Re: Certificate with invalid dnsName

2017-07-19 Thread Charles Reiss via dev-security-policy
On 07/19/2017 06:03 PM, Tom wrote: Following that discovery, I've searched for odd (invalid?) DNS names. Here is the list of certificates I've found; it may overlap some discoveries already reported. If I'm correct, these certificates are not revoked, not expired, and probably trusted by Mozilla

RE: Certificate with invalid dnsName

2017-07-19 Thread Jeremy Rowley via dev-security-policy
Thank you, Charles and Tom, for bringing this to the forefront. We have contacted the cross-signed partner and asked for an explanation. We've also demanded revocation within 24 hours and a full scan to determine whether any other certificates exist. Jeremy -Original Message- From:

Re: TunRootCA2 root inclusion request

2017-07-19 Thread Charles Reiss via dev-security-policy
On 07/19/2017 05:10 AM, Aaron Wu wrote: - Tunisian Server Certificate Authority - TunServerCA2 https://crt.sh/?id=79470561=cablint is a certificate for the internal name 'adv-mail.calladvance.local' issued by this CA with a notBefore of 2017.

Re: Certificate with invalid dnsName

2017-07-19 Thread Tom via dev-security-policy
Following that discovery, I've searched for odd (invalid?) DNS names. Here is the list of certificates I've found; it may overlap some discoveries already reported. If I'm correct, these certificates are not revoked, not expired, and probably trusted by Mozilla (crt.sh issuer are marked trusted by

Re: [EXT] Symantec Update on SubCA Proposal

2017-07-19 Thread Eric Mill via dev-security-policy
On Wed, Jul 19, 2017 at 11:31 AM, Steve Medin via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > -Original Message- > > From: dev-security-policy [mailto:dev-security-policy- > > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > > Jakob Bohm via

Re: [EXT] Symantec Update on SubCA Proposal

2017-07-19 Thread David E. Ross via dev-security-policy
On 7/19/2017 8:31 AM, Steve Medin wrote: >> -Original Message- >> From: dev-security-policy [mailto:dev-security-policy- >> bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of >> Jakob Bohm via dev-security-policy >> Sent: Tuesday, July 18, 2017 4:39 PM >> To:

Re: [EXT] Symantec Update on SubCA Proposal

2017-07-19 Thread Jakob Bohm via dev-security-policy
On 19/07/2017 17:31, Steve Medin wrote: -Original Message- From: dev-security-policy [mailto:dev-security-policy- bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of Jakob Bohm via dev-security-policy Sent: Tuesday, July 18, 2017 4:39 PM To:

RE: [EXT] Symantec Update on SubCA Proposal

2017-07-19 Thread Steve Medin via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > Jakob Bohm via dev-security-policy > Sent: Tuesday, July 18, 2017 4:39 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re:

Re: [EXT] Symantec Update on SubCA Proposal

2017-07-19 Thread Alex Gaynor via dev-security-policy
Hi Steve, Thank you for this update on Symantec's progress. I have a few follow-up questions: 1) Did any of the RFP respondents indicate that they could provide the Managed CA solution in the timeframe originally proposed by Google? (August 8th) Alternatively, is December 1st, 2017 the

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-07-19 Thread Rob Stradling via dev-security-policy
On 19/07/17 15:31, Jeremy Rowley via dev-security-policy wrote: You should also filter out expired certs as they aren't usable. I've added a 2nd tab that just shows unexpired certs. I'll also add a column to track the revocation status of each of these certs. I've left the expired certs in

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-07-19 Thread Rob Stradling via dev-security-policy
Hi Alex. This is about issuance (mal)practices, so therefore I didn't omit certs that are already revoked. On 19/07/17 15:29, Alex Gaynor via dev-security-policy wrote: I think there might be a bug in your SQL, one of the offending certs is issued by "C=US, O=U.S. Government, OU=Department of

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-07-19 Thread Jeremy Rowley via dev-security-policy
You should also filter out expired certs as they aren't usable. > On Jul 19, 2017, at 8:30 AM, Alex Gaynor via dev-security-policy > wrote: > > I think there might be a bug in your SQL, one of the offending certs is > issued by "C=US, O=U.S. Government,

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-07-19 Thread Alex Gaynor via dev-security-policy
I think there might be a bug in your SQL, one of the offending certs is issued by "C=US, O=U.S. Government, OU=Department of Homeland Security, OU=Certification Authorities, OU=DHS CA4", who are revoked using OneCRL. Alex On Wed, Jul 19, 2017 at 10:08 AM, Rob Stradling via dev-security-policy <

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-07-19 Thread Peter Gutmann via dev-security-policy
Hanno Böck via dev-security-policy writes: >More dotdot-certificates: Given how widespread (meaning from different CAs) these are, is there some quirk of a widely-used resolver library that allows them? I've done a bit of impromptu testing of various

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-07-19 Thread Rob Stradling via dev-security-policy
On 18/07/17 16:57, Hanno Böck via dev-security-policy wrote: (Due to limitations in the search methodology - scraping crt.sh search results and looping through tlds - I only searched for ..tld. It would certainly be valuable to search further.) Here's a report of all "double dot" certs known

Mis-issuance: URI in dNSName SAN

2017-07-19 Thread Alex Gaynor via dev-security-policy
Morning all, I'd like to report the following instance of mis-issuance: All of the following contain a URI in a dNSName SAN entry. These certificates are neither revoked nor expired, and all are from CAs currently trusted by the Mozilla Root Program. https://crt.sh/?id=124094761=cablint

Re: TunRootCA2 root inclusion request

2017-07-19 Thread Charles Reiss via dev-security-policy
On 07/19/17 05:10, Aaron Wu wrote: - Tunisian Server Certificate Authority - TunServerCA2 https://crt.sh/?id=21813439 is a certificate issued by this CA which has a domain name in the common name but only an email address in the SAN. (The certificate has TLS server/client usage EKUs.)

TunRootCA2 root inclusion request

2017-07-19 Thread Aaron Wu via dev-security-policy
This request from the Government of Tunisia is to include the “Tunisian Root Certificate Authority - TunRootCA2” root certificate, and enable the Websites trust bit. The request is documented in the following bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1233645 BR Self Assessment is

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-07-19 Thread Nick Lamb via dev-security-policy
On Tuesday, 18 July 2017 20:29:50 UTC+1, Jeremy Rowley wrote: > Some of these certs are really old. Is there a reason people were using > double dot names? Are they all mistakes in the certificate request or is > there some logic behind them? Unless I see good evidence to the contrary I will