On 01/26/16 20:33, Ben Wilson wrote:
> The SHA1 certificate issued by Postecom.it with serial number
> 35:6c:f3:ee:ae:90:77:cd:11:aa:11:ec:1d:62:fd:e5:16:b7:ef:09 has been revoked.
>
> Here is the corresponding CRL:
> http://postecert.poste.it/postecomcs3/crl.crl

How about this one? https://crt.sh/?id=12501194&opt=cablint

Has/Will PosteCom scanned their logs for other misissued certificates?

> Ben
>
> -----Original Message-----
> From: Marco Bongiovanni [mailto:[email protected]]
> Sent: Tuesday, January 26, 2016 6:05 AM
>
> we communicate that we have revoked the certificate referred to
> https://crt.sh/?id=
>
> -----Original Message-----
> From: Ben Wilson
> Sent: Monday, January 25, 2016 10:08 AM
> To: 'Charles Reiss' <[email protected]>;
> [email protected]
> Subject: RE: SHA1 certs issued this year chaining to included roots
>
> Thanks for spotting this Charles. We've reached out to Postecom.it for an
> explanation and with a request that they revoke the certificate immediately
> and reissue it with the proper contents.
> Ben Wilson
> DigiCert VP of Compliance
>
> -----Original Message-----
> From: dev-security-policy
> [mailto:[email protected]] On
> Behalf Of Charles Reiss
> Sent: Monday, January 25, 2016 1:23 AM
> To: [email protected]
> Subject: Re: SHA1 certs issued this year chaining to included roots
>
> On 01/19/16 01:49, Charles Reiss wrote:
>> Via censys.io, I found a couple SHA-1 certs with notBefore dates from
>> this year which chain to root CAs in Mozilla's program:
> [snip]
>
> And here are a couple more, from different subCAs:
>
> - https://crt.sh/?id=12131821 -- chaining to Deutsche Telekom Root CA 2
>   [T-Systems] via subCA "Shared Business CA 3"
>
> - https://crt.sh/?id=12203339 -- chaining to Baltimore CyberTrust Root
>   (again) this time via (presumably external) subCA "Postecom CS3"
>
> Also, the OCSP responder for this certificate appears to use an OCSP
> responder certificate for some subCA with CN=Postecom CA3 (instead of CS3).
>
> Even SHA-256 certificates from this subCA (e.g.
> https://crt.sh/?id=12138276) appear to have an Authority Key Identifier
> extension that specifies the serial number of the subCA cert instead of the
> keyid:
>
>     X509v3 Authority Key Identifier:
>         DirName:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
>         serial:07:27:52:62
>
> Does this mean they couldn't be used with a SHA-256 version of the subCA
> certificate?
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

