[cabfpub] Test Certificates

Jeremy Rowley jeremy.rowley at digicert.com
Fri Jan 27 11:47:04 MST 2017


Apparently the list includes certificates with an OU of "For testing purpose
only" which is permissible under the BRs. Ignore the second spreadsheet as
the only relevant disclosure is the Verizon certificates issued improperly
as test certificates.

 

Jeremy

 

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley
via Public
Sent: Friday, January 27, 2017 11:37 AM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Jeremy Rowley <jeremy.rowley at digicert.com>
Subject: [cabfpub] Test Certificates

 

Based on the recent post about Symantec's test certificates, we ran a
comprehensive review through crt.sh on certificates issued for "testing
purposes" that violate the baseline requirements in some manner, generally
through inclusion of incorrect O information or through an internal name in
the subjectAltName or CN. 

 

Here's what we found that chain to a DigiCert operated root:

[inline image image002.png (spreadsheet of the affected certificates), scrubbed by the list archive]


We've requested that Verizon revoke each of these certificates and put in
place policies and procedures that ensure this does not happen again.
Verizon has already revoked two certificates. We're waiting to hear back
from them about the remaining 26.

 

Here's a general summary of what we found for the rest of the CAs. Details
on the certs are being sent to the CA running the infrastructure:

Count  Issuer Name
  533  C=US, O=Oracle Corporation, OU=Symantec Trust Network, CN=Oracle SSL CA - G2
   70  C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4
   23  C=NL, L=Amsterdam, O=Verizon Enterprise Solutions, OU=Cybertrust, CN=Verizon Public SureServer CA G14-SHA2
   12  C=US, O=Oracle Corporation, OU=VeriSign Trust Network, OU=Class 3 MPKI Secure Server CA, CN=Oracle SSL CA
   11  C=US, O="Entrust, Inc.", OU=See www.entrust.net/legal-terms, OU="(c) 2014 Entrust, Inc. - for authorized use only", CN=Entrust Certification Authority - L1M
    3  C=NL, L=Amsterdam, O=Verizon Enterprise Solutions, OU=Cybertrust, CN=Verizon Public SureServer EV SSL CA G14-SHA2
    2  C=CH, O=SwissSign AG, CN=SwissSign Server Gold CA 2008 - G2
    2  C=NL, L=Amsterdam, O=Verizon Enterprise Solutions, OU=Cybertrust, CN=Verizon Public SureCodeSign CA G14-SHA2
    2  O=VeriSign Trust Network, OU="VeriSign, Inc.", OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
    2  C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Secure Server CA - G2
    1  C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware
    1  C=CH, O=SwissSign AG, CN=SwissSign EV Gold CA 2014 - G22
    1  C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA, emailAddress=premium-server at thawte.com
  663  Grand Total

 

This is by no means comprehensive as we simply searched for certificates
labeled as "test" certificates in the identity. Let me know if you have
questions. I sent this only to the CAB Forum mailing list for now, although
I'm happy to share it with the Mozilla dev policy list as well.

 

Jeremy
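The review described in the quoted message (search CT for certificates whose identity fields say "test", then check whether they actually violate the BRs through an internal name in the SAN/CN or through identity content that is not the permitted "For testing purpose only" OU) can be automated once the crt.sh results are exported. The script below is an added example and is not DigiCert's tooling or anything from the thread. It parses subject DNs in the comma-separated form crt.sh prints (including quoted values such as O="Entrust, Inc."), uses a simple heuristic for "internal name" (private or reserved IP, single-label host, reserved non-public top-level label; an approximation, since the BR definition depends on public DNS resolvability), and treats an OU beginning "For testing purpose" as the permitted case the reply refers to. The certificate records, the `NON_PUBLIC_TLDS` set and the function names are constructed for the example.

```python
import ipaddress
import re

# Approximation of the BR "Internal Name" notion: labels that are never delegated
# in the public DNS. Constructed list for the example, not an authoritative source.
NON_PUBLIC_TLDS = {"local", "localhost", "internal", "intranet", "corp",
                   "lan", "home", "test", "example", "invalid"}

TEST_MARKER = re.compile(r"\btest(ing)?\b", re.IGNORECASE)
PERMITTED_OU_PREFIX = "for testing purpose"   # OU form the thread says the BRs permit
HOSTLIKE = re.compile(r"^[A-Za-z0-9*.\-:]+$")  # CN values worth treating as a DNS name/IP


def parse_dn(dn):
    """Parse 'C=US, O="Entrust, Inc.", CN=...' into an ordered list of (attr, value).
    Quoted values may contain commas; unquoted values run to the next comma."""
    parts, i, n = [], 0, len(dn)
    while i < n:
        while i < n and dn[i] in " ,":          # skip separators
            i += 1
        eq = dn.find("=", i)
        if i >= n or eq == -1:
            break
        attr = dn[i:eq].strip()
        i = eq + 1
        if i < n and dn[i] == '"':              # quoted value
            j = dn.index('"', i + 1)
            value, i = dn[i + 1:j], j + 1
        else:                                   # unquoted value
            j = dn.find(",", i)
            j = n if j == -1 else j
            value, i = dn[i:j].strip(), j
        parts.append((attr, value))
    return parts


def is_internal_name(name):
    """True when a SAN/CN value looks like an internal name under the heuristic above."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    try:
        ip = ipaddress.ip_address(name)
        return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved
    except ValueError:
        pass
    labels = name.split(".")
    return len(labels) < 2 or labels[-1] in NON_PUBLIC_TLDS


def review_certificate(subject_dn, sans):
    """Classify one leaf certificate. 'flag' is True when it needs CA follow-up:
    either an internal name is present, or a test marker sits in CN/O/OU and is
    not merely the permitted 'For testing purpose only' OU."""
    rdn = parse_dn(subject_dn)
    markers = [(a, v) for a, v in rdn if a in ("CN", "O", "OU") and TEST_MARKER.search(v)]
    permitted = bool(markers) and all(
        a == "OU" and v.lower().startswith(PERMITTED_OU_PREFIX) for a, v in markers)
    names = list(sans) + [v for a, v in rdn if a == "CN" and HOSTLIKE.match(v)]
    internal = sorted({n for n in names if is_internal_name(n)})
    return {
        "test_labelled": bool(markers),
        "permitted_ou": permitted,
        "internal_names": internal,
        "flag": bool(internal) or (bool(markers) and not permitted),
    }


def summarize(records):
    """Review a batch of {'subject': dn, 'sans': [...]} records; returns (flagged_count, findings)."""
    findings = [review_certificate(r["subject"], r["sans"]) for r in records]
    return sum(1 for f in findings if f["flag"]), findings


# Constructed sample records (not from the thread's spreadsheets).
SAMPLE_CERTS = [
    {"subject": "C=US, O=Example Corp, OU=For testing purpose only, CN=www.example.com",
     "sans": ["www.example.com"]},                      # permitted OU, public name: no follow-up
    {"subject": "C=US, O=Test Organization, CN=mail.example.net",
     "sans": ["mail.example.net", "mailserver01"]},     # bogus O plus a single-label internal name
    {"subject": 'C=US, O="Example, Inc.", CN=test.example.org',
     "sans": ["test.example.org", "10.0.0.5"]},         # private IP in the SAN
    {"subject": "C=US, O=Example Corp, CN=api.example.com",
     "sans": ["api.example.com"]},                      # clean
]

if __name__ == "__main__":
    flagged, results = summarize(SAMPLE_CERTS)
    for rec, res in zip(SAMPLE_CERTS, results):
        print(("FLAG " if res["flag"] else "ok   ") + rec["subject"], res["internal_names"])
    print("flagged:", flagged)
```

Run against a crt.sh export, the per-record findings would be grouped by issuer name to produce a count-by-issuer table like the one in the message; the heuristic in `is_internal_name` errs toward flagging, so hits still need a human look before a revocation request goes to the CA.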
