[cabfpub] Test Certificates

Jeremy Rowley jeremy.rowley at digicert.com
Fri Jan 27 18:47:04 UTC 2017

Apparently the list includes certificates with an OU of "For testing purpose
only" which is permissible under the BRs. Ignore the second spreadsheet as
the only relevant disclosures are the Verizon certificates issued improperly
as test certificates.

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley
via Public
Sent: Friday, January 27, 2017 11:37 AM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Jeremy Rowley <jeremy.rowley at digicert.com>
Subject: [cabfpub] Test Certificates

Based on the recent post about Symantec's test certificates, we ran a
comprehensive review through crt.sh on certificates issued for "testing
purposes" that violate the baseline requirements in some manner, generally
through inclusion of incorrect O information or through an internal name in
the subjectAltName or CN. 

Here's what we found that chain to a DigiCert operated root:

We've requested that Verizon revoke each of these certificates and put in
place policies and procedures that ensure this does not happen again.
Verizon has already revoked two certificates. We're waiting to hear back
from them about the remaining 26.

Here's a general summary of what we found for the rest of the CAs. Details
on the certs are being sent to the CA running the infrastructure:

Row Labels (Issuer Name)    Count of Issuer Name

C=US, O=Oracle Corporation, OU=Symantec Trust Network, CN=Oracle SSL CA - G2
C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4
C=NL, L=Amsterdam, O=Verizon Enterprise Solutions, OU=Cybertrust, CN=Verizon Public SureServer CA G14-SHA2
C=US, O=Oracle Corporation, OU=VeriSign Trust Network, OU=Class 3 MPKI Secure Server CA, CN=Oracle SSL CA
C=US, O="Entrust, Inc.", OU=See www.entrust.net/legal-terms, OU="(c) 2014 Entrust, Inc. - for authorized use only", CN=Entrust Certification Authority - L1M
C=NL, L=Amsterdam, O=Verizon Enterprise Solutions, OU=Cybertrust, CN=Verizon Public SureServer EV SSL CA G14-SHA2
C=CH, O=SwissSign AG, CN=SwissSign Server Gold CA 2008 - G2
C=NL, L=Amsterdam, O=Verizon Enterprise Solutions, OU=Cybertrust, CN=Verizon Public SureCodeSign CA G14-SHA2
O=VeriSign Trust Network, OU="VeriSign, Inc.", OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Secure Server CA -
C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware
C=CH, O=SwissSign AG, CN=SwissSign EV Gold CA 2014 - G22
C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA, emailAddress=premium-server at thawte.com

Grand Total

This is by no means comprehensive as we simply searched for certificates
labeled as "test" certificates in the identity. Let me know if you have
questions. I sent this only to the CAB Forum mailing list for now, although
I'm happy to share it with the Mozilla dev policy list as well.
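As an added example (not code from the message or from DigiCert), the following Python script reproduces the triage the message describes: it reads crt.sh-style JSON records, flags certificates whose CN or subjectAltName carries an internal name, and tallies the findings per issuer DN the way the pivot table above does. The crt.sh field names and the sample records are assumptions; the incorrect-O check needs the full certificate and is left out.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample records in the shape of crt.sh's JSON output. The field
# names (issuer_name, common_name, name_value with newline-separated SANs) are
# an assumption about that format; the values are invented for the example.
VERIZON_CA = ("C=NL, L=Amsterdam, O=Verizon Enterprise Solutions, "
              "OU=Cybertrust, CN=Verizon Public SureServer CA G14-SHA2")
SAMPLE = json.dumps([
    {"issuer_name": VERIZON_CA, "common_name": "testserver",
     "name_value": "testserver\ntestserver.corp.local"},
    {"issuer_name": VERIZON_CA, "common_name": "test.example.com",
     "name_value": "test.example.com\n10.0.0.5"},
    {"issuer_name": "C=US, O=Example CA, CN=Example Issuing CA",
     "common_name": "test.example.com", "name_value": "test.example.com"},
])

# Suffixes that do not resolve on the public Internet; a hostname under one
# is an internal name no matter how many labels it has.
RESERVED_SUFFIXES = (".local", ".internal", ".corp", ".lan", ".localhost")


def is_internal_name(name):
    """True when a CN/SAN value is an internal name in the BR sense: a
    non-public IP address, a single-label hostname, or a hostname under a
    suffix that is not publicly resolvable."""
    try:
        return not ipaddress.ip_address(name).is_global
    except ValueError:
        pass  # not an IP literal, treat it as a hostname
    host = name.lower().rstrip(".")
    if "." not in host:
        return True
    return host.endswith(RESERVED_SUFFIXES)


def load_records(text):
    return json.loads(text)


def review(records):
    """One finding per certificate whose CN or SANs contain an internal
    name, keeping the offending names for the revocation request."""
    findings = []
    for rec in records:
        names = {rec.get("common_name", "")} | set(rec.get("name_value", "").split("\n"))
        names.discard("")
        internal = sorted(n for n in names if is_internal_name(n))
        if internal:
            findings.append({"issuer_name": rec["issuer_name"], "internal_names": internal})
    return findings


def count_by_issuer(findings):
    """The 'Count of Issuer Name' pivot from the message: findings per issuer DN."""
    return dict(Counter(f["issuer_name"] for f in findings))
```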
