On Fri, Jan 29, 2016 at 4:43 PM, Kathleen Wilson <[email protected]> wrote:
> On 1/25/16 12:22 AM, Charles Reiss wrote:
>
>> On 01/19/16 01:49, Charles Reiss wrote:
>>
>>> Via censys.io, I found a couple SHA-1 certs with notBefore dates from
>>> this year
>>> which chain to root CAs in Mozilla's program:
>>>
>> [snip]
>>
>> And here are a couple more, from different subCAs:
>>
>> - https://crt.sh/?id=12131821 -- chaining to Deutsche Telekom Root CA 2
>> [T-Systems] via subCA "Shared Business CA 3"
>>
>
> I received email from Bernd of T-Systems saying that from 1 January 2016,
> 8 SHA‐1 subscriber certificates (SSL) were issued via sub-CA "Shared
> Business CA 3" (chaining to “Deutsche Telekom Root CA 2”) – because of
> converging use cases. Other T-Systems CAs were not affected.
> The problem has been fixed, so SHA-1 certs can no longer be issued.
> The 8 certs will be revoked on February 5 and the corresponding CRL will
> be updated/published.
>

February 5th? Allow me to quote the BRs:

"""
4.9.1.1 Reasons for Revoking a Subscriber Certificate
The CA SHALL revoke a Certificate within 24 hours if one or more of the
following occurs:
...
The CA is made aware that the Certificate was not issued in accordance with
these Requirements
"""

> Thanks,
> Kathleen
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

