On Fri, Oct 10, 2014 at 11:30:54PM +0000, Phil Pennock wrote:
> On 2014-10-10 at 18:05 -0500, Lawrence K. Chen, P.Eng. wrote:
> > These things are starting to appear everywhere....
> >
> > I vaguely recall hearing of one group looking at getting our own
> > intermediate CA.
> >
> > Searching came up with this: http://www.startssl.com/?app=5
>
> Too late to start that now: CAs are shutting down those programs because
> the browser maintainers have pushed back harder. Unless you're prepared
> to go through all the steps that a public CA goes through, in terms of
> process controls and other security practices, and you're prepared to
> pay for auditors to audit how you run this side of things, a CA which
> issues an intermediate cert to you is at risk of getting pulled from the
> browser default trust stores.
>
> See, eg, https://wiki.mozilla.org/CA:CertificatePolicyV2.1 for how
> things are firming up.
Not to keep beating a dead horse, but here's a related thing that puzzles
me. I wonder if anyone else gets a different result. I've got 2 very
different certs claiming to be the Google Internet Authority G2. Same
subject, same auth key ID, same subject key id, same public key.
Different certs. Huh? I'm sure if there's a simple explanation someone
here knows it. (Data follows sig)

TIA,
--
Charles Polisher

-----------------------------------------------
1. Cert downloaded from https://pki.google.com/
-----------------------------------------------
        Subject: C=US, O=Google Inc, CN=Google Internet Authority G2
            X509v3 Authority Key Identifier:
                keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
            X509v3 Subject Key Identifier:
                4A:DD:06:16:1B:BC:F6:68:B5:76:F5:81:B6:BB:62:1A:BA:5A:81:2F
                Public-Key: (2048 bit)
                Modulus:
                    00:9c:2a:04:77:5c:d8:50:91:3a:06:a3:82:e0:d8:
                    50:48:bc:89:3f:f1:19:70:1a:88:46:7e:e0:8f:c5:
                    f1:89:ce:21:ee:5a:fe:61:0d:b7:32:44:89:a0:74:
                    0b:53:4f:55:a4:ce:82:62:95:ee:eb:59:5f:c6:e1:
                    05:80:12:c4:5e:94:3f:bc:5b:48:38:f4:53:f7:24:
                    e6:fb:91:e9:15:c4:cf:f4:53:0d:f4:4a:fc:9f:54:
                    de:7d:be:a0:6b:6f:87:c0:d0:50:1f:28:30:03:40:
                    da:08:73:51:6c:7f:ff:3a:3c:a7:37:06:8e:bd:4b:
                    11:04:eb:7d:24:de:e6:f9:fc:31:71:fb:94:d5:60:
                    f3:2e:4a:af:42:d2:cb:ea:c4:6a:1a:b2:cc:53:dd:
                    15:4b:8b:1f:c8:19:61:1f:cd:9d:a8:3e:63:2b:84:
                    35:69:65:84:c8:19:c5:46:22:f8:53:95:be:e3:80:
                    4a:10:c6:2a:ec:ba:97:20:11:c7:39:99:10:04:a0:
                    f0:61:7a:95:25:8c:4e:52:75:e2:b6:ed:08:ca:14:
                    fc:ce:22:6a:b3:4e:cf:46:03:97:97:03:7e:c0:b1:
                    de:7b:af:45:33:cf:ba:3e:71:b7:de:f4:25:25:c2:
                    0d:35:89:9d:9d:fb:0e:11:79:89:1e:37:c5:af:8e:
                    72:69
-----BEGIN CERTIFICATE-----
MIID8DCCAtigAwIBAgIDAjp2MA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTYxMjMxMjM1OTU5WjBJMQswCQYDVQQG
EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy
bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP
VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv
h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE
ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ
EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC
DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB5zCB5DAfBgNVHSMEGDAWgBTAephojYn7
qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYD
VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwNQYDVR0fBC4wLDAqoCig
JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMC4GCCsGAQUF
BwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMBcGA1UdIAQQ
MA4wDAYKKwYBBAHWeQIFATANBgkqhkiG9w0BAQUFAAOCAQEAJ4zP6cc7vsBv6JaE
+5xcXZDkd9uLMmCbZdiFJrW6nx7eZE4fxsggWwmfq6ngCTRFomUlNz1/Wm8gzPn6
8R2PEAwCOsTJAXaWvpv5Fdg50cUDR3a4iowx1mDV5I/b+jzG1Zgo+ByPF5E0y8tS
etH7OiDk4Yax2BgPvtaHZI3FCiVCUe+yOLjgHdDh/Ob0r0a678C/xbQF9ZR1DP6i
vgK66oZb+TWzZvXFjYWhGiN3GhkXVBNgnwvhtJwoKvmuAjRtJZOcgqgXe/GFsNMP
WOH7sf6coaPo/ck/9Ndx3L2MpBngISMjVROPpBYCCX65r+7bU2S9cS+5Oc4wt7S8
VOBHBw==
-----END CERTIFICATE-----

-----------------------------------------------
2. Cert offered up by https://drive.google.com/
-----------------------------------------------
        Subject: C=US, O=Google Inc, CN=Google Internet Authority G2
            X509v3 Authority Key Identifier:
                keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
            X509v3 Subject Key Identifier:
                4A:DD:06:16:1B:BC:F6:68:B5:76:F5:81:B6:BB:62:1A:BA:5A:81:2F
                Public-Key: (2048 bit)
                Modulus:
                    00:9c:2a:04:77:5c:d8:50:91:3a:06:a3:82:e0:d8:
                    50:48:bc:89:3f:f1:19:70:1a:88:46:7e:e0:8f:c5:
                    f1:89:ce:21:ee:5a:fe:61:0d:b7:32:44:89:a0:74:
                    0b:53:4f:55:a4:ce:82:62:95:ee:eb:59:5f:c6:e1:
                    05:80:12:c4:5e:94:3f:bc:5b:48:38:f4:53:f7:24:
                    e6:fb:91:e9:15:c4:cf:f4:53:0d:f4:4a:fc:9f:54:
                    de:7d:be:a0:6b:6f:87:c0:d0:50:1f:28:30:03:40:
                    da:08:73:51:6c:7f:ff:3a:3c:a7:37:06:8e:bd:4b:
                    11:04:eb:7d:24:de:e6:f9:fc:31:71:fb:94:d5:60:
                    f3:2e:4a:af:42:d2:cb:ea:c4:6a:1a:b2:cc:53:dd:
                    15:4b:8b:1f:c8:19:61:1f:cd:9d:a8:3e:63:2b:84:
                    35:69:65:84:c8:19:c5:46:22:f8:53:95:be:e3:80:
                    4a:10:c6:2a:ec:ba:97:20:11:c7:39:99:10:04:a0:
                    f0:61:7a:95:25:8c:4e:52:75:e2:b6:ed:08:ca:14:
                    fc:ce:22:6a:b3:4e:cf:46:03:97:97:03:7e:c0:b1:
                    de:7b:af:45:33:cf:ba:3e:71:b7:de:f4:25:25:c2:
                    0d:35:89:9d:9d:fb:0e:11:79:89:1e:37:c5:af:8e:
                    72:69
-----BEGIN CERTIFICATE-----
MIIEBDCCAuygAwIBAgIDAjppMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTUwNDA0MTUxNTU1WjBJMQswCQYDVQQG
EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy
bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP
VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv
h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE
ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ
EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC
DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB+zCB+DAfBgNVHSMEGDAWgBTAephojYn7
qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYD
VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMwMTAvoC2g
K4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9ndGdsb2JhbC5jcmwwPQYI
KwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vZ3RnbG9iYWwtb2NzcC5n
ZW90cnVzdC5jb20wFwYDVR0gBBAwDjAMBgorBgEEAdZ5AgUBMA0GCSqGSIb3DQEB
BQUAA4IBAQA21waAESetKhSbOHezI6B1WLuxfoNCunLaHtiONgaX4PCVOzf9G0JY
/iLIa704XtE7JW4S615ndkZAkNoUyHgN7ZVm2o6Gb4ChulYylYbc3GrKBIxbf/a/
zG+FA1jDaFETzf3I93k9mTXwVqO94FntT0QJo544evZG0R0SnU++0ED8Vf4GXjza
HFa9llF7b1cq26KqltyMdMKVvvBulRP/F/A8rLIQjcxz++iPAsbw+zOzlTvjwsto
WHPbqCRiOwY1nQ2pM714A5AuTHhdUDqB1O6gyHA43LL5Z/qHQF1hwFGPa4NrzQU6
yuGnBXj8ytqU0CwIPX4WecigUCAkVDNx
-----END CERTIFICATE-----

_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
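The comparison the message above asks for, as an added example that is not part of the original post and not tooling from Google, GeoTrust or the list: a stdlib-only Python script that walks the DER of the two certificates quoted in the post and reports what is identical and what is not. The two base64 bodies are copied verbatim from the message (PEM armour stripped). The DER walker is a minimal one written for this example: it handles only the single-byte tags these certificates use and is not a general X.509 parser. It pulls out the serial number, the validity window, a SHA-256 over the whole SubjectPublicKeyInfo (the value an HPKP-style key pin compares), a SHA-256 over the whole certificate, and every GeneralName URI found in any extension (here the CRL distribution point and the OCSP responder).

```python
import base64
import hashlib

# Base64 bodies of the two "Google Internet Authority G2" certificates quoted
# above (PEM armour stripped), copied verbatim from the message.
PKI_GOOGLE_COM = """MIID8DCCAtigAwIBAgIDAjp2MA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTYxMjMxMjM1OTU5WjBJMQswCQYDVQQG
EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy
bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP
VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv
h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE
ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ
EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC
DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB5zCB5DAfBgNVHSMEGDAWgBTAephojYn7
qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYD
VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwNQYDVR0fBC4wLDAqoCig
JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMC4GCCsGAQUF
BwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMBcGA1UdIAQQ
MA4wDAYKKwYBBAHWeQIFATANBgkqhkiG9w0BAQUFAAOCAQEAJ4zP6cc7vsBv6JaE
+5xcXZDkd9uLMmCbZdiFJrW6nx7eZE4fxsggWwmfq6ngCTRFomUlNz1/Wm8gzPn6
8R2PEAwCOsTJAXaWvpv5Fdg50cUDR3a4iowx1mDV5I/b+jzG1Zgo+ByPF5E0y8tS
etH7OiDk4Yax2BgPvtaHZI3FCiVCUe+yOLjgHdDh/Ob0r0a678C/xbQF9ZR1DP6i
vgK66oZb+TWzZvXFjYWhGiN3GhkXVBNgnwvhtJwoKvmuAjRtJZOcgqgXe/GFsNMP
WOH7sf6coaPo/ck/9Ndx3L2MpBngISMjVROPpBYCCX65r+7bU2S9cS+5Oc4wt7S8
VOBHBw=="""
DRIVE_GOOGLE_COM = """MIIEBDCCAuygAwIBAgIDAjppMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTUwNDA0MTUxNTU1WjBJMQswCQYDVQQG
EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy
bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP
VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv
h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE
ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ
EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC
DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB+zCB+DAfBgNVHSMEGDAWgBTAephojYn7
qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYD
VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMwMTAvoC2g
K4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9ndGdsb2JhbC5jcmwwPQYI
KwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vZ3RnbG9iYWwtb2NzcC5n
ZW90cnVzdC5jb20wFwYDVR0gBBAwDjAMBgorBgEEAdZ5AgUBMA0GCSqGSIb3DQEB
BQUAA4IBAQA21waAESetKhSbOHezI6B1WLuxfoNCunLaHtiONgaX4PCVOzf9G0JY
/iLIa704XtE7JW4S615ndkZAkNoUyHgN7ZVm2o6Gb4ChulYylYbc3GrKBIxbf/a/
zG+FA1jDaFETzf3I93k9mTXwVqO94FntT0QJo544evZG0R0SnU++0ED8Vf4GXjza
HFa9llF7b1cq26KqltyMdMKVvvBulRP/F/A8rLIQjcxz++iPAsbw+zOzlTvjwsto
WHPbqCRiOwY1nQ2pM714A5AuTHhdUDqB1O6gyHA43LL5Z/qHQF1hwFGPa4NrzQU6
yuGnBXj8ytqU0CwIPX4WecigUCAkVDNx"""


def read_tlv(buf, pos):
    # One DER tag-length-value header at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def children(buf, start, end):
    # Yield (tag, tlv_start, value_start, value_end) for each TLV in buf[start:end]
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        yield tag, pos, vs, ve
        pos = ve


def collect_uris(buf, start, end, out):
    # GeneralName uniformResourceIdentifier is [6] IA5String (tag byte 0x86);
    # recurse through every constructed node (bit 0x20 set) to find them.
    for tag, _, vs, ve in children(buf, start, end):
        if tag == 0x86:
            out.append(buf[vs:ve].decode("ascii"))
        elif tag & 0x20:
            collect_uris(buf, vs, ve, out)


def summarize(b64):
    der = base64.b64decode("".join(b64.split()))
    _, cert_vs, _ = read_tlv(der, 0)             # Certificate ::= SEQUENCE
    _, tbs_vs, tbs_ve = read_tlv(der, cert_vs)   # tbsCertificate ::= SEQUENCE
    fields = list(children(der, tbs_vs, tbs_ve))
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # skip EXPLICIT [0] version
    serial, validity, spki = fields[0], fields[3], fields[5]
    not_before, not_after = [der[vs:ve].decode("ascii")
                             for _, _, vs, ve in children(der, validity[2], validity[3])]
    uris = []
    for tag, _, vs, ve in fields[6:]:
        if tag != 0xA3:                           # EXPLICIT [3] extensions
            continue
        (_, _, seq_vs, seq_ve), = children(der, vs, ve)             # Extensions ::= SEQUENCE
        for _, _, ext_vs, ext_ve in children(der, seq_vs, seq_ve):   # Extension ::= SEQUENCE
            _, _, val_vs, val_ve = list(children(der, ext_vs, ext_ve))[-1]  # extnValue OCTET STRING
            collect_uris(der, val_vs, val_ve, uris)
    return {"serial": der[serial[2]:serial[3]].hex(),
            "not_before": not_before, "not_after": not_after,
            "spki_sha256": hashlib.sha256(der[spki[1]:spki[3]]).hexdigest(),  # whole SPKI TLV
            "cert_sha256": hashlib.sha256(der).hexdigest(),
            "uris": uris}
```

Calling summarize() on both blobs and diffing the two dicts gives the answer the post is looking for: the SPKI hash is identical, while the serial (023a76 vs 023a69), the notAfter date (161231235959Z vs 150404151555Z), the whole-certificate fingerprint, and the CRL/OCSP URLs (g.symcb.com and g.symcd.com vs crl.geotrust.com and gtglobal-ocsp.geotrust.com) all differ. Same issuer, same subject, same key, two separate issuances. The practical consequence for anyone pinning: a pin on the SPKI hash matches both certificates, a pin on the certificate fingerprint matches only one of them.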
