On 01/19/16 03:37, Charles Reiss wrote:
> On 01/19/16 03:23, Kurt Roeckx wrote:
>> On Tue, Jan 19, 2016 at 01:49:21AM +0000, Charles Reiss wrote:
>>> Via censys.io, I found a couple SHA-1 certs with notBefore dates from this year
>>> which chain to root CAs in Mozilla's program:
>>
>> I also have some from C=US,O=VeriSign\, Inc.,OU=VeriSign Trust
>> Network,OU=Terms of use at https://www.verisign.com/rpa
>> (c)10,CN=VeriSign Class 3 International Server CA - G3".  I'm not
>> sure that CA is still included, but I think it is.
>>
>> It includes certificates like C=US,ST=California,L=Mountain
>> View,O=Symantec Corp.,CN=psslnoov.symantec.com
> 
> https://crt.sh/?id=11876802 would be an example then.

On further investigation, this certificate is revoked, at 4 Jan 2016 17:42 UTC
according to the CRL (and the OCSP server also responds accordingly). (Its
notBefore datetime is 4 Jan 2016 00:00 UTC.)

> 
> The Class 3 Internal Server CA - G3 appears to have a cert issued from "VeriSign
> Class 3 Public Primary Certification Authority - G5", which is an included CA
> with the websites trust bit enabled.
> 
> 
>> I didn't have time to file bugs for this yet.
>>
>>
>> Kurt
>>
> 

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
