend every CA adds a check for the Debian bug to their certificate issuance process.

--
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
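One way a CA could implement the pre-issuance check recommended in the message above, as an added example that is not part of the original post or any CA's code. It assumes the fingerprint format of Debian's openssl-blacklist package (the last 20 hex characters of the SHA-1 of the `Modulus=<HEX>` line printed by `openssl rsa -noout -modulus`, one entry per line, one list per key size); the function names, sample moduli and sample list are constructed for illustration.

```python
import hashlib

def debian_fingerprint(modulus: int) -> str:
    """Last 80 bits (20 hex chars) of SHA-1 over the `openssl -modulus` line."""
    line = "Modulus={:X}\n".format(modulus).encode("ascii")
    return hashlib.sha1(line).hexdigest()[20:]

def load_blocklist(text: str) -> frozenset:
    """Parse list text: one 20-hex-char entry per line, '#' comments (assumed format)."""
    entries = set()
    for raw in text.splitlines():
        entry = raw.strip().lower()
        if not entry or entry.startswith("#"):
            continue
        if len(entry) != 20 or any(c not in "0123456789abcdef" for c in entry):
            raise ValueError(f"malformed blocklist entry: {raw!r}")
        entries.add(entry)
    return frozenset(entries)

def check_rsa_key(modulus: int, blocklists: dict) -> tuple:
    """Return (allowed, reason). blocklists maps key size in bits -> fingerprints."""
    bits = modulus.bit_length()
    if bits not in blocklists:
        # Fail closed: without a list for this key size the check cannot run.
        return (False, f"no Debian weak-key list loaded for {bits}-bit RSA")
    if debian_fingerprint(modulus) in blocklists[bits]:
        return (False, "modulus matches Debian weak-key list")
    return (True, "ok")

# Constructed sample data: these moduli are NOT real keys, and the list below
# is built from the first one only to exercise the lookup path.
SAMPLE_LISTED = (1 << 2047) | 0x1234567
SAMPLE_UNLISTED = (1 << 2047) | 1
CONSTRUCTED_LIST = (
    "# constructed sample, not real Debian data\n"
    + debian_fingerprint(SAMPLE_LISTED).upper() + "\n"
)

if __name__ == "__main__":
    lists = {2048: load_blocklist(CONSTRUCTED_LIST)}
    for name, n in (("listed", SAMPLE_LISTED), ("unlisted", SAMPLE_UNLISTED)):
        print(name, check_rsa_key(n, lists))
```

In an issuance pipeline the modulus would come from the CSR's public key, and the lists would be loaded from the real per-key-size blocklist files rather than constructed text.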