In reviewing the Certificate Transparency logs, I noticed that StartCom has issued multiple certificates with identical serial numbers and identical issuer names.

https://crt.sh/?serial=14DCA8 (2014-12-07)
https://crt.sh/?serial=04FF5D653668DB (2015-01-05)
https://crt.sh/?serial=052D14BA553ED0 (2015-02-07)
https://crt.sh/?serial=05B42A4FE11129 (2015-05-17)
https://crt.sh/?serial=0615C666E8C56E (2015-08-05)
https://crt.sh/?serial=0693A7FCC84DD3 (2015-11-10)

Each of these serial numbers has two distinct certificates with no apparent relation between the subject entities.

These certificates do not appear to meet RFC 5280's requirements, which say:

"The serial number MUST be a positive integer assigned by the CA to each certificate. It MUST be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique certificate)" (https://tools.ietf.org/html/rfc5280#section-4.1.2.2)

Thanks,
Peter
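The check behind this report, as an added example that is not part of the post above: walk the DER prefix of each certificate far enough to read the serial and the raw issuer Name, then group on that (issuer, serial) pair as RFC 5280 section 4.1.2.2 defines uniqueness. The sample certificates are constructed here (minimal, unsigned, with a placeholder issuer "Constructed Test CA"); only the serial values are taken from the crt.sh links above, and the helper names are my own.

```python
from collections import defaultdict

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def issuer_and_serial(der):
    """Return (raw issuer Name bytes, serial int) from a DER-encoded X.509 certificate."""
    _, p, _ = _tlv(der, 0)                 # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                 # TBSCertificate SEQUENCE
    tag, start, end = _tlv(der, p)
    if tag == 0xA0:                        # optional [0] EXPLICIT version precedes the serial
        tag, start, end = _tlv(der, end)
    assert tag == 0x02, "serialNumber must be an INTEGER"
    serial = int.from_bytes(der[start:end], "big", signed=True)
    _, _, p = _tlv(der, end)               # skip signature AlgorithmIdentifier; p = issuer start
    _, _, end = _tlv(der, p)               # issuer Name, kept as raw DER for exact comparison
    return der[p:end], serial

def find_collisions(certs):
    """Map each (issuer, serial) pair seen more than once to the labels of its certificates."""
    groups = defaultdict(list)
    for label, der in certs.items():
        groups[issuer_and_serial(der)].append(label)
    return {key: labels for key, labels in groups.items() if len(labels) > 1}

# Constructed sample input: minimal unsigned certificate prefixes, not real StartCom certificates.
def _der(tag, body):                       # DER TLV encoder with minimal length octets (< 65536)
    n = len(body)
    hdr = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + hdr + body

def make_cert(serial, issuer_cn, subject_cn):
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, cn.encode()))))
    version = _der(0xA0, _der(0x02, b"\x02"))                                 # v3
    ser = _der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))  # positive, minimal
    alg = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")))         # sha256WithRSAEncryption
    return _der(0x30, _der(0x30, version + ser + alg + name(issuer_cn) + name(subject_cn)))

SAMPLE = {
    "cert-A": make_cert(0x14DCA8, "Constructed Test CA", "alpha.example"),
    "cert-B": make_cert(0x14DCA8, "Constructed Test CA", "bravo.example"),  # same issuer + serial
    "cert-C": make_cert(0x04FF5D653668DB, "Constructed Test CA", "charlie.example"),
}
```

`find_collisions(SAMPLE)` reports only the 14DCA8 pair; on a real corpus, feed it the DER bytes pulled from the log entries and compare by issuer bytes rather than a printed issuer string, since two names that render identically can still differ in encoding.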