Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-07-23 Thread Nick Lamb via dev-security-policy
On Sunday, 23 July 2017 20:12:18 UTC+1, Charles Reiss wrote:
> This CA also issued a recent certificate for the unqualified dNSName 
> 'webinterfacestrong': https://crt.sh/?id=177606495

Another name that it shouldn't be possible to issue for, but this time one 
which can actually exist in local networks and therefore is put at risk by the 
existence of such bogus certificates.

From the view on https://crt.sh/ it appears that this CA does not 
automatically log all the certificates it issues which Mozilla will end up 
trusting. It may have issued certificates we haven't seen yet.

DigiCert / Ben, is that statement correct?

If we cannot today see the "whole iceberg" of certificates issued by this 
subCA, and we know it can and does issue problematic certificates, I think it's 
a good candidate for distrust in OneCRL.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
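
As an added example (not part of the thread, and not the tooling of crt.sh or of any CA), a Python lint that flags the kind of dNSName discussed above. The label rule (letters, digits, hyphen) and the two-label minimum are assumptions of this example, and every sample name other than 'webinterfacestrong' is constructed.

```python
import re

# Assumed label syntax: letters, digits and hyphen, 1-63 characters,
# no leading or trailing hyphen.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def lint_dns_name(name):
    """Return a list of findings for one SAN dNSName value (empty list = clean)."""
    if not name or len(name) > 253:
        return ["empty or longer than 253 characters"]
    labels = name.split(".")
    # A wildcard is tolerated only as the complete left-most label.
    if labels[0] == "*":
        labels = labels[1:]
    findings = []
    if len(labels) < 2:
        # Single-label names such as 'webinterfacestrong' resolve only inside
        # a local network, so no public owner can be validated for them.
        findings.append("unqualified (single-label) name")
    for label in labels:
        if not LABEL.fullmatch(label):
            findings.append(f"invalid label {label!r}")
    return findings


def lint_san(names):
    """Map each problematic dNSName to its findings; clean names are omitted."""
    report = {}
    for name in names:
        findings = lint_dns_name(name)
        if findings:
            report[name] = findings
    return report


# Constructed sample SAN list; only the first entry comes from the thread.
SAMPLE_SAN = [
    "webinterfacestrong",
    "www.example.com",
    "*.example.com",
    "bad_host.example.com",
    "example..com",
]

if __name__ == "__main__":
    for name, findings in lint_san(SAMPLE_SAN).items():
        print(f"{name}: {'; '.join(findings)}")
```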


Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-07-23 Thread Charles Reiss via dev-security-policy

On 07/17/2017 11:21 AM, Ben Wilson wrote:

> Dear Jonathan,
>
> Thank you for bringing this to our attention.  We have contacted Intesa 
> Sanpaolo regarding this error and have asked them to correct it as soon as 
> possible.
> Sincerely yours,


This CA also issued a recent certificate for the unqualified dNSName 
'webinterfacestrong': https://crt.sh/?id=177606495
