On Sun, Apr 21, 2024 at 03:11:13PM -0700, 'Amir Omidi (aaomidi)' via 
dev-security-policy@mozilla.org wrote:
> I came across an interesting certificate today: 
> https://crt.sh/?id=2385087905
> 
> According to Censys, this certificate is publicly trusted on one of the major 
> root programs.
> 
> This certificate has a very long lifetime, and just seems to be *weird* in 
> a lot of ways. Are these types of certificates okay to issue from 
> publicly trusted roots/intermediates?

It *may* fall under the "this isn't a server certificate" exception, and
given that it was seemingly issued in 2017 (although it may have been issued
in 2020 and backdated, based on the SCT), many of the current rules around what
constitutes "valid for server authentication" may not apply in any case.

> It does seem that the issuer has been revoked on Mozilla per crt: 
> https://crt.sh/?caid=74630

Well, in that case, there's not much that Mozilla could do anyway.

- Matt
