On the Fediverse, Dr. Christopher Kunz <https://chaos.social/@christopherkunz/115144844256513679> has noticed two additional issues:

1. A presumably-misissued certificate for 2.2.2.2, an IP address assigned to Oracle according to WHOIS: https://crt.sh/?sha256=789DE404B22E8737C22694B72CBDDC23F8C1EE4BF1DF3FAEBACF5C3E5509288B

2. The certificates involved in this incident have been revoked with the reason code cessationOfOperation. Per BR 4.9.1.1 (5), the reason should be superseded.

Regards,
Andrew

On Wed, 3 Sep 2025 23:31:58 +0800
Youfu Zhang <[email protected]> wrote:

> Hello,
>
> This is a public report of several certificates issued by Fina RDC
> 2020 that appear to be mis-issued. These certificates contain the
> Subject Alternative Name (SAN) iPAddress:1.1.1.1.
>
> The IP address 1.1.1.1 is a well-known public DNS resolver operated by
> Cloudflare, in partnership with APNIC. It is highly unlikely that the
> certificate subscribers demonstrated control over this IP address as
> required by the CA/Browser Forum Baseline Requirements.
>
> Three of the discovered certificates are still valid as of today,
> September 3, 2025.
>
> Mis-issued Certificates:
>
> 1. Serial Number: d3:16:7e:fd:77:ca:d7:59:00:00:00:00:5f:c7:c6:72
>    Subject CN: test1.hr
>    SAN:
>    - dNSName:test1.hr
>    - dNSName:test12.hr
>    - iPAddress:1.1.1.1
>    crt.sh: https://crt.sh/?id=18603461241
>    Censys:
>    https://platform.censys.io/certificates/8abd30c3c154a4be2a1f82e2c0e96a7d4328320f743cc629778455a76632ceee
>
> 2. Serial Number: f9:72:55:2d:6a:c0:88:28:00:00:00:00:5f:c8:6f:4d
>    Subject CN: test1.hr
>    SAN:
>    - dNSName:test1.hr
>    - dNSName:test11.hr
>    - iPAddress:1.1.1.1
>    crt.sh: https://crt.sh/?id=19749721864
>    Censys:
>    https://platform.censys.io/certificates/379d358af1a38f8b06866ea3342b15909ec566b5cd2404fda34fecfe07643abf
>
> 3. Serial Number: be:b8:ef:1b:1c:6c:ff:53:00:00:00:00:5f:c8:cd:e5
>    Subject CN: test11.hr
>    SAN:
>    - dNSName:test11.hr
>    - dNSName:test12.hr
>    - iPAddress:1.1.1.1
>    crt.sh: https://crt.sh/?id=20582951233
>    Censys:
>    https://platform.censys.io/certificates/d42b028468e73795365102058cbcd350ad0a0b9ca7073c5362a570c5ec208a92
>
> Relevant Certificate Authority:
>
> These precertificates were issued by Fina RDC 2020
> (https://crt.sh/?caid=201916), which is a subordinate CA of Fina Root
> CA (https://crt.sh/?caid=100631).
>
> Fina Root CA is trusted by The Microsoft Root Certificate Program.
>
> Apparent Violations:
>
> This issuance appears to violate both the CA/Browser Forum's
> requirements and Fina's own stated policies.
>
> 1. CA/Browser Forum TLS Baseline Requirements (v2.1.7), Section
> 7.1.2.7.12:
>
> The entry MUST contain the IPv4 or IPv6 address that the CA has
> confirmed the Applicant controls or has been granted the right to use
> through a method specified in Section 3.2.2.5.
>
> 2. Fina RDC 2020 Certificate Policy (v1.12), Section 3.2.2.4:
>
> For each IP Address listed in certificate application Fina shall
> verify, as of the date the certificate was issued, the right to use
> and control the IP Address by the Legal person submitting the
> certificate application.
> This verification shall be done in accordance with the methods
> specified in the CA/Browser Forum BRG document.
>
> I request that Fina investigate this matter, revoke any active
> non-compliant certificates, and provide a public incident report in a
> timely manner.
>
> ---
>
> Best regards,
> Youfu Zhang
>
> --
> You received this message because you are subscribed to the Google
> Groups "[email protected]" group. To unsubscribe from
> this group and stop receiving emails from it, send an email to
> [email protected]. To view this discussion
> visit
> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEKhA2zDcVuKi1KVnMOwgjyQ2T9rv7sCFCYG0gwozLU9f7p4vQ%40mail.gmail.com.
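The following is an added example, not part of the thread or of any participant's tooling: a sketch of how the operator of an IP address could flag certificates that name that address in an iPAddress SAN without having been requested, using the SAN notation from the report. The record layout, the watch list, the `known_serials` parameter and the two `constructed-*` records are assumptions made for illustration.

```python
import ipaddress

# Constructed input: serials and SAN entries are copied from the report above;
# the dict layout and the last two records are assumptions for this example.
RECORDS = [
    {"serial": "d3:16:7e:fd:77:ca:d7:59:00:00:00:00:5f:c7:c6:72",
     "san": ["dNSName:test1.hr", "dNSName:test12.hr", "iPAddress:1.1.1.1"]},
    {"serial": "f9:72:55:2d:6a:c0:88:28:00:00:00:00:5f:c8:6f:4d",
     "san": ["dNSName:test1.hr", "dNSName:test11.hr", "iPAddress:1.1.1.1"]},
    {"serial": "be:b8:ef:1b:1c:6c:ff:53:00:00:00:00:5f:c8:cd:e5",
     "san": ["dNSName:test11.hr", "dNSName:test12.hr", "iPAddress:1.1.1.1"]},
    {"serial": "constructed-01",  # unrelated address, must not be flagged
     "san": ["dNSName:example.test", "iPAddress:192.0.2.10"]},
    {"serial": "constructed-02",  # malformed value plus an IPv6 entry
     "san": ["iPAddress:1.1.1", "iPAddress:2001:db8::53"]},
]

# Addresses the monitoring party controls (assumed watch list).
WATCHED = ["1.1.1.1/32", "2001:db8::/32"]


def san_ips(entries):
    """Yield parsed addresses from 'iPAddress:<value>' entries, skipping bad values."""
    for entry in entries:
        kind, _, value = entry.partition(":")  # IPv6 colons stay in value
        if kind != "iPAddress":
            continue
        try:
            yield ipaddress.ip_address(value.strip())
        except ValueError:
            continue  # a real monitor would log the unparseable entry


def unexpected_issuance(records, watched, known_serials=frozenset()):
    """Return (serial, ip) pairs for watched IPs in certificates we did not request."""
    nets = [ipaddress.ip_network(n) for n in watched]
    hits = []
    for rec in records:
        if rec["serial"] in known_serials:
            continue  # issued at our own request
        for ip in san_ips(rec["san"]):
            if any(ip.version == net.version and ip in net for net in nets):
                hits.append((rec["serial"], str(ip)))
    return hits


if __name__ == "__main__":
    for serial, ip in unexpected_issuance(RECORDS, WATCHED):
        print(f"unexpected certificate for {ip}: serial {serial}")
```

In practice the records would come from a Certificate Transparency monitor rather than a hard-coded list, and `known_serials` would be populated from the operator's own issuance inventory.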
