On Tuesday, January 8, 2019 at 3:12:26 PM UTC-5, Wayne Thayer wrote:
> Thanks Corey, Ryan, and Jonathan.
>
> In one of the bugs that Ryan created, the CA stated that it's not clear if
> or when Mozilla requires revocation of these P-521 certificates. I believe
> the answer is that we do not require revocation. Our policy (section 6)
> explicitly requires CAs to abide by the BR revocation rules (section
> 4.9.1.1), but these certificates do not meet any of those requirements.
>
> - Wayne
>
> On Tue, Jan 8, 2019 at 11:30 AM Jonathan Rudenberg via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > On Mon, Jan 7, 2019, at 21:26, Corey Bonnell via dev-security-policy wrote:
> > > (Posting in a personal capacity as I am no longer employed by Trustwave)
> > >
> > > Mozilla Root Store Policy section 5.1
> > > (https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/)
> > > prohibits the use of P-521 keys in root certificates included in the
> > > Mozilla trust store, as well as in any certificates chaining to these
> > > roots. This prohibition was made very clear in the discussion on this
> > > list in 2017 at
> > > https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/7O34-DmZeC8/fsKobHABAwAJ.
> > >
> > > Below is a list of unexpired, unrevoked certificates which contain P-521
> > > public keys (grouped by CA Owner and ordered by notBefore):
> >
> > I've created https://misissued.com/batch/43/ to track these.
> > _______________________________________________
> > dev-security-policy mailing list
> > dev-security-policy@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-security-policy
I'd like to follow up on this discussion with a list of another 63 unique, valid Sectigo-issued P-521 SPKI certificates that have been issued since I reported the first batch back in January. According to Sectigo [1], a patch was deployed on January 8th to prevent issuance of certificates with P-521 SPKIs, but there must have been a problem with the deployment or a regression was introduced, as all these certificates have a notBefore date of several weeks after January 8th:

Sectigo

"crt.sh URL(s)", notBefore, notAfter, "subject CN", "issuer CN"
"https://crt.sh/?id=1153301077 (precert); https://crt.sh/?id=1153303683 (final)", 2019-01-29, 2020-01-29, *.012919020120149.vfidev.com, "COMODO ECC Organization Validation Secure Server CA"
"https://crt.sh/?id=1159765604 (precert); https://crt.sh/?id=1159768069 (final)", 2019-01-30, 2020-01-30, vpn.catest.net, "Gandi Standard SSL CA 2"
"https://crt.sh/?id=1166099013 (precert); https://crt.sh/?id=1166156646 (final)", 2019-02-03, 2021-02-02, sso.aust.ae, "GlobeSSL DV Certification Authority 2"
"https://crt.sh/?id=1172672983 (precert); https://crt.sh/?id=1172675064 (final)", 2019-02-05, 2020-02-05, *.020519020223240.vfidev.com, "COMODO ECC Organization Validation Secure Server CA"
"https://crt.sh/?id=1173393341 (precert); https://crt.sh/?id=1173396153 (final)", 2019-02-05, 2020-02-05, *.020519060222541.vfidev.com, "COMODO ECC Organization Validation Secure Server CA"
"https://crt.sh/?id=1194624767 (precert); https://crt.sh/?id=1194625305 (final)", 2019-02-11, 2021-02-10, im-ec.angelo.edu, "InCommon ECC Server CA"
"https://crt.sh/?id=1194625403 (precert); https://crt.sh/?id=1194625563 (final)", 2019-02-11, 2021-02-10, im-ec.angelo.edu, "InCommon ECC Server CA"
"https://crt.sh/?id=1194625375 (precert); https://crt.sh/?id=1194625597 (final)", 2019-02-11, 2021-02-10, im-ec.angelo.edu, "InCommon ECC Server CA"
"https://crt.sh/?id=1203447331 (precert); https://crt.sh/?id=1203448393 (final)", 2019-02-14, 2020-02-14, *.021419180252278.vfidev.com, "COMODO ECC Organization Validation Secure Server CA"
"https://crt.sh/?id=1203465736 (precert); https://crt.sh/?id=1203465915 (final)", 2019-02-14, 2020-02-14, *.021419180252278.vfidev.com, "COMODO ECC Organization Validation Secure Server CA"
"https://crt.sh/?id=1221647998 (precert); https://crt.sh/?id=1221648175 (final)", 2019-02-21, 2020-02-21, *.022119020213378.vfidev.com, "COMODO ECC Organization Validation Secure Server CA"
"https://crt.sh/?id=1221642108 (precert); https://crt.sh/?id=1221644541 (final)", 2019-02-21, 2020-02-21, *.022119020213378.vfidev.com, "COMODO ECC Organization Validation Secure Server CA"
"https://crt.sh/?id=1232911110 (precert); https://crt.sh/?id=1232911335 (final)", 2019-02-26, 2020-02-26, test-september.merck.com, "COMODO ECC Organization Validation Secure Server CA"
"https://crt.sh/?id=1235318031 (precert); https://crt.sh/?id=1235318034 (final)", 2019-02-27, 2020-02-27, *.022719020237488.vfidev.com, "COMODO ECC Organization Validation Secure Server CA"
"https://crt.sh/?id=1260274146 (precert); https://crt.sh/?id=1260274133 (final)", 2019-03-07, 2020-03-06, *.030719020323283.vfidev.com, "COMODO ECC Organization Validation Secure Server CA"
"https://crt.sh/?id=1263239685 (precert); https://crt.sh/?id=1263240592 (final)", 2019-03-08, 2020-03-07, *.030819020353473.vfidev.com, "COMODO ECC Organization Validation Secure Server CA"
"https://crt.sh/?id=1282920509 (precert); https://crt.sh/?id=1282921013 (final)", 2019-03-13, 2020-03-12, kungfood.pl, "DOMENY SSL DV Certification Authority"
"https://crt.sh/?id=1283274080 (precert); https://crt.sh/?id=1283274141 (final)", 2019-03-13, 2020-03-12, is-winsec1-dev.uoregon.edu, "InCommon RSA Server CA"
"https://crt.sh/?id=1283225423 (precert); https://crt.sh/?id=1283226032 (final)", 2019-03-13, 2020-03-12, is-winsec.uoregon.edu, "InCommon RSA Server CA"
"https://crt.sh/?id=1328435939 (precert); https://crt.sh/?id=1328436096 (final)", 2019-03-29, 2021-03-28, oxfcucp01-ec-ms.miamioh.edu, "InCommon ECC Server CA"
"https://crt.sh/?id=1335173111 (precert); https://crt.sh/?id=1335173379 (final)", 2019-03-31, 2021-02-28, ealadel.com, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1335439808 (precert); https://crt.sh/?id=1335523316 (final)", 2019-03-31, 2021-02-28, ealadel.com, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1339652607 (precert); https://crt.sh/?id=1339659513 (final)", 2019-04-02, 2020-04-01, *.040219010429751.vfidev.com, "COMODO ECC Organization Validation Secure Server CA"
"https://crt.sh/?id=1341579333 (precert); https://crt.sh/?id=1341579351 (final)", 2019-04-02, 2021-04-01, oxfcucp01-ec-ms.miamioh.edu, "InCommon ECC Server CA"
"https://crt.sh/?id=1367361455 (precert); https://crt.sh/?id=1367361572 (final)", 2019-04-09, 2021-04-10, *.lifepittsburgh.org, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1372163624 (precert); https://crt.sh/?id=1372164012 (final)", 2019-04-10, 2020-11-20, biokeks.com, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1381130450 (precert); https://crt.sh/?id=1381130526 (final)", 2019-04-13, 2021-04-12, www.worselis.com, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1381124399 (precert); https://crt.sh/?id=1381123749 (final)", 2019-04-13, 2021-04-12, www.worselis.com, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1388867840 (precert); https://crt.sh/?id=1388867614 (final)", 2019-04-16, 2019-10-02, tombu.biz, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1388887321 (precert); https://crt.sh/?id=1388887663 (final)", 2019-04-16, 2019-10-02, tombu.biz, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1393506782 (precert); https://crt.sh/?id=1393508121 (final)", 2019-04-17, 2020-06-15, *.mgid.com, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1410457003 (precert); https://crt.sh/?id=1410457527 (final)", 2019-04-22, 2020-04-21, forlorn.uoregon.edu, "InCommon RSA Server CA"
"https://crt.sh/?id=1414114703 (precert); https://crt.sh/?id=1414115661 (final)", 2019-04-24, 2021-04-23, firewall.chickenfriedbacon.com, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1434701068 (precert); https://crt.sh/?id=1434701046 (final)", 2019-05-01, 2021-05-15, *.kerner.fr, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1436840840 (precert); https://crt.sh/?id=1436852440 (final)", 2019-05-02, 2021-05-01, mon1.int.gns.ovh.net, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1436072362 (precert); https://crt.sh/?id=1436074225 (final)", 2019-05-02, 2020-05-01, is-wec2.ad.uoregon.edu, "InCommon RSA Server CA"
"https://crt.sh/?id=1437643846 (precert); https://crt.sh/?id=1437641121 (final)", 2019-05-02, 2021-05-01, sslvpn.rosenhotels.com, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1437648867 (precert); https://crt.sh/?id=1437648968 (final)", 2019-05-02, 2020-05-01, is-wec2.ad.uoregon.edu, "InCommon RSA Server CA"
"https://crt.sh/?id=1439807169 (precert); https://crt.sh/?id=1439808054 (final)", 2019-05-03, 2019-08-01, cfwww.ausunny.org, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1444671300 (precert); https://crt.sh/?id=1444671337 (final)", 2019-05-06, 2020-05-05, is-camper.ad.uoregon.edu, "InCommon RSA Server CA"
"https://crt.sh/?id=1459393199 (precert); https://crt.sh/?id=1459393360 (final)", 2019-05-11, 2020-05-10, cryptostorm.ch, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1482259813 (precert); https://crt.sh/?id=1482259871 (final)", 2019-05-17, 2020-05-16, is-obgw-test1.ad.uoregon.edu, "InCommon RSA Server CA"
"https://crt.sh/?id=1502005938 (precert); https://crt.sh/?id=1502005820 (final)", 2019-05-23, 2020-08-14, testwebservice.performancedirect.co.uk, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1505411256 (precert); https://crt.sh/?id=1505411385 (final)", 2019-05-24, 2021-06-07, webdev.netmanagement.net, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1519285579 (precert); https://crt.sh/?id=1519285637 (final)", 2019-05-28, 2020-07-30, shop.pier28.com, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1522057120 (precert); https://crt.sh/?id=1522056056 (final)", 2019-05-29, 2021-05-28, caojiefeng.com, "TrustOcean SSL CA - ECC - 2018"
"https://crt.sh/?id=1541037665 (precert); https://crt.sh/?id=1541037327 (final)", 2019-06-04, 2021-06-03, bi44.business.unc.edu, "InCommon ECC Server CA"
"https://crt.sh/?id=1552447969 (precert); https://crt.sh/?id=1552449107 (final)", 2019-06-07, 2020-06-06, testing.ecc.p521.fisglobal.com, "Sectigo ECC Organization Validation Secure Server CA"
"https://crt.sh/?id=1565405135 (precert); https://crt.sh/?id=1565406167 (final)", 2019-06-11, 2019-11-05, readsingcry.com, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1572486672 (precert); https://crt.sh/?id=1572486913 (final)", 2019-06-13, 2021-06-12, sga.vc, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1575955817 (precert); https://crt.sh/?id=1575955838 (final)", 2019-06-14, 2020-06-13, auth0-emea.com, "GoGetSSL ECC DV CA"
"https://crt.sh/?id=1584146347 (precert); https://crt.sh/?id=1584146464 (final)", 2019-06-16, 2021-06-15, ldaps.azure.goodeast.com, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1592686468 (precert); https://crt.sh/?id=1592686459 (final)", 2019-06-19, 2019-09-17, multi-vpn.biz, "GoGetSSL ECC DV CA"
"https://crt.sh/?id=1592751184 (precert); https://crt.sh/?id=1592751748 (final)", 2019-06-19, 2019-09-17, multi-vpn.biz, "GoGetSSL ECC DV CA"
"https://crt.sh/?id=1595507138 (precert); https://crt.sh/?id=1595507410 (final)", 2019-06-20, 2020-06-20, staging.fundermaps.com, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1599162443 (precert); https://crt.sh/?id=1599162930 (final)", 2019-06-21, 2020-06-21, braynz.neuromarketingonline.nl, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1612604628 (precert); https://crt.sh/?id=1612604678 (final)", 2019-06-25, 2020-06-24, rbl.net, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1611769555 (precert); https://crt.sh/?id=1611769818 (final)", 2019-06-25, 2021-06-24, *.iris.darktrace.com, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1617907696 (precert); https://crt.sh/?id=1618009379 (final)", 2019-06-28, 2021-06-27, ngv01.acma.gov.au, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1632091441 (precert); https://crt.sh/?id=1632092971 (final)", 2019-07-02, 2020-07-01, *.070219010722711.vfidev.com, "COMODO ECC Organization Validation Secure Server CA"
"https://crt.sh/?id=1645553653 (precert); https://crt.sh/?id=1645553835 (final)", 2019-07-06, 2020-07-05, *.xtcare.net, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1652685175 (precert); https://crt.sh/?id=1652685481 (final)", 2019-07-09, 2020-10-06, www.autohaus-roell.de, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1675123495 (precert); https://crt.sh/?id=1675123804 (final)", 2019-07-16, 2020-07-15, is-obgw-prod1.ad.uoregon.edu, "InCommon RSA Server CA"

Thanks,
Corey

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1518553#c3
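The check that the report above implies a CA's issuance pipeline should run, as an added example (not code from the thread, from Sectigo, or from Mozilla): a stdlib-only lint that walks the DER of a SubjectPublicKeyInfo and flags EC keys on any curve other than the P-256 and P-384 that Mozilla Root Store Policy section 5.1 permits, so a P-521 key is rejected before a precertificate is ever logged. Function names are my own, and `sample_spki` builds constructed SPKIs with a dummy key BIT STRING (not a real point) purely to exercise the lint.

```python
# Added example (not from the thread): a minimal pre-issuance lint that walks the
# DER of a SubjectPublicKeyInfo (from a CSR or certificate) and flags EC keys on
# curves other than the P-256/P-384 permitted by Mozilla Root Store Policy 5.1.
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
CURVE_NAMES = {"1.2.840.10045.3.1.7": "P-256", "1.3.132.0.34": "P-384", "1.3.132.0.35": "P-521"}
ALLOWED_CURVES = {"P-256", "P-384"}
CURVE_OID_DER = {"P-384": "06052B81040022", "P-521": "06052B81040023"}  # for samples

def _tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(contents):
    """Decode OBJECT IDENTIFIER contents to dotted form (base-128 arcs)."""
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def spki_curve(spki_der):
    """Return (algorithm OID, namedCurve OID or None) from a DER SubjectPublicKeyInfo."""
    _, spki, _ = _tlv(spki_der, 0)               # SubjectPublicKeyInfo ::= SEQUENCE
    _, alg_id, _ = _tlv(spki, 0)                 # AlgorithmIdentifier ::= SEQUENCE
    _, alg, nxt = _tlv(alg_id, 0)                # algorithm OBJECT IDENTIFIER
    algorithm, curve = _oid(alg), None
    if algorithm == ID_EC_PUBLIC_KEY and nxt < len(alg_id):
        tag, params, _ = _tlv(alg_id, nxt)       # parameters: namedCurve OID expected
        curve = _oid(params) if tag == 0x06 else None   # explicit/NULL params stay None
    return algorithm, curve

def lint_spki(spki_der):
    """None if the key is permitted; otherwise a finding string for the issuance log."""
    algorithm, curve = spki_curve(spki_der)
    name = CURVE_NAMES.get(curve, curve or "unnamed curve")
    if algorithm != ID_EC_PUBLIC_KEY or name in ALLOWED_CURVES:
        return None                               # non-EC keys are covered by other lints
    return f"EC key on {name} is not permitted by Mozilla Root Store Policy 5.1"

def sample_spki(curve_name):
    """Constructed SPKI: id-ecPublicKey + namedCurve, dummy BIT STRING (not a real point)."""
    der = lambda tag, c: bytes([tag, len(c)]) + c        # short-form lengths suffice here
    alg = der(0x30, bytes.fromhex("06072A8648CE3D0201" + CURVE_OID_DER[curve_name]))
    return der(0x30, alg + der(0x03, b"\x00\x04\x00"))
```

Run against a real certificate, feed `lint_spki` the DER of its subjectPublicKeyInfo field; the long-form length branch in `_tlv` is what makes that work for keys larger than 127 bytes.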