WoSign and StartCom are untrusted, but Certum is still trusted, right?

On Mon, Feb 5, 2018 at 11:08 AM, Hanno Böck via dev-security-policy <[email protected]> wrote:

> Hi,
>
> I searched crt.sh for valid certificates vulnerable to the 2008 Debian
> weak key bug. (Only 2048 bit.)
>
> Overall I found 5 unexpired certificates.
>
> Two certificates by Certum (reported on Saturday, Certum told me "We
> have taken necessary steps to clarify this situation as soon as
> possible", they're not revoked yet):
> https://crt.sh/?id=308392091&opt=ocsp
> https://crt.sh/?id=6888863&opt=ocsp
>
> Wosign:
> https://crt.sh/?id=30347743
> StartCom:
> https://crt.sh/?id=54187884
> https://crt.sh/?id=307753186
>
> As we all know these are no longer trusted by Mozilla, I reported them
> nevertheless. No reply yet.
>
> Old bugs never die, I recommend every CA adds a check for the Debian
> bug to their certificate issuance process.
>
> --
> Hanno Böck
> https://hboeck.de/
>
> mail/jabber: [email protected]
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

--
konklone.com | @konklone <https://twitter.com/konklone>
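The quoted message recommends that every CA add a Debian-weak-key check to its issuance pipeline. The following is an added example of what such a pre-issuance check looks like; it is not code from this thread, from Mozilla, or from any CA. It extracts the RSA modulus from a DER/PEM SubjectPublicKeyInfo with a minimal stdlib-only DER walker, derives a fingerprint, and looks it up in a blocklist. The fingerprint convention used here is an assumption modelled on the openssl-blacklist package (SHA-1 over the exact `Modulus=<UPPERCASE HEX>\n` line that `openssl rsa -noout -modulus` prints, keeping the last 20 hex digits); a real deployment must use the convention of whichever blocklist it loads (`blacklist.RSA-2048` and friends), and the tiny sample key and one-entry blocklist below are constructed for illustration only, not real Debian keys.

```python
"""Pre-issuance check for Debian (2008) weak RSA keys, stdlib only (added example)."""
import base64
import hashlib
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # id-rsaEncryption 1.2.840.113549.1.1.1


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at `pos`; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_from_spki(der: bytes) -> int:
    """Extract the RSA modulus n from a DER SubjectPublicKeyInfo (RFC 5280 / RFC 8017)."""
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg, pos = _read_tlv(spki, 0)      # AlgorithmIdentifier
    _, _, oid_end = _read_tlv(alg, 0)
    if alg[:oid_end] != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _read_tlv(spki, pos)     # subjectPublicKey BIT STRING
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsa_pub, _ = _read_tlv(bits[1:], 0)  # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    tag, n, _ = _read_tlv(rsa_pub, 0)
    if tag != 0x02:
        raise ValueError("modulus must be an INTEGER")
    return int.from_bytes(n, "big")


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and whitespace, then base64-decode."""
    return base64.b64decode(re.sub(r"-----(BEGIN|END) [A-Z ]+-----|\s", "", pem))


def weak_key_fingerprint(modulus: int) -> str:
    """Assumed openssl-blacklist convention: SHA-1 of 'Modulus=<UPPERCASE HEX>\\n',
    last 20 hex digits. Adjust to match the blocklist you actually load."""
    line = "Modulus=%X\n" % modulus
    return hashlib.sha1(line.encode("ascii")).hexdigest()[20:]


def load_blocklist(text: str) -> set:
    """Parse a blocklist file: one fingerprint per line, '#' comment lines ignored."""
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("#")}


def is_debian_weak_key(spki_pem: str, blocklist: set) -> bool:
    """True when the key's fingerprint is listed; a CA should then refuse issuance."""
    n = rsa_modulus_from_spki(pem_to_der(spki_pem))
    return weak_key_fingerprint(n) in blocklist


# --- constructed sample input: a tiny modulus, not a real Debian key -------------------
def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_spki_pem(modulus: int, exponent: int = 65537) -> str:
    """Encode an RSA SubjectPublicKeyInfo as PEM (only used to build test input here)."""
    def der_int(v: int) -> bytes:  # extra byte guarantees a leading 0x00 when the top bit is set
        return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
    rsa_pub = _tlv(0x30, der_int(modulus) + der_int(exponent))
    alg = _tlv(0x30, RSA_OID + b"\x05\x00")
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_pub))
    b64 = base64.b64encode(spki).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PUBLIC KEY-----\n" + body + "\n-----END PUBLIC KEY-----\n"


SAMPLE_MODULUS = 0xC0FFEE1234567890ABCDEF          # constructed, far too small to be real
SAMPLE_PEM = build_spki_pem(SAMPLE_MODULUS)
# Constructed one-entry blocklist standing in for blacklist.RSA-2048.
SAMPLE_BLOCKLIST = load_blocklist("# constructed\n" + weak_key_fingerprint(SAMPLE_MODULUS) + "\n")

if __name__ == "__main__":
    print("weak" if is_debian_weak_key(SAMPLE_PEM, SAMPLE_BLOCKLIST) else "ok")
```

In a real pipeline the public key would come from the CSR, the blocklist from the distribution's openssl-blacklist files (one per key size), and a hit should both block issuance and be logged, since the same weak key is likely to be resubmitted.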

