Thank you, Youfu, for bringing this to the community’s attention.

This CA has never been part of the Mozilla Root Program, and their
certificates have never been trusted by Firefox. However, we are happy to
facilitate continued discussion on dev-security-policy as it is clearly
relevant to the community as a whole.

Whilst we recognize Fina CA is not part of our root program, we also agree
that it would be extremely beneficial for Fina to file an incident report
in accordance with this guidance from the CCADB:
https://www.ccadb.org/cas/incident-report.


Ben


On Wed, Sep 3, 2025 at 9:32 AM Youfu Zhang <[email protected]> wrote:

> Hello,
>
> This is a public report of several certificates issued by Fina RDC
> 2020 that appear to be mis-issued. These certificates contain the
> Subject Alternative Name (SAN) iPAddress:1.1.1.1.
>
> The IP address 1.1.1.1 is a well-known public DNS resolver operated by
> Cloudflare, in partnership with APNIC. It is highly unlikely that the
> certificate subscribers demonstrated control over this IP address as
> required by the CA/Browser Forum Baseline Requirements.
>
> Three of the discovered certificates are still valid as of today,
> September 3, 2025.
>
> Mis-issued Certificates:
>
> 1. Serial Number: d3:16:7e:fd:77:ca:d7:59:00:00:00:00:5f:c7:c6:72
>    Subject CN: test1.hr
>    SAN:
>    - dNSName:test1.hr
>    - dNSName:test12.hr
>    - iPAddress:1.1.1.1
>    crt.sh: https://crt.sh/?id=18603461241
>    Censys: https://platform.censys.io/certificates/8abd30c3c154a4be2a1f82e2c0e96a7d4328320f743cc629778455a76632ceee
>
> 2. Serial Number: f9:72:55:2d:6a:c0:88:28:00:00:00:00:5f:c8:6f:4d
>    Subject CN: test1.hr
>    SAN:
>    - dNSName:test1.hr
>    - dNSName:test11.hr
>    - iPAddress:1.1.1.1
>    crt.sh: https://crt.sh/?id=19749721864
>    Censys: https://platform.censys.io/certificates/379d358af1a38f8b06866ea3342b15909ec566b5cd2404fda34fecfe07643abf
>
> 3. Serial Number: be:b8:ef:1b:1c:6c:ff:53:00:00:00:00:5f:c8:cd:e5
>    Subject CN: test11.hr
>    SAN:
>    - dNSName:test11.hr
>    - dNSName:test12.hr
>    - iPAddress:1.1.1.1
>    crt.sh: https://crt.sh/?id=20582951233
>    Censys: https://platform.censys.io/certificates/d42b028468e73795365102058cbcd350ad0a0b9ca7073c5362a570c5ec208a92
>
> Relevant Certificate Authority:
>
> These precertificates were issued by Fina RDC 2020
> (https://crt.sh/?caid=201916), which is a subordinate CA of Fina Root
> CA (https://crt.sh/?caid=100631).
>
> Fina Root CA is trusted by The Microsoft Root Certificate Program.
>
> Apparent Violations:
>
> This issuance appears to violate both the CA/Browser Forum's
> requirements and Fina's own stated policies.
>
> 1. CA/Browser Forum TLS Baseline Requirements (v2.1.7), Section 7.1.2.7.12:
>
> The entry MUST contain the IPv4 or IPv6 address that the CA has
> confirmed the Applicant controls or has been granted the right to use
> through a method specified in Section 3.2.2.5.
>
> 2. Fina RDC 2020 Certificate Policy (v1.12), Section 3.2.2.4:
>
> For each IP Address listed in certificate application Fina shall
> verify, as of the date the certificate was issued, the right to use
> and control the IP Address by the Legal person submitting the
> certificate application.
> This verification shall be done in accordance with the methods
> specified in the CA/Browser Forum BRG document.
>
> I request that Fina investigate this matter, revoke any active
> non-compliant certificates, and provide a public incident report in a
> timely manner.
>
> ---
>
> Best regards,
> Youfu Zhang
>
> --
> You received this message because you are subscribed to the Google Groups "
> [email protected]" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion visit
> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEKhA2zDcVuKi1KVnMOwgjyQ2T9rv7sCFCYG0gwozLU9f7p4vQ%40mail.gmail.com
> .
>

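The report above turns on one mechanical fact: a subjectAltName carried an iPAddress entry that the applicant had not been validated for. The following is an added example, not code from the thread, from Fina or from Mozilla, of the pre-issuance lint a CA or a certificate monitor could run to catch exactly that: it decodes the DER value of a SAN extension (the GeneralNames SEQUENCE from RFC 5280 section 4.2.1.6) with the standard library only and reports every iPAddress entry outside the ranges the applicant was validated for under BR 3.2.2.5. The SAN bytes are constructed to mirror certificate 1 of the report (dNSName test1.hr, dNSName test12.hr, iPAddress 1.1.1.1); the "validated" range 203.0.113.0/24 is documentation address space standing in for a hypothetical applicant record, and `unvalidated_ip_sans` is an assumed name, not any real CA software's API.

```python
"""Pre-issuance lint for subjectAltName iPAddress entries (added example)."""
import ipaddress
from typing import List, Tuple

# Context-specific primitive tags used inside GeneralNames (RFC 5280 4.2.1.6)
TAG_DNS_NAME = 0x82     # [2] dNSName, IA5String
TAG_IP_ADDRESS = 0x87   # [7] iPAddress, OCTET STRING of 4 or 16 bytes
TAG_SEQUENCE = 0x30


def _der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV, using long-form length when body >= 128 bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode the TLV starting at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def parse_general_names(san_der: bytes) -> List[Tuple[str, str]]:
    """Return [(kind, text)] for every GeneralName in a SAN extension value."""
    tag, seq, _ = _read_tlv(san_der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("SAN extension value is not a SEQUENCE")
    names: List[Tuple[str, str]] = []
    pos = 0
    while pos < len(seq):
        tag, value, pos = _read_tlv(seq, pos)
        if tag == TAG_DNS_NAME:
            names.append(("dNSName", value.decode("ascii")))
        elif tag == TAG_IP_ADDRESS:
            if len(value) not in (4, 16):
                raise ValueError(f"iPAddress of {len(value)} bytes is not IPv4/IPv6")
            # ipaddress accepts packed 4- or 16-byte addresses directly
            names.append(("iPAddress", str(ipaddress.ip_address(value))))
        else:
            # otherName, rfc822Name, URI, etc. are kept but not checked here
            names.append((f"other[{tag:#x}]", value.hex()))
    return names


def unvalidated_ip_sans(san_der: bytes, validated_networks: List[str]) -> List[str]:
    """List every iPAddress SAN not inside a range validated for the applicant."""
    nets = [ipaddress.ip_network(n) for n in validated_networks]
    violations = []
    for kind, text in parse_general_names(san_der):
        if kind != "iPAddress":
            continue
        ip = ipaddress.ip_address(text)
        if not any(ip in net for net in nets):   # version mismatch is simply False
            violations.append(text)
    return violations


# Constructed SAN mirroring certificate 1 of the report (not the real DER).
SAMPLE_SAN = _der_tlv(TAG_SEQUENCE,
                      _der_tlv(TAG_DNS_NAME, b"test1.hr")
                      + _der_tlv(TAG_DNS_NAME, b"test12.hr")
                      + _der_tlv(TAG_IP_ADDRESS, bytes([1, 1, 1, 1])))

# Hypothetical applicant record: the only range validated under BR 3.2.2.5
# (203.0.113.0/24 is documentation space, chosen for illustration).
VALIDATED_FOR_APPLICANT = ["203.0.113.0/24"]

if __name__ == "__main__":
    for kind, text in parse_general_names(SAMPLE_SAN):
        print(f"  - {kind}:{text}")
    bad = unvalidated_ip_sans(SAMPLE_SAN, VALIDATED_FOR_APPLICANT)
    print("refuse issuance, unvalidated iPAddress SANs:" if bad else "ok", bad)
```

The check deliberately uses an allowlist of validated ranges rather than a blocklist of famous addresses: 1.1.1.1 is the case that got noticed, but any address the applicant was not validated for is the same BR 7.1.2.7.12 problem, and an allowlist catches all of them. On a real certificate the SAN bytes come from the extension with OID 2.5.29.17, which a full X.509 parser would hand to `parse_general_names`.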