In reviewing the Certificate Transparency logs, I noticed that StartCom
has issued multiple certificates with identical serial numbers and
identical issuer names.

https://crt.sh/?serial=14DCA8 (2014-12-07)
https://crt.sh/?serial=04FF5D653668DB (2015-01-05)
https://crt.sh/?serial=052D14BA553ED0 (2015-02-07)
https://crt.sh/?serial=05B42A4FE11129 (2015-05-17)
https://crt.sh/?serial=0615C666E8C56E (2015-08-05)
https://crt.sh/?serial=0693A7FCC84DD3 (2015-11-10)

Each of these serial numbers has two distinct certificates with no
apparent relation between the subject entities.

These certificates do not appear to meet RFC 5280's requirements, which say:

   "The serial number MUST be a positive integer assigned by the CA to
   each certificate.  It MUST be unique for each certificate issued by a
   given CA (i.e., the issuer name and serial number identify a unique
   certificate)"
(https://tools.ietf.org/html/rfc5280#section-4.1.2.2)

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
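A check for the requirement quoted in the message, added here as an example and not part of the original post: it applies the RFC 5280 rule that the (issuer name, serial number) pair identifies exactly one certificate, together with the rule that the serial be a positive integer, to a list of CT-style records such as a crt.sh search would produce. The issuer names, subjects and fingerprints in the sample records are constructed placeholders; only the serial values are taken from the message. The serial decoding mirrors DER, so a leading `00` sign pad does not make the same serial look like two different ones.

```python
"""Serial-number checks from RFC 5280 section 4.1.2.2 over CT-style records.

Added example, not code from the original post. The certificate records
below are constructed: the issuer names, subjects and fingerprints are
placeholders; only the serial values are taken from the post.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class CertRecord:
    fingerprint: str   # hex SHA-256 of the DER certificate (constructed here)
    issuer: str        # issuer DN as a string
    subject: str       # subject DN as a string
    serial_hex: str    # serial as shown by a CT log front-end such as crt.sh
    not_before: str


def normalize_serial(serial_hex: str) -> int:
    """Decode a hex serial the way DER does: big-endian two's complement.

    Log front-ends print the raw INTEGER content bytes, so "0014DCA8" and
    "14DCA8" are the same serial (the 00 is a sign pad), while a leading
    byte of 0x80 or above denotes a negative value, which RFC 5280 forbids.
    """
    s = serial_hex.strip().replace(":", "").replace(" ", "").lower()
    if len(s) % 2:
        s = "0" + s
    return int.from_bytes(bytes.fromhex(s), "big", signed=True)


def find_violations(
    records: List[CertRecord],
) -> Tuple[Dict[Tuple[str, int], List[CertRecord]], List[CertRecord]]:
    """Return (duplicates, non_positive).

    duplicates maps an (issuer, serial) pair to the distinct certificates
    sharing it, when there is more than one. Distinctness is by fingerprint:
    the same certificate logged twice is not a violation.
    non_positive lists records whose serial is zero or negative.
    """
    by_key: Dict[Tuple[str, int], Dict[str, CertRecord]] = defaultdict(dict)
    non_positive: List[CertRecord] = []
    for rec in records:
        serial = normalize_serial(rec.serial_hex)
        if serial <= 0:
            non_positive.append(rec)
        by_key[(rec.issuer, serial)][rec.fingerprint.lower()] = rec
    duplicates = {key: list(certs.values())
                  for key, certs in by_key.items() if len(certs) > 1}
    return duplicates, non_positive


ISSUER_A = "CN=Example Class 1 CA, O=Example CA Ltd"     # constructed
ISSUER_B = "CN=Other Example CA, O=Other Example Ltd"    # constructed

# Constructed sample records; serial values 14DCA8 and 04FF5D653668DB are the
# ones cited in the post, everything else is a placeholder.
SAMPLE_RECORDS = [
    CertRecord("a1a1a1a1", ISSUER_A, "CN=alice.example", "14DCA8", "2014-12-07"),
    # Same issuer and serial as above (leading 00 is only a sign pad), different cert.
    CertRecord("b2b2b2b2", ISSUER_A, "CN=bob.example", "0014DCA8", "2014-12-07"),
    # The certificate above logged a second time: same fingerprint, not a violation.
    CertRecord("B2B2B2B2", ISSUER_A, "CN=bob.example", "0014DCA8", "2014-12-07"),
    CertRecord("c3c3c3c3", ISSUER_A, "CN=carol.example", "04FF5D653668DB", "2015-01-05"),
    # Same serial under a different issuer: allowed, uniqueness is per CA.
    CertRecord("d4d4d4d4", ISSUER_B, "CN=dave.example", "14DCA8", "2015-02-01"),
    # Leading byte 0x8F: DER reads this as a negative integer.
    CertRecord("e5e5e5e5", ISSUER_A, "CN=erin.example", "8F01", "2015-03-01"),
]


def report(records: List[CertRecord]) -> List[str]:
    """Human-readable findings, one line per violation."""
    duplicates, non_positive = find_violations(records)
    lines = []
    for (issuer, serial), certs in sorted(duplicates.items()):
        subjects = ", ".join(sorted(c.subject for c in certs))
        lines.append(f"duplicate serial {serial:X} under '{issuer}': {subjects}")
    for rec in non_positive:
        lines.append(f"non-positive serial {rec.serial_hex} under '{rec.issuer}': {rec.subject}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_RECORDS):
        print(line)
```

Run against the constructed records, the check flags the 14DCA8 pair under the first issuer once (the re-logged copy collapses by fingerprint) and the negative serial, and leaves the same serial under a second issuer alone, since the RFC scopes uniqueness to a single CA.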