[cabfpub] Incident report: Internal names in certs expiring after 1st November 2015

Erwann Abalea erwann.abalea at opentrust.com
Wed Nov 11 23:01:53 UTC 2015


Thanks for this work.

> Le 11 nov. 2015 à 21:52, Rob Stradling <rob.stradling at comodo.com> a écrit :
> On 09/11/15 09:12, Rob Stradling wrote:
> <snip>
>> We widened our investigation to look for certificates with notBefore >=
>> 2nd November 2014 that chain to publicly trusted roots and include any
>> Internal Names or Reserved IP Addresses.  We found non-compliant
>> certificates issued by quite a number of other CAs, but I'll document
>> these in another post.
> We've listed those "non-compliant certificates issued by quite a number 
> of other CAs" in this spreadsheet:
> https://docs.google.com/spreadsheets/d/13J1gm_3FX-K-3wgC8OuN2znevW_VzWv21ya76BK5OrM/edit?usp=sharing
> Notes:
>
>   - The BRs defer to
> http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml for 
> the list of IPv4 address ranges "that the IANA has marked as reserved". 
>  That page lists the 172/8 range as "LEGACY" rather than "RESERVED", so 
> arguably - are _not_ Reserved IP Addresses 
> according to the BRs.  Since 
> https://en.wikipedia.org/wiki/Private_network says otherwise, I've 
> included that IPv4 address range in this report.

And you were right, because there’s a footnote in this ipv4-address-space.xml table saying that is reserved.
The situation of 192/8 is similar albeit more complicated.

The footnotes section is interesting for people like me who don’t read all the network related RFCs.

Erwann Abalea
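As an added illustration of the kind of scan Rob's report describes (this is not code from the thread, from Comodo, or from any CA), the checker below flags SAN entries that would count as Internal Names or Reserved IP Addresses. The reserved ranges and the internal-suffix list are assumptions for the example, not the BRs' definition; in particular it encodes the RFC 1918 reading of 172/8 and 192/8 discussed above, so 172.16.4.10 is flagged while 172.0.0.1 is not.

```python
import ipaddress

# Assumed reserved ranges: the RFC 1918 blocks (which the IANA registry marks
# reserved only via its footnotes) plus loopback and link-local. Extend from
# the IANA registry as needed; this list is an assumption, not the BR text.
RESERVED_NETWORKS = [
    ipaddress.ip_network(n) for n in (
        "10.0.0.0/8",       # RFC 1918
        "172.16.0.0/12",    # RFC 1918, a subset of the "LEGACY" 172/8 block
        "192.168.0.0/16",   # RFC 1918, a subset of the 192/8 block
        "127.0.0.0/8",      # IPv4 loopback
        "169.254.0.0/16",   # IPv4 link-local
        "fc00::/7",         # IPv6 unique local
        "fe80::/10",        # IPv6 link-local
        "::1/128",          # IPv6 loopback
    )
]

# Suffixes assumed here not to resolve in the public DNS.
INTERNAL_SUFFIXES = (".local", ".localhost", ".internal", ".corp", ".lan")


def classify_san(san):
    """Return a reason string if `san` is non-compliant, else None."""
    try:
        addr = ipaddress.ip_address(san)
    except ValueError:
        addr = None
    if addr is not None:
        # An IP address is only a problem if it falls in a reserved range.
        if any(addr in net for net in RESERVED_NETWORKS):
            return "reserved IP address"
        return None
    name = san.lower().rstrip(".")
    # Unqualified host names (no dot) and non-public suffixes are Internal Names.
    if "." not in name or name.endswith(INTERNAL_SUFFIXES):
        return "internal name"
    return None


def find_noncompliant_sans(sans):
    """Return (san, reason) pairs for every non-compliant SAN entry."""
    return [(s, classify_san(s)) for s in sans if classify_san(s) is not None]


# Constructed sample SAN list; these values are not from any real certificate.
SAMPLE_SANS = ["www.example.com", "mailserver", "intranet.corp", "172.16.4.10",
               "172.0.0.1", "192.168.1.1", "93.184.216.34", "2a00:1450::1", "fe80::1"]

if __name__ == "__main__":
    for san, reason in find_noncompliant_sans(SAMPLE_SANS):
        print(f"{san}: {reason}")
```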
