On 06/02/15 15:00, Richard Barnes wrote:
Does the FOITT cert chain up to one of the roots in the Mozilla program?

https://wiki.mozilla.org/CA:IncludedCAs

I only see 3 Swisscom roots and 3 SwissSign roots, nothing that is
obviously Swiss government.

This intermediate CA cert for "Swiss Government SSL CA 01" was issued by the "Baltimore CyberTrust Root" built-in root.

On Thu, Feb 5, 2015 at 6:33 PM, <[email protected]> wrote:

Hi all

A few weeks ago, I got some mails about a broken iframe. The secure
connection to the remote server failed (OCSP error). The site was signed
by Swiss Government SSL CA 01. I contacted the technical support and
they told me that the Federal Office of Information Technology, Systems
and Telecommunication (FOITT) of Switzerland shut down their OCSP
servers! So all secure Swiss gov sites are broken if you require OCSP.
I contacted them directly and tried to explain why the OCSP service is a
requirement for a CA, but they do not react.

Maybe someone of the Mozilla security team could contact them again.

Regards,
Jonas

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy