<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal>Apparently the list includes certificates with an OU of “For testing purpose only” which is permissible under the BRs. Ignore the second spreadsheet as the only relevant disclosure are the Verizon certificates issued improperly as test certificates.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Jeremy<o:p></o:p></p><p class=MsoNormal><a name="_MailEndCompose"><o:p> </o:p></a></p><span style='mso-bookmark:_MailEndCompose'></span><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Public [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>Jeremy Rowley via Public<br><b>Sent:</b> Friday, January 27, 2017 11:37 AM<br><b>To:</b> CA/Browser Forum Public Discussion List <public@cabforum.org><br><b>Cc:</b> Jeremy Rowley <jeremy.rowley@digicert.com><br><b>Subject:</b> [cabfpub] Test Certificates<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Based on the recent post about Symantec’s test certificates, we ran a comprehensive review through crt.sh on certificates issued for “testing purposes” that violate the baseline requirements in some manner, generally through inclusion of incorrect O information or through an internal name in the subjectAltName or CN. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Here’s what we found that chain to a DigiCert operated root:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><img width=1309 height=448 style='width:13.6333in;height:4.6708in' id="Picture_x0020_1" src="cid:image002.png@01D27893.10ECB680"><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>We’ve requested that Verizon revoke each of these certificates and put in place policies and procedures that ensure this does not happen again. Verizon has already revoked two certificates. We’re waiting to hear back from them about the remaining 26.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Here’s a general summary of what we found for the rest of the CAs. Details on the certs are being sent to the CA running the infrastructure:<o:p></o:p></p><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=1307 style='width:980.6pt;border-collapse:collapse'><tr style='height:15.6pt'><td width=1158 nowrap valign=bottom style='width:868.6pt;border:none;border-bottom:solid #E2EFDA 1.0pt;background:#548235;padding:0in 5.4pt 0in 5.4pt;height:15.6pt'><p class=MsoNormal><span style='font-size:12.0pt;color:white'>Row Labels<o:p></o:p></span></p></td><td width=149 nowrap valign=bottom style='width:112.0pt;border:none;border-bottom:solid #E2EFDA 1.0pt;background:#548235;padding:0in 5.4pt 0in 5.4pt;height:15.6pt'><p class=MsoNormal><span style='font-size:12.0pt;color:white'>Count of Issuer Name<o:p></o:p></span></p></td></tr><tr style='height:15.6pt'><td width=1158 nowrap valign=bottom style='width:868.6pt;border:none;border-bottom:solid #E2EFDA 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:15.6pt'><p class=MsoNormal><span style='font-size:12.0pt;color:black'>C=US, O=Oracle Corporation, OU=Symantec Trust Network, CN=Oracle SSL CA - G2<o:p></o:p></span></p></td><td width=149 nowrap valign=bottom style='width:112.0pt;border:none;border-bottom:solid #E2EFDA 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:15.6pt'><p class=MsoNormal align=right style='text-align:right'><span style='font-size:12.0pt;color:black'>533<o:p></o:p></span></p></td></tr><tr style='height:15.6pt'><td width=1158 nowrap valign=bottom style='width:868.6pt;border:none;border-bottom:solid #E2EFDA 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:15.6pt'><p class=MsoNormal><span style='font-size:12.0pt;color:black'>C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4<o:p></o:p></span></p></td><td width=149 nowrap valign=bottom style='width:112.0pt;border:none;border-bottom:solid #E2EFDA 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:15.6pt'><p class=MsoNormal align=right style='text-align:right'><span style='font-size:12.0pt;color:black'>70<o:p></o:p></span></p></td></tr><tr style='height:15.6pt'><td width=1158 nowrap valign=bottom style='width:868.6pt;border:none;border-bottom:solid #E2EFDA 