On 01/19/16 01:49, Charles Reiss wrote:
> Via censys.io, I found a couple SHA-1 certs with notBefore dates from this year
> which chain to root CAs in Mozilla's program:
[snip]

And here are a couple more, from different subCAs:

- https://crt.sh/?id=12131821 -- chaining to Deutsche Telekom Root CA 2
[T-Systems] via subCA "Shared Business CA 3"


- https://crt.sh/?id=12203339 -- chaining to Baltimore CyberTrust Root
(again) this time via (presumably external) subCA "Postecom CS3"

Also, the OCSP responder for this certificate appears to use an OCSP
responder certificate for some subCA with CN=Postecom CA3 (instead of CS3).

Even SHA-256 certificates from this subCA (e.g.
https://crt.sh/?id=12138276) appear to have an Authority Key Identifier
extension that specifies the serial number of the subCA cert instead of
the keyid:

  X509v3 Authority Key Identifier:
    DirName:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
    serial:07:27:52:62

Does this mean they couldn't be used with a SHA-256 version of the subCA
certificate?
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
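
A small model of the issuer-candidate check behind the question in the message above, added here as an illustration and not part of the original post. It follows the comparison OpenSSL's `X509_check_akid` makes (every field present in the Authority Key Identifier must agree with the candidate issuer certificate); the reissued SHA-256 subCA certificate, its serial number and the key identifier are constructed values.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class CACert:
    subject: str           # subject DN of this CA certificate
    issuer: str            # DN of the CA that signed this CA certificate
    serial: int            # serial number of this CA certificate
    ski: Optional[bytes]   # Subject Key Identifier, if present

@dataclass(frozen=True)
class AKI:
    keyid: Optional[bytes] = None      # keyIdentifier
    cert_issuer: Optional[str] = None  # authorityCertIssuer (DirName)
    cert_serial: Optional[int] = None  # authorityCertSerialNumber

def aki_matches(aki: AKI, candidate: CACert) -> bool:
    """True if candidate agrees with every field that is present in aki."""
    if aki.keyid is not None and candidate.ski is not None:
        if aki.keyid != candidate.ski:
            return False
    # issuer+serial names one specific certificate, not a key
    if aki.cert_serial is not None and aki.cert_serial != candidate.serial:
        return False
    if aki.cert_issuer is not None and aki.cert_issuer != candidate.issuer:
        return False
    return True

ROOT = "/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root"
KEY = bytes.fromhex("aa" * 20)  # constructed SKI, same key pair in both subCA certs

# subCA certificate whose serial the AKI in the message refers to
sha1_subca = CACert("CN=Postecom CS3", ROOT, 0x07275262, KEY)
# hypothetical reissue of the same subCA key with SHA-256 (constructed serial)
sha256_subca = CACert("CN=Postecom CS3", ROOT, 0x0727FFFF, KEY)

leaf_aki_serial = AKI(cert_issuer=ROOT, cert_serial=0x07275262)  # form quoted above
leaf_aki_keyid = AKI(keyid=KEY)                                  # keyid-only form

if __name__ == "__main__":
    for name, aki in (("issuer+serial", leaf_aki_serial), ("keyid", leaf_aki_keyid)):
        for label, ca in (("SHA-1 subCA", sha1_subca), ("SHA-256 subCA", sha256_subca)):
            print(f"{name:14} vs {label:14}: {aki_matches(aki, ca)}")
```
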
