On 04/05/16 12:06, Rob Stradling wrote:
<snip>
I'm aiming to produce an (automatically updated) list of CA certificates
that are known to CT but are not (yet) in SalesForce.

As promised, here it is...

https://crt.sh/mozilla-disclosures

This entry is currently in the "Disclosed; Unknown to crt.sh" list:
Microsoft IT SSL SHA2 - 9aa9 Baltimore Baltimore CyberTrust Root Microsoft Corporation Microsoft IT SSL SHA2 280D03194C3141D51152AC160FD1DF675BABFBDA

However, when I search for 280D03194C3141D51152AC160FD1DF675BABFBDA in Salesforce, it brings up a record that actually seems to be for this certificate (which crt.sh currently shows as "Undisclosed, but disclosure is required!"):
https://crt.sh/?sha1=948e1652586240d453287ab69caeb8f2f4f02117

The "X.509 Certificate (PEM)" field in that Salesforce record contains two copies of the 948e1652586240d453287ab69caeb8f2f4f02117 cert. This might be what caused the wrong hash to be calculated.

IINM, it is (still) Mozilla's intention to eventually generate a whitelist of disclosed intermediates, such that only whitelisted or Technically Constrained intermediates will be trusted by Firefox. If so, then errors of this sort could pose a significant problem at some point in the future!

Ben: You might want to fix this record in Salesforce.

Kathleen: Is it possible to persuade Salesforce to validate the entered data correctly, so that CAs are alerted when something like this happens?

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
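Validation of the kind asked for above, as an added example in Python (not Salesforce's or crt.sh's code): it extracts every PEM block from a text field, fingerprints each over its DER bytes the way crt.sh does, and flags a field that holds two copies of the same certificate. The DER bytes and the field contents are constructed placeholders, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed placeholder DER bytes standing in for a real certificate;
# NOT a genuine certificate, only something stable to hash.
CONSTRUCTED_DER = bytes.fromhex("308201a2") + b"constructed-certificate-body-not-real"

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM envelope, 64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 fingerprint as crt.sh reports it: hash of the DER encoding, hex."""
    return hashlib.sha1(der).hexdigest()


def extract_certs(field: str) -> list:
    """Return the DER bytes of every PEM block found in the field."""
    return [base64.b64decode("".join(m.split())) for m in PEM_BLOCK.findall(field)]


def validate_pem_field(field: str) -> dict:
    """Checks a CA database should run before accepting a 'PEM certificate' field.
    Exactly one certificate is expected; anything else is reported as a status."""
    fps = [sha1_fingerprint(d) for d in extract_certs(field)]
    if not fps:
        return {"status": "no-certificate", "fingerprints": []}
    if len(fps) > 1:
        # Same fingerprint repeated: the certificate was pasted more than once.
        status = "duplicate" if len(set(fps)) == 1 else "multiple"
        return {"status": status, "fingerprints": fps}
    return {"status": "ok", "fingerprints": fps}


def naive_field_hash(field: str) -> str:
    """Hashing the raw field text instead of the DER yields a meaningless value."""
    return hashlib.sha1(field.encode()).hexdigest()


ONE_COPY = to_pem(CONSTRUCTED_DER)      # the field as it should look
TWO_COPIES = ONE_COPY * 2               # the field with the cert pasted twice

if __name__ == "__main__":
    print(validate_pem_field(ONE_COPY))
    print(validate_pem_field(TWO_COPIES))
```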