Re: Certificate with invalid dnsName issued from Baltimore intermediate
On 07/17/2017 11:21 AM, Ben Wilson wrote:
Dear Jonathan,
Thank you for bringing this to our attention. We have contacted Intesa Sanpaolo regarding this error and have asked them to correct it as soon as possible.
Sincerely yours,

This CA also issued a recent certificate for the unqualified dNSName 'webinterfacestrong': https://crt.sh/?id=177606495

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: Certificate with invalid dnsName
On 07/19/2017 06:03 PM, Tom wrote:
Following that discovery, I've searched for odd (invalid?) DNS names. Here is the list of certificates I've found; it may overlap some discoveries already reported. If I'm correct, these certificates are not revoked, not expired, and probably trusted by Mozilla (crt.sh issuers are marked trusted by Mozilla, but not all).

Annotating these certs:

Starting with *:

I believe this cert is presently untrusted by Mozilla due to revocation of all paths to the Federal PKI:
https://crt.sh/?id=7211484 *eis.aetc.af.mil

chains to StartCom (and all of these from StartCom are minor compared to StartCom's other problems):
https://crt.sh/?id=10714112 *g10.net-lab.net

chains to Baltimore CyberTrust Root (DigiCert):
https://crt.sh/?id=48682944 *nuvolaitaliana.it

chains to StartCom:
https://crt.sh/?id=15736178 *assets.blog.cn.net.ru
https://crt.sh/?id=17295812 *dev02.calendar42.com
https://crt.sh/?id=15881220 *dev.1septem.ru
https://crt.sh/?id=15655700 *assets.blog.cn.net.ru
https://crt.sh/?id=17792808 *quickbuild.raptorengineering.io

Starting with -:

chains to QuoVadis:
https://crt.sh/?id=54285413 -d1-datacentre-12g-console-2.its.deakin.edu.au

chains to StartCom:
https://crt.sh/?id=78248795 -1ccenter.777chao.com

Multiple *.:

chains to QuoVadis:
https://crt.sh/?id=13299376 *.*.victoria.ac.nz

I believe this cert is presently trusted by Mozilla only via a technically constrained subCA:
https://crt.sh/?id=44997156 *.*.rnd.unicredit.it

chains to Swisscom:
https://crt.sh/?id=5982951 *.*.int.swisscom.ch

Internal TLDs:

chains to Baltimore CyberTrust Root (DigiCert):
https://crt.sh/?id=33626750 a1.verizon.test

I believe this cert is presently untrusted by Mozilla due to revocation of the relevant subCA:
https://crt.sh/?id=33123653 DAC38997VPN2001A.trmk.corp

chains to Certplus (DocuSign):
https://crt.sh/?id=42475510 naccez.us.areva.corp

I believe these presently lack an unrevoked, unexpired trust path in Mozilla:
https://crt.sh/?id=10621703 collaboration.intra.airbusds.corp
https://crt.sh/?id=48726306 zdeasaotn01.dsmain.ds.corp
Re: Certificate with invalid dnsName
On 07/19/2017 06:03 PM, Tom wrote:
Following that discovery, I've searched for odd (invalid?) DNS names. Here is the list of certificates I've found; it may overlap some discoveries already reported. If I'm correct, these certificates are not revoked, not expired, and probably trusted by Mozilla (crt.sh issuers are marked trusted by Mozilla, but not all).
[snip]

Some additional problematic certs:

chains to Swisscom:
https://crt.sh/?id=175444569 wxadm.swissucc.local

chains to CATCert, notBefore in 2017:
https://crt.sh/?id=98706307 maritim4.mmaritim.local

chains to PROCERT, notBefore in 2017:
https://crt.sh/?id=175466182 fospuca.local

chains to Baltimore Cybertrust Root (DigiCert):
https://crt.sh/?id=12344381 lorweb.local

chains to Baltimore Cybertrust Root (DigiCert), notBefore in 2017:
https://crt.sh/?id=175469208 skbfep01.justica.local
https://crt.sh/?id=175469209 energy.ctd and pt

chains to QuoVadis, notBefore in 2017:
https://crt.sh/?id=175466199 devsrv.pe.siemens.info-com (swapped -/.)

chains to DocuSign, notBefore in 2017:
https://crt.sh/?id=99149574 "www.immonotaireargus.com " (trailing space)
Re: TunRootCA2 root inclusion request
On 07/19/2017 05:10 AM, Aaron Wu wrote:
- Tunisian Server Certificate Authority - TunServerCA2

https://crt.sh/?id=79470561=cablint is a certificate for the internal name 'adv-mail.calladvance.local' issued by this CA with a notBefore of 2017.
Re: TunRootCA2 root inclusion request
On 07/19/17 05:10, Aaron Wu wrote:
- Tunisian Server Certificate Authority - TunServerCA2

https://crt.sh/?id=21813439 is a certificate issued by this CA which has a domain name in the common name but only an email address in the SAN. (The certificate has TLS server/client usage EKUs.)

https://crt.sh/?id=99182607 is a revoked certificate issued by this CA which has a domain name in the common name which does not match the domain name in the SAN, which is for a different TLD. (A new certificate with both names in SANs, https://crt.sh/?id=99462700, has a notBefore which appears to have around the same timestamp as the revocation.)

https://crt.sh/?id=15126121 is an expired certificate (notBefore March 2016; notAfter March 2017) issued by this CA which has a wildcard name in the common name while the SAN contains specific domain names that would be covered by the wildcard only.

https://crt.sh/?id=10975511 is an expired certificate with a notBefore of Oct 2015 and notAfter of Oct 2016 issued by this CA with an iPAddress SAN of 127.0.0.1. (I believe that by 2014, the BRs prohibited issuing internal name certs with validity past November 2015.)
Re: Certificate with invalid dnsName issued from Baltimore intermediate
On 07/18/2017 11:57 AM, Hanno Böck wrote:
More dotdot-certificates:
[snip]

via searching censys.io:

https://crt.sh/?id=174803642 for *..syntaxafrica.com
Issued by GoDaddy in 2016; expires later this year, but revoked (CRL timestamp says a few days after issuance)

https://crt.sh/?id=38662560 for *usmc..afpimsstaging.mil
Issued by U.S. Government in 2012; expired 2015

I also found some old internal name certificates:

https://crt.sh/?id=39441152 for autodiscover.eat...ltransport.local
Issued by GoDaddy in 2012; expired 2015

https://crt.sh/?id=39333847 for autodiscover.jgexchange2.bellgibfamily.local
Issued by GoDaddy in 2012; expired 2015