On 01/19/16 01:49, Charles Reiss wrote:
> Via censys.io, I found a couple SHA-1 certs with notBefore dates from this year
> which chain to root CAs in Mozilla's program:
>
> - https://crt.sh/?id=12089828 -- chains to Baltimore CyberTrust Root [DigiCert]
>   via subCA "Eurida Primary CA" via subCA "DnB NOR ASA PKI Class G"
>
>   Also, the OCSP responder for this certificate appears to not include a
>   nextUpdate field.
>
> - https://crt.sh/?id=12090324 -- chains to Security Communication RootCA1
>   [SECOM] via subCA "YourNet SSL for business"
>
>   Also, this certificate is missing OCSP information and appears to be being
>   served without OCSP stapling support.

I also found this recent SHA-1 cert that appears to chain to "IGC/A" (Government
of France) -- https://crt.sh/?id=12129393

In addition to being a SHA-1 certificate issued this year:

- the OCSP responder for this certificate does not seem to respond to GET
  requests;
- the signing certificate used by the OCSP responder appears to be signed by a
  different subCA (https://crt.sh/?id=115 instead of https://crt.sh/?id=11159611)
  than the one that issued this certificate;
- the signing certificate used by the OCSP responder does not include the
  id-pkix-ocsp-nocheck extension;
- the OCSP response does not include a nextUpdate field; and
- the CRL referenced by the subCA certificate (https://crt.sh/?id=11159611) has a
  nextUpdate 18 months after its last update date. (The BRs require at most 12
  months.)

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
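Two of the findings in this thread (a leaf certificate still carrying a SHA-1 signature algorithm, and a CRL whose nextUpdate sits more than 12 months after thisUpdate) are mechanical enough that a CA compliance reviewer would script them rather than read each object by hand. The following is an added example written for this page; it is not code from the thread, from Mozilla, crt.sh or censys.io. It walks DER directly with no third-party library, so it assumes only the standard X.509 Certificate and CertificateList layouts from RFC 5280. The sample certificate and CRL are constructed inline with a tiny DER encoder (placeholder tbsCertificate and an empty issuer Name), not the real objects linked above, and "12 months" is approximated as 366 days, which is an assumption, not the BRs' wording.

```python
# Added example (not part of the mailing-list thread): automate two of the
# checks reported above on constructed sample DER, without any X.509 library.
from datetime import datetime, timezone

# Signature-algorithm OIDs built on SHA-1 (RFC 3279).
SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
SHA256_RSA_OID = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption, the compliant sample
MAX_CRL_VALIDITY_DAYS = 366               # assumption: "12 months" allowing one leap year

# --- tiny DER encoder, used only to construct the sample inputs ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def der_utctime(dt):
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def alg_id(oid):                         # AlgorithmIdentifier with NULL parameters
    return tlv(0x30, der_oid(oid) + tlv(0x05, b""))

def make_cert(sig_oid):                  # constructed: tbsCertificate is a placeholder
    tbs = tlv(0x30, tlv(0x02, b"\x01"))
    return tlv(0x30, tbs + alg_id(sig_oid) + tlv(0x03, b"\x00\xAA\xAA\xAA\xAA"))

def make_crl(this_update, next_update):  # constructed: version, signature, empty issuer, times
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg_id(SHA256_RSA_OID) + tlv(0x30, b"")
              + der_utctime(this_update) + der_utctime(next_update))
    return tlv(0x30, tbs + alg_id(SHA256_RSA_OID) + tlv(0x03, b"\x00\xAA"))

# --- minimal DER reader ---
def read_tlv(buf, pos):
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:                                # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_time(tag, body):
    s = body.decode("ascii")
    if tag == 0x17:                      # UTCTime: RFC 5280 century rule (YY < 50 -> 20YY)
        yy = int(s[:2])
        s = f"{2000 + yy if yy < 50 else 1900 + yy}{s[2:]}"
    elif tag != 0x18:                    # 0x18 is GeneralizedTime, already four-digit year
        raise ValueError(f"unexpected tag for Time: {tag:#x}")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

# --- the checks ---
def cert_signature_algorithm(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    _, outer, _ = read_tlv(cert_der, 0)
    _tbs, sig_alg, _sig = children(outer)
    oid_tag, oid_body = children(sig_alg[1])[0]
    if oid_tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return decode_oid(oid_body)

def is_sha1_signed(cert_der):
    return cert_signature_algorithm(cert_der) in SHA1_SIG_OIDS

def crl_update_times(crl_der):
    """TBSCertList ::= SEQUENCE { version OPTIONAL, signature, issuer, thisUpdate, nextUpdate OPTIONAL, ... }"""
    _, outer, _ = read_tlv(crl_der, 0)
    fields = children(children(outer)[0][1])
    if fields[0][0] == 0x02:             # optional version INTEGER is present
        fields = fields[1:]
    this_update = parse_time(*fields[2])
    has_next = len(fields) > 3 and fields[3][0] in (0x17, 0x18)
    return this_update, (parse_time(*fields[3]) if has_next else None)

def crl_validity_too_long(crl_der, max_days=MAX_CRL_VALIDITY_DAYS):
    this_update, next_update = crl_update_times(crl_der)
    return next_update is not None and (next_update - this_update).days > max_days

# Constructed samples: one SHA-1 leaf, one SHA-256 leaf, one 18-month CRL, one 12-month CRL.
UTC = timezone.utc
SHA1_CERT = make_cert("1.2.840.113549.1.1.5")
SHA256_CERT = make_cert(SHA256_RSA_OID)
CRL_18_MONTHS = make_crl(datetime(2016, 1, 1, tzinfo=UTC), datetime(2017, 7, 1, tzinfo=UTC))
CRL_12_MONTHS = make_crl(datetime(2016, 1, 1, tzinfo=UTC), datetime(2017, 1, 1, tzinfo=UTC))

if __name__ == "__main__":
    for name, cert in (("sha1 sample", SHA1_CERT), ("sha256 sample", SHA256_CERT)):
        print(name, cert_signature_algorithm(cert), "SHA-1 signature" if is_sha1_signed(cert) else "ok")
    for name, crl in (("18-month CRL", CRL_18_MONTHS), ("12-month CRL", CRL_12_MONTHS)):
        print(name, "nextUpdate exceeds 12 months" if crl_validity_too_long(crl) else "ok")
```

The checker reads only the outer signatureAlgorithm and the two update times, so it deliberately never validates the signature itself; on real input you would feed it the DER from `openssl x509 -outform DER` or `openssl crl -outform DER` and keep the chain verification in OpenSSL. The remaining findings in the report (OCSP GET support, responder certificate issuer, id-pkix-ocsp-nocheck, OCSP nextUpdate) need a live responder and are left to a network-capable tool.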

