On 1/25/16 12:22 AM, Charles Reiss wrote:
> On 01/19/16 01:49, Charles Reiss wrote:
>> Via censys.io, I found a couple SHA-1 certs with notBefore dates from this year
>> which chain to root CAs in Mozilla's program:
> [snip]
> And here are a couple more, from different subCAs:
> - https://crt.sh/?id=12131821 -- chaining to Deutsche Telekom Root CA 2
>   [T-Systems] via subCA "Shared Business CA 3"

I received email from Bernd of T-Systems saying that from 1 January
2016, 8 SHA‐1 subscriber certificates (SSL) were issued via sub-CA
"Shared Business CA 3" (chaining to “Deutsche Telekom Root CA 2”) –
because of converging use cases. Other T-Systems CAs were not affected.
The problem has been fixed, so SHA-1 certs can no longer be issued.
The 8 certs will be revoked on February 5 and the corresponding CRL will
be updated/published.
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy