[cabfpub] Incident report: Internal names in certs expiring after 1st November 2015
erwann.abalea at opentrust.com
Wed Nov 11 23:01:53 UTC 2015
Thanks for this work.
> On 11 Nov 2015 at 21:52, Rob Stradling <rob.stradling at comodo.com> wrote:
> On 09/11/15 09:12, Rob Stradling wrote:
>> OTHER CAs:
>> We widened our investigation to look for certificates with notBefore >=
>> 2nd November 2014 that chain to publicly trusted roots and include any
>> Internal Names or Reserved IP Addresses. We found non-compliant
>> certificates issued by quite a number of other CAs, but I'll document
>> these in another post.
> We've listed those "non-compliant certificates issued by quite a number
> of other CAs" in this spreadsheet:
> - The BRs defer to
> http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml for
> the list of IPv4 address ranges "that the IANA has marked as reserved".
> That page lists the 172/8 range as "LEGACY" rather than "RESERVED", so
> arguably 172.16.0.0 - 172.31.255.255 are _not_ Reserved IP Addresses
> according to the BRs. Since
> https://en.wikipedia.org/wiki/Private_network says otherwise, I've
> included that IPv4 address range in this report.
And you were right, because there’s a footnote in this ipv4-address-space.xml table saying that 172.16.0.0/12 is reserved.
The situation of 192/8 is similar albeit more complicated.
The footnotes section is interesting for people like me who don’t read all the network related RFCs.
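The classification the thread argues about (which subjectAltName entries count as Internal Names or Reserved IP Addresses under the BRs, and why the 172/8 and 192/8 labels in the IANA table are confusing) is easy to get wrong with an ad-hoc check. The scanner below is an added example, not code from this thread, from Comodo or from OpenTrust. The reserved-range table and the set of root-zone TLDs are constructed assumptions for the demonstration; a real compliance scan must load the live IANA ipv4-address-space data and the IANA Root Zone Database instead.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Investigation window discussed in the thread: notBefore on or after
# 2 November 2014, still valid after the 1 November 2015 BR deadline.
SCOPE_NOT_BEFORE = date(2014, 11, 2)
BR_DEADLINE = date(2015, 11, 1)

# Constructed, illustrative table of IPv4 ranges that the IANA registries mark
# as reserved or special-purpose (RFC 6890 era). This is an assumption for the
# example, not a copy of the IANA table; load the live data in a real scan.
RESERVED_IPV4: Dict[str, str] = {
    "0.0.0.0/8": "this network (RFC 1122)",
    "10.0.0.0/8": "private use (RFC 1918)",
    "100.64.0.0/10": "shared address space (RFC 6598)",
    "127.0.0.0/8": "loopback (RFC 1122)",
    "169.254.0.0/16": "link local (RFC 3927)",
    "172.16.0.0/12": "private use (RFC 1918; footnote in the IANA ipv4-address-space table)",
    "192.0.0.0/24": "IETF protocol assignments (RFC 6890)",
    "192.0.2.0/24": "TEST-NET-1 documentation (RFC 5737)",
    "192.88.99.0/24": "6to4 relay anycast (RFC 3068)",
    "192.168.0.0/16": "private use (RFC 1918)",
    "198.18.0.0/15": "benchmarking (RFC 2544)",
    "198.51.100.0/24": "TEST-NET-2 documentation (RFC 5737)",
    "203.0.113.0/24": "TEST-NET-3 documentation (RFC 5737)",
    "224.0.0.0/4": "multicast (RFC 5771)",
    "240.0.0.0/4": "reserved for future use (RFC 1112)",
}
_RESERVED_NETS = [(ipaddress.ip_network(c), why) for c, why in RESERVED_IPV4.items()]

# Constructed subset of root-zone TLDs, enough for the sample below only.
SAMPLE_TLDS: Set[str] = {"com", "net", "org", "fr", "uk"}


def reserved_reason(addr: str) -> Optional[str]:
    """Why `addr` is a Reserved IP Address, or None if it is publicly routable.
    IPv4 uses the explicit table so the /12 boundary of 172.16.0.0 is exact;
    IPv6 relies on the stdlib special-purpose classification."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        for net, why in _RESERVED_NETS:
            if ip in net:
                return why
        return None
    if ip.is_private or ip.is_reserved or ip.is_loopback or ip.is_link_local or ip.is_multicast:
        return "IPv6 special-purpose address"
    return None


def is_internal_name(name: str, root_zone_tlds: Set[str]) -> bool:
    """True if `name` cannot be globally unique in the public DNS: a bare label,
    or a name whose rightmost label is not a TLD in the root zone."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return True
    return labels[-1] not in root_zone_tlds


@dataclass(frozen=True)
class Finding:
    entry: str
    kind: str    # "internal-name" or "reserved-ip"
    reason: str


def scan_sans(sans: Iterable[Tuple[str, str]], root_zone_tlds: Set[str]) -> List[Finding]:
    """Classify (type, value) SAN entries; type is "DNS" or "IP"."""
    findings: List[Finding] = []
    for typ, value in sans:
        if typ == "IP":
            why = reserved_reason(value)
            if why:
                findings.append(Finding(value, "reserved-ip", why))
        elif typ == "DNS" and is_internal_name(value, root_zone_tlds):
            findings.append(Finding(value, "internal-name", "not under a root-zone TLD"))
    return findings


def in_scope(not_before: date, not_after: date) -> bool:
    """Certificate falls inside the thread's investigation window."""
    return not_before >= SCOPE_NOT_BEFORE and not_after > BR_DEADLINE


# Constructed sample SAN list; the 172.31/172.32 and 192.0.2/192.1 pairs sit on
# the boundaries the thread discusses.
SAMPLE_SANS = [
    ("DNS", "www.example.com"),
    ("DNS", "mail"),
    ("DNS", "intranet.corp.local"),
    ("IP", "172.31.255.255"),
    ("IP", "172.32.0.1"),
    ("IP", "192.0.2.1"),
    ("IP", "192.1.2.3"),
    ("IP", "fd00::1"),
]

if __name__ == "__main__":
    if in_scope(date(2015, 3, 1), date(2016, 3, 1)):
        for f in scan_sans(SAMPLE_SANS, SAMPLE_TLDS):
            print(f"{f.kind:14} {f.entry:22} {f.reason}")
```

The explicit CIDR table is used for IPv4 rather than `ipaddress.is_private` because the stdlib's notion of "private" changed across Python versions and does not match the BR wording ("marked as reserved" in the IANA registry); keeping the table as data also makes the 172.16.0.0/12 footnote a reviewable line item rather than hidden behaviour.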