On a quick re-read of the Baseline Requirements, what DigiCert did here is unusual, but per the letter of the law, not forbidden.
On Thu, 21 May 2026 at 10:13 Hanno Böck <[email protected]> wrote:
> Hi,
>
> This issue was brought up recently on the mailop list by Geert
> Hendrickx, but it has no public archive, so I can't link to it.
>
> It appears Microsoft MX servers are using certificates from DigiCert
> that are chaining to an obsolete root certificate.
>
> E.g., for the host
> outlook-com.olc.protection.outlook.com.:25
> I get a cert chain with a leaf cert signed by
> DigiCert Cloud Services CA-1
> This intermediate cert is signed by
> DigiCert Global Root CA
>
> DigiCert declared this root to be TLS-distrusted by April 15, 2026:
>
> https://knowledge.digicert.com/general-information/digicert-root-and-intermediate-ca-certificate-updates-2023
>
> Subsequently, Mozilla removed the trust bit:
> https://wiki.mozilla.org/CA/Root_CA_Lifecycles
>
> Most Linux distros have some form of certificate package that
> indirectly utilizes the Mozilla root store. I've heard a report from
> someone already affected by this using the latest nixos package.
>
> Due to MTA-STS, an untrusted MX certificate leads to connection
> failures.
>
> While I'm not sure if this is any form of policy violation, it is
> certainly surprising that DigiCert declared a root as "TLS-distrusted"
> and did not make sure that all certs chaining to that root are expired
> or revoked/replaced.
>
> --
> Hanno Böck - Independent security researcher
> https://itsec.hboeck.de/
> https://badkeys.info/
>
> --
> You received this message because you are subscribed to the Google Groups
> "[email protected]" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion visit
> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20260521101253.2522b540%40hboeck.de

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAMEWqGvkfXs1fBR10gV1jEHzJHPkAQCr1Sq8A%3DfLiLzzX2DjkQ%40mail.gmail.com.
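The failure mode in the quoted report, reproduced offline as an added example (this is editorial illustration, not code from the thread, from DigiCert or from Mozilla): a leaf and intermediate that are both unexpired and unrevoked stop validating the moment the root they chain to is dropped from the verifier's trust store, and a cross-signed copy of the same intermediate (same key and subject, signed by a root that is still trusted) repairs the chain without reissuing the leaf. Everything here is a hypothetical PKI minted locally with the openssl CLI (1.1.1 or later); the root names, the hostname mx.example.test and the file names are made up. The live check against the MX named in the thread is left as a comment because it needs network access.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a toy PKI with local openssl
# and shows how root removal from the trust store breaks an otherwise valid chain.
set -e

WORK=$(mktemp -d)
CNF="$WORK/req.cnf"

# One config file drives every openssl call so no system openssl.cnf is needed.
# Section names (ca, leaf) and all subject names below are invented for the demo.
setup_pki() {
  cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mx.example.test
EOF

  # Two self-signed roots: "oldroot" (about to be distrusted) and "newroot".
  for r in oldroot newroot; do
    openssl req -x509 -config "$CNF" -extensions ca -newkey rsa:2048 -nodes \
      -days 30 -keyout "$WORK/$r.key" -out "$WORK/$r.pem" \
      -subj "/CN=Example $r" >/dev/null 2>&1
  done

  # One intermediate key and CSR, signed by the old root: the chain as deployed.
  openssl req -config "$CNF" -newkey rsa:2048 -nodes -keyout "$WORK/int.key" \
    -out "$WORK/int.csr" -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/oldroot.pem" \
    -CAkey "$WORK/oldroot.key" -CAcreateserial -days 30 \
    -extfile "$CNF" -extensions ca -out "$WORK/int.pem" >/dev/null 2>&1

  # Cross-sign: the same CSR (same key, same subject) signed by the new root.
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/newroot.pem" \
    -CAkey "$WORK/newroot.key" -CAcreateserial -days 30 \
    -extfile "$CNF" -extensions ca -out "$WORK/int-cross.pem" >/dev/null 2>&1

  # The MX host's leaf certificate, signed by the intermediate key.
  openssl req -config "$CNF" -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
    -out "$WORK/leaf.csr" -subj "/CN=mx.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" \
    -CAkey "$WORK/int.key" -CAcreateserial -days 30 \
    -extfile "$CNF" -extensions leaf -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# verify_chain TRUSTSTORE INTERMEDIATE LEAF -> prints "ok" or "fail".
# -no-CApath keeps the system CA directory out of the picture, so the result
# depends only on which roots TRUSTSTORE contains, as a fresh ca-certificates
# package would after a root is dropped.
verify_chain() {
  if openssl verify -no-CApath -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

setup_pki
# Store that still contains the old root: the deployed chain validates.
echo "old root trusted:       $(verify_chain "$WORK/oldroot.pem" "$WORK/int.pem" "$WORK/leaf.pem")"
# Store with only the new root: same leaf, same intermediate, now "fail"
# (openssl reports "unable to get local issuer certificate").
echo "old root removed:       $(verify_chain "$WORK/newroot.pem" "$WORK/int.pem" "$WORK/leaf.pem")"
# Serving the cross-signed intermediate instead repairs the chain; the leaf is untouched.
echo "cross-signed intermed.: $(verify_chain "$WORK/newroot.pem" "$WORK/int-cross.pem" "$WORK/leaf.pem")"

# Live equivalent for the MX in the report (needs network; check the
# "Verify return code" line against your distro's bundle path):
#   openssl s_client -starttls smtp -connect outlook-com.olc.protection.outlook.com:25 \
#     -CAfile /etc/ssl/certs/ca-certificates.crt </dev/null
```

The operator-side lesson is the third line: an MTA-STS-enforcing sender only sees what the MX sends in its chain, so swapping the intermediate the server serves for a cross-signed one chaining to a still-trusted root is enough, provided the CA has issued such a cross-sign; the leaf itself need not change.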