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:15.6pt'><p class=MsoNormal><span style='font-size:12.0pt;color:black'>C=NL, L=Amsterdam, O=Verizon Enterprise Solutions, OU=Cybertrust, CN=Verizon Public SureServer CA G14-SHA2<o:p></o:p></span></p></td><td width=149 nowrap valign=bottom style='width:112.0pt;border:none;border-bottom:solid #E2EFDA 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:15.6pt'><p class=MsoNormal align=right style='text-align:right'><span style='font-size:12.0pt;color:black'>23<o:p></o:p></span></p></td></tr><tr style='height:15.6pt'><td width=1158 nowrap valign=bottom style='width:868.6pt;border:none;border-bottom:solid #E2EFDA 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:15.6pt'><p class=MsoNormal><span style='font-size:12.0pt;color:black'>C=US, O=Oracle Corporation, OU=VeriSign Trust Network, OU=Class 3 MPKI Secure Server CA, CN=Oracle SSL CA<o:p></o:p></span></p></td><td width=149 nowrap valign=bottom style='width:112.0pt;border:none;border-bottom:solid #E2EFDA 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:15.6pt'><p class=MsoNormal align=right style='text-align:right'><span style='font-size:12.0pt;color:black'>12<o:p></o:p></span></p></td></tr><tr style='height:15.6pt'><td width=1158 nowrap valign=bottom style='width:868.6pt;border:none;border-bottom:solid #E2EFDA 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:15.6pt'><p class=MsoNormal><span style='font-size:12.0pt;color:black'>C=US, O="Entrust, Inc.", OU=See <a href="http://www.entrust.net/legal-terms">www.entrust.net/legal-terms</a>, OU="(c) 2014 Entrust, Inc. - for authorized use only", CN=Entrust Certification Authority - L1M<o:p></o:p></span></p></td><td width=149 nowrap valign=bottom style='width:112.0pt;border:none;border-bottom:solid #E2EFDA 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:15.6pt'><p class=MsoNormal align=right style='text-align:right'><span style='font-size:12.0pt;color:black'>11<o:p></o:p></span></p></td></tr><tr style='height:15.6pt'><td width=1158 nowrap valign=bottom style='width:868.6pt;border:none;border-bottom:solid #E2EFDA 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:15.6pt'><p class=MsoNormal><span style='font-size:12.0pt;color:black'>C=NL, L=Amsterdam, O=Verizon Enterprise Solutions, OU=Cybertrust, CN=Verizon Public SureServer EV SSL CA G14-SHA2<o:p></o:p></span></p></td><td width=149 nowrap valign=bottom style='width:112.0pt;border:none;border-bottom:solid #E2EFDA 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:15.6pt'><p class=MsoNormal align=right style='text-align:right'><span style='font-size:12.0pt;color:black'>3<o:p></o:p></span></p></td></tr><tr style='height:15.6pt'><td width=1158 nowrap valign=bottom style='width:868.6pt;border:none;border-bottom:solid #E2EFDA 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:15.6pt'><p class=MsoNormal><span style='font-size:12.0pt;color:black'>C=CH, O=SwissSign AG, CN=SwissSign Server Gold CA 2008 - G2<o:p></o:p></span></p></td><td width=149 nowrap valign=bottom style='width:112.0pt;border:none;border-bottom:solid #E2EFDA 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:15.6pt'><p class=MsoNormal align=right style='text-align:right'><span style='font-size:12.0pt;color:black'>2<o:p></o:p></span></p></td></tr><tr style='height:15.6pt'><td width=1158 nowrap valign=bottom style='width:868.6pt;border:none;border-bottom:solid #E2EFDA 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:15.6pt'><p class=MsoNormal><span style='font-size:12.0pt;color:black'>C=NL, L=Amsterdam, O=Verizon Enterprise Solutions, OU=Cybertrust, CN=Verizon Public SureCodeSign CA G14-SHA2<o:p></o:p></span></p></td><td width=149 nowrap valign=bottom style='width:112.0pt;border:none;border-bottom:solid #E2EFDA 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:15.6pt'><p class=MsoNormal align=right style='text-align:right'><span style='font-size:12.0pt;color:black'>2<o:p></o:p></span></p></td></tr><tr style='height:15.6pt'><td width=1158 nowrap valign=bottom style='width:868.6pt;border:none;border-bottom:solid #E2EFDA 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:15.6pt'><p class=MsoNormal><span style='font-size:12.0pt;color:black'>O=VeriSign Trust Network, OU="VeriSign, Inc.", OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign<o:p></o:p></span></p></td><td width=149 nowrap valign=bottom style='width:112.0pt;border:none;border-bottom:solid #E2EFDA 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:15.6pt'><p class=MsoNormal align=right style='text-align:right'><span style='font-size:12.0pt;color:black'>2<o:p></o:p></span></p></td></tr><tr style='height:15.6pt'><td width=1158 nowrap valign=bottom style='width:868.6pt;border:none;border-bottom:solid #E2EFDA 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:15.6pt'><p class=MsoNormal><span style='font-size:12.0pt;color:black'>C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU=Terms of use at <a href="https://www.verisign.com/rpa">https://www.verisign.com/rpa</a> (c)09, CN=VeriSign Class 3 Secure Server CA - G2<o:p></o:p></span></p></td><td width=149 nowrap valign=bottom style='width:112.0pt;border:none;border-bottom:solid #E2EFDA 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:15.6pt'><p class=MsoNormal align=right style='text-align:right'><span style='font-size:12.0pt;color:black'>2<o:p></o:p></span></p></td></tr><tr style='height:15.6pt'><td width=1158 nowrap valign=bottom style='width:868.6pt;border:none;border-bottom:solid #E2EFDA 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:15.6pt'><p class=MsoNormal><span style='font-size:12.0pt;color:black'>C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware<o:p></o:p></span></p></td><td width=149 nowrap valign=bottom style='width:112.0pt;border:none;border-bottom:solid #E2EFDA 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:15.6pt'><p class=MsoNormal align=right style='text-align:right'><span style='font-size:12.0pt;color:black'>1<o:p></o:p></span></p></td></tr><tr style='height:15.6pt'><td width=1158 nowrap valign=bottom style='width:868.6pt;border:none;border-bottom:solid #E2EFDA 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:15.6pt'><p class=MsoNormal><span style='font-size:12.0pt;color:black'>C=CH, O=SwissSign AG, CN=SwissSign EV Gold CA 2014 - G22<o:p></o:p></span></p></td><td width=149 nowrap valign=bottom style='width:112.0pt;border:none;border-bottom:solid #E2EFDA 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:15.6pt'><p class=MsoNormal align=right style='text-align:right'><span style='font-size:12.0pt;color:black'>1<o:p></o:p></span></p></td></tr><tr style='height:15.6pt'><td width=1158 nowrap valign=bottom style='width:868.6pt;border:none;border-bottom:solid #E2EFDA 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:15.6pt'><p class=MsoNormal><span style='font-size:12.0pt;color:black'>C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA, <a href="mailto:emailAddress=premium-server@thawte.com">emailAddress=premium-server@thawte.com</a><o:p></o:p></span></p></td><td width=149 nowrap valign=bottom style='width:112.0pt;border:none;border-bottom:solid #E2EFDA 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:15.6pt'><p class=MsoNormal align=right style='text-align:right'><span style='font-size:12.0pt;color:black'>1<o:p></o:p></span></p></td></tr><tr style='height:15.6pt'><td width=1158 nowrap valign=bottom style='width:868.6pt;padding:0in 5.4pt 0in 5.4pt;height:15.6pt'><p class=MsoNormal><b><span style='font-size:12.0pt;color:black'>Grand Total<o:p></o:p></span></b></p></td><td width=149 nowrap valign=bottom style='width:112.0pt;padding:0in 5.4pt 0in 5.4pt;height:15.6pt'><p class=MsoNormal align=right style='text-align:right'><b><span style='font-size:12.0pt;color:black'>663<o:p></o:p></span></b></p></td></tr></table><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>This is by no means comprehensive as we simply searched for certificates labeled as “test” certificates in the identity. Let me know if you have questions. I sent this only to the CAB Forum mailing list of now, although I’m happy to share it with the Mozilla dev policy list as well.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Jeremy<o:p></o:p></p></div></body></html>