Re: PROCERT issuing certificates with non-random serial numbers

2017-08-16 Thread Andrew Ayer via dev-security-policy
On Wed, 16 Aug 2017 19:56:45 -0700 Andrew Ayer via dev-security-policy wrote: > Every certificate known to CT issued by PROCERT with a notBefore > date after September 30, 2016 has what appears to be a non-random > serial number:

Re: New undisclosed Camerfirma intermediates

2017-08-16 Thread Aaron Wu via dev-security-policy
Hi Jonathan, Thanks for reminding! I've sent mail to POC of AC Camerfirma and these two intermediate certs have been disclosed in CCADB now. Aaron Wu Mozilla Corporation ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org

PROCERT issuing certificates with non-random serial numbers

2017-08-16 Thread Andrew Ayer via dev-security-policy
Every certificate known to CT issued by PROCERT with a notBefore date after September 30, 2016 has what appears to be a non-random serial number: https://crt.sh/?Identity=%25=750 1e:4d:94:48:00:00:00:00:0c:79 2f:84:26:06:00:00:00:00:0b:1b 3d:94:73:d1:00:00:00:00:0a:ab

Re: Bugzilla Bugs re CA issuance of non-compliant certs

2017-08-16 Thread Kathleen Wilson via dev-security-policy
Bugs filed... == Actalis == https://bugzilla.mozilla.org/show_bug.cgi?id=1390974 == Camerfirma == https://bugzilla.mozilla.org/show_bug.cgi?id=1390977 == Certinomis == https://bugzilla.mozilla.org/show_bug.cgi?id=1390978 == certSIGN == https://bugzilla.mozilla.org/show_bug.cgi?id=1390979 ==

Re: Bad characters in dNSNames

2017-08-16 Thread alex.gaynor--- via dev-security-policy
On Wednesday, August 16, 2017 at 11:22:01 AM UTC-4, Rob Stradling wrote: > BTW, I've just asked Alex to look at adding the "CA Owner" field to the > misissued.com reports. :-) > It does this now :-) Cheers, Alex

Re: O=U.S. Government for non-USG entity (IdenTrust)

2017-08-16 Thread Jonathan Rudenberg via dev-security-policy
> On Aug 16, 2017, at 13:44, Jonathan Rudenberg via dev-security-policy > wrote: > > After looking into this more, I’ve found that the majority of certificates > issued by the "IdenTrust ACES CA 2" and "IdenTrust ACES CA 1" intermediates > are not

Re: O=U.S. Government for non-USG entity (IdenTrust)

2017-08-16 Thread Jonathan Rudenberg via dev-security-policy
> On Aug 16, 2017, at 12:52, Jonathan Rudenberg via dev-security-policy > wrote: > > I looked through the CT logs and found 15 more unexpired unrevoked > certificates that are trusted by NSS and appear to have the same inaccurate > organizationName of

Re: Bugzilla Bugs re CA issuance of non-compliant certs

2017-08-16 Thread Kathleen Wilson via dev-security-policy
I will proceed with filing these bugs now. Kathleen

Re: O=U.S. Government for non-USG entity (IdenTrust)

2017-08-16 Thread Jonathan Rudenberg via dev-security-policy
> On Aug 15, 2017, at 14:53, identrust--- via dev-security-policy > wrote: > > On Friday, August 11, 2017 at 6:05:29 PM UTC-4, paul.l...@gmail.com wrote: >> On Friday, August 11, 2017 at 3:43:17 PM UTC-5, iden...@gmail.com wrote: >>> IdenTrust is fully

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-16 Thread identrust--- via dev-security-policy
On Tuesday, August 15, 2017 at 4:42:06 PM UTC-4, Eric Mill wrote: > On Tue, Aug 15, 2017 at 2:47 PM, identrust--- via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > We have been moderately successful in replacing the five (5) > > certificates. One (1) has been

Re: Bad characters in dNSNames

2017-08-16 Thread Jonathan Rudenberg via dev-security-policy
> On Aug 16, 2017, at 11:37, Amus via dev-security-policy > wrote: > > What's wrong with the two Wells Fargo certs? I don't see any invalid > characters in them. https://crt.sh/?opt=cablint=19558707 https://crt.sh/?opt=cablint=11382596 Both have

Re: Bad characters in dNSNames

2017-08-16 Thread Amus via dev-security-policy
What's wrong with the two Wells Fargo certs? I don't see any invalid characters in them. On Wednesday, August 16, 2017 at 9:22:01 AM UTC-6, Rob Stradling wrote: > On 15/08/17 13:29, Gervase Markham via dev-security-policy wrote: > > Hi Rob, > > > > On 26/07/17 11:21, Rob Stradling wrote: > >>

Re: Bad characters in dNSNames

2017-08-16 Thread Rob Stradling via dev-security-policy
On 15/08/17 13:29, Gervase Markham via dev-security-policy wrote: Hi Rob, On 26/07/17 11:21, Rob Stradling wrote: https://docs.google.com/spreadsheets/d/1IACTYMDXcdz4DoMKxkHfePfb5mv2XN68BcB7p6acTqg/edit?usp=sharing Thanks for this. Any chance of saving me a bit of time by cross-referencing

Re: Certificate issued by D-TRUST SSL Class 3 CA 1 2009 with short SerialNumber

2017-08-16 Thread Arno Fiedler via dev-security-policy
On Tuesday, 15 August 2017 16:21:03 UTC+2, Gervase Markham wrote: > On 14/08/17 16:44, Arno Fiedler wrote: > > fulfilled. On 20-07-17 Mozilla asked D-TRUST for clarification, due > > to the holiday period this message reached us on 07-08-17, AF > > answered on 08-08-17 > > I was going to

RE: Certificate with invalid dnsName issued from Baltimore intermediate

2017-08-16 Thread Ben Wilson via dev-security-policy
Attached is an audit from 2016. They are due for another one for 2017. -Original Message- From: Gervase Markham [mailto:g...@mozilla.org] Sent: Tuesday, August 15, 2017 6:55 AM To: Ben Wilson ; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: