Re: AIA CA Issuer field pointing to PEM encoded certs

2020-05-14 Thread Nuno Ponte via dev-security-policy
Dear Hanno,

Many thanks for the report.

This has now been fixed for Multicert and an incident report was filed at 
Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1637093

Best regards,

NP

On Monday, 11 May 2020 at 17:09:08 UTC+1, Hanno Böck wrote:
> Hi,
> 
> As I mentioned in my previous mail I found some instances of CAs
> pointing to PEM encoded certificates in their AIA fields, while they
> should be DER encoded.
> 
> I found such instances for 4 CAs, I'll list them with one example cert
> and the URL of the referenced intermediate.
> 
> Entrust/Affirmtrust:
> https://crt.sh/?id=2747041731
> http://aia.affirmtrust.com/aftov1ca.crt
> 
> Telia:
> https://crt.sh/?id=2793617446
> http://repository.trust.teliasonera.com/teliasoneraservercav2.cer
> 
> Multicert:
> https://crt.sh/?id=2369674005
> http://pki.multicert.com/cert/SSL_CA01.cer
> 
> TWCA:
> https://crt.sh/?id=1238438742
> http://sslserver.twca.com.tw/cacert/secure_sha2_2014.crt
> 
> I have informed all 4 CAs via their problem reporting mechanism from
> CCADB.
> 
> -- 
> Hanno Böck
> https://hboeck.de/

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: AIA CA Issuer field pointing to PEM encoded certs

2020-05-13 Thread Hanno Böck via dev-security-policy
Update:
All 4 CAs have corrected the certs and are now serving DER
encoded intermediates at the URLs.

-- 
Hanno Böck
https://hboeck.de/


AIA CA Issuer field pointing to PEM encoded certs

2020-05-11 Thread Hanno Böck via dev-security-policy
Hi,

As I mentioned in my previous mail I found some instances of CAs
pointing to PEM encoded certificates in their AIA fields, while they
should be DER encoded.

I found such instances for 4 CAs, I'll list them with one example cert
and the URL of the referenced intermediate.

Entrust/Affirmtrust:
https://crt.sh/?id=2747041731
http://aia.affirmtrust.com/aftov1ca.crt

Telia:
https://crt.sh/?id=2793617446
http://repository.trust.teliasonera.com/teliasoneraservercav2.cer

Multicert:
https://crt.sh/?id=2369674005
http://pki.multicert.com/cert/SSL_CA01.cer

TWCA:
https://crt.sh/?id=1238438742
http://sslserver.twca.com.tw/cacert/secure_sha2_2014.crt

I have informed all 4 CAs via their problem reporting mechanism from
CCADB.

-- 
Hanno Böck
https://hboeck.de/
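
Added example, not part of the thread or of any CA's tooling: a Python check that classifies the body served at an AIA CA Issuers URL as DER or PEM, the distinction reported in the messages above. The function names are hypothetical, the sample bytes are constructed, and only the outer ASN.1 SEQUENCE framing is validated, not the certificate contents.

```python
import base64
import re

# Matches one PEM-armoured certificate and captures its base64 payload.
PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def der_sequence_length(data: bytes):
    """Total size of the outer DER SEQUENCE (header + content), or None."""
    if len(data) < 2 or data[0] != 0x30:      # 0x30 = SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:                          # short-form length
        return 2 + first
    n = first & 0x7F                          # long form: n length octets follow
    if n == 0 or n > 4 or len(data) < 2 + n:  # n == 0 is BER indefinite length
        return None
    length = int.from_bytes(data[2:2 + n], "big")
    if length < 0x80 or data[2] == 0:         # DER demands the minimal encoding
        return None
    return 2 + n + length

def classify_aia_body(body: bytes) -> str:
    """Return 'der', 'pem' or 'other' for a caIssuers response body."""
    if der_sequence_length(body) == len(body):
        return "der"
    match = PEM_CERT.search(body)
    if match:
        try:
            inner = base64.b64decode(match.group(1))
        except ValueError:                    # bad padding in the payload
            return "other"
        if der_sequence_length(inner) == len(inner):
            return "pem"
    return "other"

# Constructed sample: a 260-byte SEQUENCE of zero bytes, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, body in [("der", SAMPLE_DER), ("pem", SAMPLE_PEM),
                       ("html", b"<html>404</html>")]:
        print(name, "->", classify_aia_body(body))
```

A body that is DER followed by extra bytes, such as a trailing newline, is reported as `other` because the declared length must match the body size exactly.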