Hello,
I've been informed that all certificates identified as erroneous in this
analysis have been revoked.
Best Regards
Juan Angel
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-securi
ate Server II - 2015
> - Camerfirma Corporate Server - 2009
> - AC CAMERFIRMA AAPP
>
> We discovered 81 certificates that we didn't discover in our previous
> manual analyses of crt.sh. These misissued certificates were due to the
> fact that we had incorrect implementations of TLS
nalyses of crt.sh. These misissued certificates were due to the fact that we
had incorrect implementations of TLS/SSL certificates, each of the errors was
previously corrected.
The reasons why they are incorrect are:
- (3) cablint ERROR commonNames in BR certificates must be from SAN entries
- (
On Wednesday, August 9, 2017 at 9:53:14 PM UTC-4, Alex Gaynor wrote:
> (Whoops, accidentally originally CC'd to m.d.s originally! Original mail
> was to IdenTrust)
>
> Hi,
>
> The following certificates appear to be misissued:
>
> https://crt.sh/?id=77893170&opt=cablint
> https://crt.sh/?id=7794
On 10/08/17 19:35, Jeremy Rowley wrote:
> This is interesting. We had one Sub CA who mis-issued some pre-certs but
> then never issued an actual certificate tied to the pre-certificate. There
> was a previous Mozilla discussion (link coming) where mis-issuance of a
> pre-certificate was akin to m
On August 10, 2017 at 9:44:01 PM, Jakob Bohm via dev-security-policy (
dev-security-policy@lists.mozilla.org) wrote:
On 11/08/2017 00:29, Jonathan Rudenberg wrote:
>
>> On Aug 10, 2017, at 17:04, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>>
>> Can anyone po
On 11/08/2017 00:29, Jonathan Rudenberg wrote:
On Aug 10, 2017, at 17:04, Jakob Bohm via dev-security-policy
wrote:
Can anyone point out a real world X.509 framework that gets confused by
a redundant pathlen:0 in a CA:FALSE certificate? (Merely to assess the
seriousness of the issue, given
> On Aug 10, 2017, at 17:04, Jakob Bohm via dev-security-policy
> wrote:
>
> Can anyone point out a real world X.509 framework that gets confused by
> a redundant pathlen:0 in a CA:FALSE certificate? (Merely to assess the
> seriousness of the issue, given that the certificate was already
> rev
On Thursday, August 10, 2017 at 12:21:18 PM UTC-4, Ryan Sleevi wrote:
> On Thu, Aug 10, 2017 at 11:55 AM, identrust--- via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > On Thursday, August 10, 2017 at 12:23:55 AM UTC-4, Lee wrote:
> > > What's it going to take for moz
On 10/08/2017 20:14, Matthew Hardeman wrote:
Similarly, the cert at https://crt.sh/?id=92235998 has SAN dnsName of
ev-valid.identrustssl.com
It has a normal 2 year validity period.
Which again sounds like a certificate administratively created to serve as a
test point certificate for the root
Forwarding to the right (cert-related) group
Forwarded Message
Subject: Misissued certificates - pathLenConstraint with CA:FALSE
Date: Wed, 9 Aug 2017 19:25:31 -0400
From: Alex Gaynor
To: helpd...@identrust.com, dev-secur...@lists.mozilla.org
Hi,
The following certificates
Sent: Thursday, August 10, 2017 10:44 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Misissued certificates
On Thursday, 10 August 2017 16:55:22 UTC+1, iden...@gmail.com wrote:
> certificates contain the issue. Three (3) of these are real
> certificates; however, one has
Similarly, the cert at https://crt.sh/?id=92235998 has SAN dnsName of
ev-valid.identrustssl.com
It has a normal 2 year validity period.
Which again sounds like a certificate administratively created to serve as a
test point certificate for the root programs.
I don't know whether it was noticed or if it matters to anyone, but I did note
that for at least one of these certificates, particularly the one at
https://crt.sh/?id=92235996 , that the sole SAN dnsName for the certificate is
ev-expired.identrustssl.com.
The cert also had a whopping 24 hours o
On Thursday, 10 August 2017 16:55:22 UTC+1, iden...@gmail.com wrote:
> certificates contain the issue. Three (3) of these are real certificates;
> however, one has expired. We have revoked the other two certificates. The
> remaining two (2) are pre-certificates.
To clear this up for anybody who
My apologies, it was pointed out to me off list that two of these are
pre-certs for other certs in that batch.
Alex
On Thu, Aug 10, 2017 at 12:19 PM, Alex Gaynor wrote:
> Hi IdenTrust,
>
> When you say that the remaining two are pre-certificates, are you
> asserting that no corresponding certif
On Thu, Aug 10, 2017 at 11:55 AM, identrust--- via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Thursday, August 10, 2017 at 12:23:55 AM UTC-4, Lee wrote:
> > What's it going to take for mozilla to set up near real-time
> > monitoring/auditing of certs showing up in ct
Hi IdenTrust,
When you say that the remaining two are pre-certificates, are you asserting
that no corresponding certificate was ever issued? Or merely that we can't
prove one was based on what's in the existing CT logs?
Alex
On Thu, Aug 10, 2017 at 11:55 AM, identrust--- via dev-security-policy
On Thursday, August 10, 2017 at 12:23:55 AM UTC-4, Lee wrote:
> What's it going to take for mozilla to set up near real-time
> monitoring/auditing of certs showing up in ct logs?
>
> Lee
>
> On 8/9/17, Alex Gaynor via dev-security-policy
> wrote:
> > (Whoops, accidentally originally CC'd to m.d.
Lee,
Different parts of Mozilla do monitor CT, both for internal IT
purposes, as well as research into the WebPKI. It seems like crt.sh does
a great job already of handling cablint/x509lint of newly-observed certs.
What are you looking for Mozilla to provide here that isn't already
being accomp
What's it going to take for mozilla to set up near real-time
monitoring/auditing of certs showing up in ct logs?
Lee
On 8/9/17, Alex Gaynor via dev-security-policy
wrote:
> (Whoops, accidentally originally CC'd to m.d.s originally! Original mail
> was to IdenTrust)
>
> Hi,
>
> The following cert
(Whoops, accidentally originally CC'd to m.d.s originally! Original mail
was to IdenTrust)
Hi,
The following certificates appear to be misissued:
https://crt.sh/?id=77893170&opt=cablint
https://crt.sh/?id=77947625&opt=cablint
https://crt.sh/?id=78102129&opt=cablint
https://crt.sh/?id=92235995&op