On 03/19/2015 01:01 PM, Peter Bowen wrote:
> On Wed, Mar 18, 2015 at 12:40 PM, Kathleen Wilson <[email protected]> wrote:
>> I propose removing the following root cert from NSS, due to inadequate audit
>> statements.
>>
>> Issuer:
>> CN = e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi
>> O = Elektronik Bilgi Guvenligi A.S.
>> C = TR
>
> In the Pilot CT log, which includes every certificate that the Google
> crawler has seen, I found 19 unexpired certificates issued by this CA.
> Their subjects are as follows (using the default OpenSSL DN to string
> method):
...
> Subject: C=TR, ST=Dazk\xC4\xB1r\xC4\xB1, L=Afyon,
> O=Dazk\xC4\xB1r\xC4\xB1, OU=Dazk\xC4\xB1r\xC4\xB1 Belediyesi,
> CN=online.dazkiri.bel.tr

More on this certificate (reproduced as PEM following the rest of this message):

* it has no subject alternative name extension
* the OCSP responder returns "unknown" as its status
* it has a 1024-bit RSA key

Looking at another certificate (Subject: C=TR, ST=Istanbul, L=Istanbul, O=Eczacibasi Bilisim San. ve Tic. A.S., OU=Altyapi ve Teknoloji Hizmetleri, CN=*.ebi.com.tr/[email protected]):

* it also has no subject alternative name extension
* the OCSP responder also returns "unknown" as its status
* it was signed with sha1WithRSAEncryption despite expiring after 1 January 2017

...
> Given this ratio, I find it very hard to believe that they would be
> able to receive an audit report without qualifications that Mozilla
> would deem unacceptable.

Maybe I'm misinterpreting what you're saying, but did you mean "acceptable" here?

Cheers,
David

PEM for CN=online.dazkiri.bel.tr:

PEM for CN=*.ebi.com.tr:
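The structural findings listed in the message above (no subjectAltName, a 1024-bit RSA key, a sha1WithRSAEncryption signature on a certificate expiring after 1 January 2017) can be checked mechanically from the DER encoding. The following is an added example, not part of the original message: a stdlib-only DER walker whose function names (`tlvs`, `lint`, `enc`, `sample`) are hypothetical, run against constructed, unsigned certificate skeletons. It assumes RSA keys, UTCTime validity dates and a 2048-bit minimum; the OCSP status needs a live query and is not covered.

```python
from datetime import datetime

SHA1_RSA = bytes.fromhex("2a864886f70d010105")  # OID sha1WithRSAEncryption
RSA_KEY = bytes.fromhex("2a864886f70d010101")   # OID rsaEncryption
SAN = bytes.fromhex("551d11")                   # OID subjectAltName

def tlvs(buf):
    """Yield (tag, content) for each DER element at one nesting level."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                            # long form: n & 0x7F length bytes
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        yield tag, buf[i:i + n]
        i += n

def lint(der):
    """Structural findings for one DER certificate (RSA key, UTCTime assumed)."""
    # tbs = serial, signature, issuer, validity, subject, SPKI, [extensions]
    tbs = [f for f in tlvs(next(tlvs(next(tlvs(der))[1]))[1]) if f[0] != 0xA0]
    sig_oid = next(tlvs(tbs[1][1]))[1]
    not_after = list(tlvs(tbs[3][1]))[1][1].decode()
    expires = datetime.strptime(not_after, "%y%m%d%H%M%SZ")
    key = next(tlvs(list(tlvs(tbs[5][1]))[1][1][1:]))[1]   # RSAPublicKey body
    bits = int.from_bytes(next(tlvs(key))[1], "big").bit_length()
    ext_oids = {next(tlvs(ext))[1] for tag, body in tbs[6:] if tag == 0xA3
                for _, ext in tlvs(next(tlvs(body))[1])}
    checks = [(SAN not in ext_oids, "no subjectAltName"),
              (bits < 2048, f"{bits}-bit RSA key"),      # threshold assumed
              (sig_oid == SHA1_RSA and expires > datetime(2017, 1, 1),
               "SHA-1 signature, expires after 2017-01-01")]
    return [msg for failed, msg in checks if failed]

def enc(tag, *parts):  # minimal DER encoder, only for the constructed samples
    body = b"".join(parts)
    n, k = len(body), (len(body).bit_length() + 7) // 8
    size = bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + size + body

def sample(bits, not_after, san):  # constructed, unsigned skeleton; not a real cert
    alg = enc(0x30, enc(0x06, SHA1_RSA), enc(0x05))
    rsa = enc(0x30, enc(0x02, b"\0" + (1 << bits - 1).to_bytes(bits // 8, "big")),
              enc(0x02, b"\x01\x00\x01"))
    spki = enc(0x30, enc(0x30, enc(0x06, RSA_KEY), enc(0x05)), enc(0x03, b"\0", rsa))
    exts = enc(0xA3, enc(0x30, enc(0x30, enc(0x06, SAN), enc(0x04)))) if san else b""
    validity = enc(0x30, enc(0x17, b"150101000000Z"), enc(0x17, not_after))
    tbs = enc(0x30, enc(0xA0, enc(0x02, b"\x02")), enc(0x02, b"\x01"), alg,
              enc(0x30), validity, enc(0x30), spki, exts)
    return enc(0x30, tbs, alg, enc(0x03, b"\0"))
```

To lint a real certificate, pass `lint` the DER bytes, for example the output of `ssl.PEM_cert_to_DER_cert` on a PEM string.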

