We revoked the affected certificate immediately. One of our customers issued an S/MIME certificate (SHA-1) to misuse it as a gateway certificate. That's the reason why this certificate was identified as an incorrect TLS server certificate (ERROR: SHA-1 not allowed for signing certificates). We specified in our CP/CPS that this practice is not allowed.
We will improve the verification mechanisms to prevent this kind of abuse in the future.

Bernd Nakonzer
T-Systems International GmbH
Trust Center Applications

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+bernd.nakonzer=t-systems....@lists.mozilla.org] On Behalf Of Charles Reiss
Sent: Monday, 9 May 2016 21:40
To: [email protected]
Subject: Re: March 2016 CA Communication Responses

On 04/13/16 20:32, Kathleen Wilson wrote:
> All,
>
> I have added links to reports of the responses to the March 2016 CA
> Communication survey:
>
> https://wiki.mozilla.org/CA:Communications#March_2016_Responses

For the responses to Question 1a:

DocuSign (OpenTrust/Keynectis) indicated 2015 Dec 31, but the following certificate has a notBefore of 10 Feb 2016 and, according to its CRL, was revoked 11 Feb 2016:
- https://crt.sh/?id=16157906&opt=cablint

Government of France indicated by 2015 Dec 31, but the following certificates have notBefores of 11 Jan 2016 and 18 April 2016:
- https://crt.sh/?id=12129393&opt=cablint
- https://crt.sh/?id=18777122&opt=cablint

SECOM indicated 2015 Dec 31, but the following certificate has a notBefore of 7 Jan 2016:
- https://crt.sh/?id=12090324&opt=cablint

T-Systems International GmbH (Deutsche Telekom) indicated 2016 Jan 15 with "revoked: 02/02/2016" in the comment, but the following certificate has a notBefore of 9 March 2016:
- https://crt.sh/?id=15019496&opt=cablint

For the responses to Question 4:

Government of France indicated "None of the above", but the following certificates include the id-kp-serverAuth EKU but no dNSName or iPAddress SAN:
- https://crt.sh/?id=12129393&opt=cablint
- https://crt.sh/?id=18777122&opt=cablint

Government of Hong Kong (SAR) indicated "None of the above", but these certificates (which chain to Hongkong Post Root CA 1) are lacking SAN entries and appear to be intended for TLS server usage:
- https://crt.sh/?id=16024471&opt=cablint
- https://crt.sh/?id=12114285&opt=cablint
> Please keep in mind that the responses are considered preliminary and
> may be changed until April 22, 2016. And remember that up until about
> 2010, some CAs were issuing 10 year TLS/SSL certificates, so this may
> cause some consternation regarding responses to ACTION #1b.
>
> Also, I still need to add the new "ACTION 1a TEXT INPUT" and "ACTION
> 1b TEXT INPUT" data to the reports.
>
> Thanks,
> Kathleen

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
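The two problems Charles Reiss is pointing at through the crt.sh cablint links (a SHA-1 signed certificate with a notBefore after the SHA-1 issuance cut-off, and a certificate asserting id-kp-serverAuth without any dNSName or iPAddress SAN) are easy to check locally on a certificate you hold. The following is an added example, not code from the thread, from T-Systems or from crt.sh/cablint; it assumes the third-party `cryptography` package, it assumes 2016-01-01 as the SHA-1 issuance cut-off (the date the thread's Question 1a responses are measured against), and the sample certificates it lints are constructed in the script itself and are not the certificates referenced above.

```python
"""Local lint for two of the conditions discussed in the thread:
  1. SHA-1 (or MD5) signature on a certificate whose notBefore is on/after the cut-off
  2. id-kp-serverAuth EKU present but no dNSName or iPAddress subjectAltName
Added example using the `cryptography` package; sample certificates are constructed here."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Assumption: SHA-1 signed subscriber certificates must not be issued from 2016-01-01.
SHA1_ISSUANCE_CUTOFF = datetime(2016, 1, 1, tzinfo=timezone.utc)


def not_before_utc(cert: x509.Certificate) -> datetime:
    """notBefore as an aware UTC datetime, across old and new cryptography releases."""
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is None:  # releases before 42 only expose the naive attribute
        nb = cert.not_valid_before.replace(tzinfo=timezone.utc)
    return nb


def lint(cert: x509.Certificate) -> list[str]:
    """Return a list of findings; an empty list means both checks passed."""
    findings = []

    # Check 1: weak signature hash combined with issuance on/after the cut-off.
    sig_hash = cert.signature_hash_algorithm
    nb = not_before_utc(cert)
    if isinstance(sig_hash, (hashes.SHA1, hashes.MD5)) and nb >= SHA1_ISSUANCE_CUTOFF:
        findings.append(
            f"{sig_hash.name.upper()} signature with notBefore {nb:%Y-%m-%d} "
            f"(on or after {SHA1_ISSUANCE_CUTOFF:%Y-%m-%d})"
        )

    # Check 2: serverAuth EKU without a dNSName or iPAddress SAN entry.
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        eku = None
    if eku is not None and ExtendedKeyUsageOID.SERVER_AUTH in eku:
        try:
            san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
            host_names = san.get_values_for_type(x509.DNSName) + san.get_values_for_type(x509.IPAddress)
        except x509.ExtensionNotFound:
            host_names = []  # no SAN extension at all
        if not host_names:  # SAN absent, or present but only e.g. rfc822Name entries
            findings.append("id-kp-serverAuth EKU but no dNSName or iPAddress SAN")

    return findings


# One key and name shared by all constructed samples (test data, not a real CA).
_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "lint-sample.invalid")])


def make_sample(not_before: datetime, hash_alg, eku=None, san=None) -> x509.Certificate:
    """Build a self-signed sample certificate with the requested hash, EKU and SAN."""
    builder = (
        x509.CertificateBuilder()
        .subject_name(_NAME)
        .issuer_name(_NAME)
        .public_key(_KEY.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_before + timedelta(days=365))
    )
    if eku:
        builder = builder.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    if san:
        builder = builder.add_extension(x509.SubjectAlternativeName(san), critical=False)
    return builder.sign(_KEY, hash_alg)


def run_samples() -> dict[str, list[str]]:
    """Lint constructed certificates modelled on the cases raised in the thread."""
    server_auth = [ExtendedKeyUsageOID.SERVER_AUTH]
    dns_san = [x509.DNSName("lint-sample.invalid")]
    utc = timezone.utc
    samples = {
        # SHA-1 issued after the cut-off (shape of the T-Systems case, notBefore 9 March 2016)
        "sha1_after_cutoff": make_sample(datetime(2016, 3, 9, tzinfo=utc), hashes.SHA1(), server_auth, dns_san),
        # SHA-1 issued before the cut-off: not a check-1 finding
        "sha1_before_cutoff": make_sample(datetime(2015, 12, 1, tzinfo=utc), hashes.SHA1(), server_auth, dns_san),
        # serverAuth EKU with no SAN at all (shape of the Government of France case)
        "serverauth_no_san": make_sample(datetime(2016, 1, 11, tzinfo=utc), hashes.SHA256(), server_auth, None),
        # serverAuth EKU whose only SAN entry is an e-mail address: still no host name
        "serverauth_email_san_only": make_sample(
            datetime(2016, 1, 11, tzinfo=utc), hashes.SHA256(), server_auth,
            [x509.RFC822Name("postmaster@lint-sample.invalid")],
        ),
        # SHA-256, serverAuth and a dNSName SAN: passes both checks
        "clean": make_sample(datetime(2016, 2, 10, tzinfo=utc), hashes.SHA256(), server_auth, dns_san),
    }
    return {name: lint(cert) for name, cert in samples.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name}: {findings or 'OK'}")
```

To lint a real certificate instead of the constructed samples, load it with `x509.load_pem_x509_certificate(pem_bytes)` and pass the result to `lint()`; the date check deliberately uses notBefore rather than the current time, because the question in the thread is when the certificate was issued, not whether it is still valid.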

