[cabfpub] [cabfquest] Fwd: SHA1 certs issued this year chaining to included roots

Ryan Sleevi sleevi at google.com
Tue Jan 19 19:40:11 UTC 2016


Reposting to the public list on Reed's request.

This discussion can be viewed at
https://groups.google.com/d/topic/mozilla.dev.security.policy/SoODejSKGv0/discussion

On Mon, Jan 18, 2016 at 6:15 PM, Reed Loden <reed at reedloden.com> wrote:

> Seems like this should go to public@ as well, considering the recent
> submission by Symantec about their 2016 SHA-1 certs?
>
>
> ---------- Forwarded message ----------
> From: Charles Reiss <woggling at gmail.com>
> Date: Mon, Jan 18, 2016 at 8:49 PM
> Subject: SHA1 certs issued this year chaining to included roots
> To: mozilla-dev-security-policy at lists.mozilla.org
>
>
> Via censys.io, I found a couple SHA-1 certs with notBefore dates from this
> year which chain to root CAs in Mozilla's program:
>
> - https://crt.sh/?id=12089828 -- chains to Baltimore CyberTrust Root
> [DigiCert] via subCA "Eurida Primary CA" via subCA "DnB NOR ASA PKI Class G"
>
> Also, the OCSP responder for this certificate appears to not include a
> nextUpdate field.
>
>
> - https://crt.sh/?id=12090324 -- chains to Security Communication RootCA1
> [SECOM] via subCA "YourNet SSL for business"
>
> Also, this certificate is also missing OCSP information and appears to be
> being served without OCSP stapling support.
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy at lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
> _______________________________________________
> Questions mailing list
> Questions at cabforum.org
> https://cabforum.org/mailman/listinfo/questions
>