On Thursday, April 11, 2019 at 7:41:33 AM UTC+8, Nick Lamb wrote:
> (Resending after I typo'd the ML address)
>
> At the risk of further embarrassing myself in the same week, while
> working further on mimicking Firefox trust decisions I found this
> pre-certificate for Arabtec Holding PJSC:
>
> https://crt.sh/?id=926433948
>
> Now there's nothing especially strange about this certificate, except
> that its RSA public key is shared with several other certificates
>
> https://crt.sh/?spkisha256=8bb593a93be1d0e8a822bb887c547890c3e706aad2dab76254f97fb36b82fc26
>
> ... such as the DigiCert Global Root G2:
>
> https://crt.sh/?caid=5885
>
>
> I would like to understand what happened here. Maybe I have once again
> made a terrible mistake, but if not surely this means either that the
> Issuing authority was fooled into issuing for a key the subscriber
> doesn't actually have or worse, this Arabtec Holding outfit has the
> private keys for DigiCert's Global Root G2
>
> Nick.

I also found some other certificates that have the same situation and the same domain name:

https://crt.sh/?ski=e8727721a7e63945d10041d9bef301c11eaa63b1

There are several certificates that have the same public keys and notBefore. All of them were issued by DigiCert SHA2 Secure Server CA. These certificates have different domain names and organizations.

https://crt.sh/?id=907553401
https://crt.sh/?id=884275649
https://crt.sh/?id=924345151

Mirro
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy