I think I fixed it by pasting in the right PEM.

-----Original Message-----
From: Rob Stradling [mailto:[email protected]]
Sent: Monday, May 9, 2016 2:07 PM
To: [email protected]; Ben Wilson <[email protected]>
Subject: Data entry errors (was Re: Undisclosed CA certificates)

On 04/05/16 12:06, Rob Stradling wrote:
<snip>
>>> I'm aiming to produce an (automatically updated) list of CA
>>> certificates that are known to CT but are not (yet) in SalesForce.
>
> As promised, here it is...
>
> https://crt.sh/mozilla-disclosures

This entry is currently in the "Disclosed; Unknown to crt.sh" list:

Microsoft IT SSL SHA2 - 9aa9 Baltimore Baltimore CyberTrust Root Microsoft Corporation Microsoft IT SSL SHA2 280D03194C3141D51152AC160FD1DF675BABFBDA

However, when I search for 280D03194C3141D51152AC160FD1DF675BABFBDA in Salesforce, it brings up a record that actually seems to be for this certificate (which crt.sh currently shows as "Undisclosed, but disclosure is required!"):

https://crt.sh/?sha1=948e1652586240d453287ab69caeb8f2f4f02117

The "X.509 Certificate (PEM)" field in that Salesforce record contains two copies of the 948e1652586240d453287ab69caeb8f2f4f02117 cert. This might be what caused the wrong hash to be calculated.

IINM, it is (still) Mozilla's intention to eventually generate a whitelist of disclosed intermediates, such that only whitelisted or Technically Constrained intermediates will be trusted by Firefox. If so, then errors of this sort could pose a significant problem at some point in the future!

Ben: You might want to fix this record in Salesforce.

Kathleen: Is it possible to persuade Salesforce to validate the entered data correctly, so that CAs are alerted when something like this happens?

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
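
Added example (not part of the original thread, and not Salesforce's or crt.sh's code): one way to do the validation asked for above, accepting a pasted PEM field only when it holds exactly one CERTIFICATE block before the SHA-1 fingerprint is computed. The function names, the placeholder bytes and the "naive" hash over the whole field are assumptions made for illustration; the check does not parse the DER as X.509.

```python
import base64
import hashlib
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

# Constructed placeholder bytes standing in for a DER certificate (not a real one).
SAMPLE_DER = b"\x30\x82" + bytes(range(64))

def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER bytes, upper-case hex."""
    return hashlib.sha1(der).hexdigest().upper()

def to_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block (64-character lines)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----"]) + "\n"

def naive_field_hash(field: str) -> str:
    """Hypothetical unvalidated hash: SHA-1 over everything decoded from the field."""
    b64 = re.sub(r"-----[A-Z ]+-----|\s", "", field)
    return sha1_fingerprint(base64.b64decode(b64))

def check_pem_field(field: str) -> dict:
    """Return the fingerprint only if the field is exactly one CERTIFICATE block."""
    problems, ders = [], []
    for body in PEM_CERT.findall(field):
        try:
            ders.append(base64.b64decode("".join(body.split()), validate=True))
        except ValueError:  # binascii.Error is a subclass of ValueError
            problems.append("block is not valid base64")
    if PEM_CERT.sub("", field).strip():
        problems.append("text outside the PEM block(s)")
    if not ders:
        problems.append("no decodable CERTIFICATE block")
    elif len(ders) > 1:
        kind = ("copies of the same certificate" if len(set(ders)) == 1
                else "different certificates")
        problems.insert(0, f"{len(ders)} blocks ({kind}); expected exactly one")
    fingerprint = sha1_fingerprint(ders[0]) if not problems else None
    return {"ok": not problems, "sha1": fingerprint, "problems": problems}

if __name__ == "__main__":
    pasted_twice = to_pem(SAMPLE_DER) * 2
    print(check_pem_field(pasted_twice))
    print("naive hash matches cert:",
          naive_field_hash(pasted_twice) == sha1_fingerprint(SAMPLE_DER))
```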

