Hello Richard,

only a small business unit was affected by this problem. We fixed a bug in the software configuration. SHA-1 certs can no longer be issued.

Best regards,
Bernd

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+bernd.nakonzer=t-systems....@lists.mozilla.org] On behalf of Richard Barnes
Sent: Tuesday, February 2, 2016 15:46
To: Nakonzer-Lotz, Bernd
Cc: [email protected]; [email protected]
Subject: Re: AW: SHA1 certs issued this year chaining to included roots

Hi Bernd,

Could you comment on what steps you are taking to prevent further violations of this type?

Thanks,
--Richard

Sent from my iPhone. Please excuse brevity.

> On Feb 2, 2016, at 09:07, "[email protected]" <[email protected]> wrote:
>
> Hello Kathleen,
>
> we revoked all SHA-1 certificates issued this year:
>
> 00a5401e9bafb23523 (Tuesday, February 2, 2016, 11:35:53)
> 009d79636c84ece62a (Tuesday, February 2, 2016, 11:37:25)
> 008e6c17cd66006c11 (Tuesday, February 2, 2016, 11:38:45)
> 2318da5c1485012e (Friday, January 29, 2016, 12:37:36)
> 6dfb9ccc0c5333c6 (Friday, January 29, 2016, 15:10:30)
> 7d5e244530e38c13 (Friday, January 29, 2016, 13:54:00)
> 00bdcda1e1e9b358e8 (Friday, January 29, 2016, 13:55:09)
> 008ab83981f725ff48 (Friday, January 29, 2016, 13:57:51)
>
> The corresponding CRL:
> http://crl.sbca.telesec.de/rl/Shared_Business_CA_3.crl
>
> Best regards,
>
> Bernd
>
> T-Systems International GmbH
> Trust Center Applications
>
> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-bounces+bernd.nakonzer=t-systems.com@lists.mozilla.org] On behalf of Kathleen Wilson
> Sent: Friday, January 29, 2016 22:44
> To: [email protected]
> Subject: Re: SHA1 certs issued this year chaining to included roots
>
>> On 1/25/16 12:22 AM, Charles Reiss wrote:
>>> On 01/19/16 01:49, Charles Reiss wrote:
>>> Via censys.io, I found a couple SHA-1 certs with notBefore dates
>>> from this year which chain to root CAs in Mozilla's program:
>> [snip]
>>
>> And here are a couple more, from different subCAs:
>>
>> - https://crt.sh/?id=12131821 -- chaining to Deutsche Telekom Root CA
>> 2 [T-Systems] via subCA "Shared Business CA 3"
>
> I received email from Bernd of T-Systems saying that from 1 January 2016, 8
> SHA-1 subscriber certificates (SSL) were issued via sub-CA "Shared Business
> CA 3" (chaining to “Deutsche Telekom Root CA 2”) – because of converging use
> cases. Other T-Systems CAs were not affected.
> The problem has been fixed, so SHA-1 certs can no longer be issued.
> The 8 certs will be revoked on February 5 and the corresponding CRL will be
> updated/published.
>
> Thanks,
> Kathleen
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

