On 02/05/16 20:13, [email protected] wrote:
> Here's a list of all certificates with SHA-1 signatures and notBefore >=
> 2016-01-01, logged in the Certificate Transparency Log:
> https://crt.sh/?cablint=211&minNotBefore=2016-01-01

Some notes on how these look as of now. The listed subCA CNs are:

- DOD CA-28
- DOD CA-27

These chain to DST ACES CA X6, see
https://bugzilla.mozilla.org/show_bug.cgi?id=1037590#c21 and
https://cabforum.org/pipermail/public/2016-February/006696.html

- Intel External Basic Issuing CA 3A

These chain through a technically constrained subordinate CA
https://crt.sh/?id=1250505

- Symantec Private SSL SHA1 CA

These chain to the 1024-bit VeriSign roots 'Class 3 Public Primary
Certification Authority' and 'Class 3 Public Primary Certification
Authority - G2' which are no longer included in Mozilla's root program.
Curiously, the similar COMODO CA 'COMODO Domain Validation Legacy Server
CA 2' (chains to retired root 'UTN - DATACorp SGC') appears to be
exempted from listing? (example cert:
https://crt.sh/?id=12584167&opt=cablint)

- VeriSign Class 3 Secure Server CA - G3
- VeriSign Class 3 International Server CA - G3

I believe these are the certs at
https://cabforum.org/pipermail/public/2016-January/006519.html or
precertificates for them.

- RSA Corporate Server CA v2
- DnB NOR ASA PKI Class G
- Shared Business CA 3
- TI Trust Technologies Global CA
- Postecom CS3
- Aetna Inc. Certificate Authority
- SHECA
- AC Infrastructure
- YourNet SSL for business
- Verizon Public SureServer CA G14-SHA1

These have been mentioned here previously.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

