Hi Kathleen. Happy New Year! This is the first of several messages I've been meaning to get around to writing for a month or two...

There are a number of broken and/or duplicate intermediate certificate disclosure records in the CCADB. It'd be really great if you could investigate and look into taking appropriate action to tidy them up.


1.  Summary: Corrupted certificate signatures - SwissSign
Description: https://crt.sh/mozilla-disclosures#unknown shows 4 disclosures for which the PEM certificate data is broken: the certificate signatures are empty and the TBSCertificate.signature algorithm OIDs are set to 0.0!

Cross-checking certificate serial numbers and CCADB Certificate IDs suggests that these 4 broken disclosures might be corrupted duplicates of valid disclosures. The 4 broken records are:

a. CertName: Trend Micro Gold CA
     Issuer: SwissSign Gold CA - G2
  CCADB URL: https://mozillacacommunity.force.com/001o000000xNwKs

b. CertName: AffirmTrust Networking
     Issuer: SwissSign Silver CA - G2
  CCADB URL: https://mozillacacommunity.force.com/001o000000xNLig

c. CertName: DOUGLAS Group CA - G1
     Issuer: SwissSign Silver CA - G2
  CCADB URL: https://mozillacacommunity.force.com/001o000000xNPUS

d. CertName: Trend Micro Silver CA
     Issuer: SwissSign Silver CA - G2
  CCADB URL: https://mozillacacommunity.force.com/001o000000xNw2G

Can you explain why the CCADB allowed these records to be created? (I would expect CCADB to check the signature on each submitted intermediate cert!)

The notBefore/notAfter dates in some of these broken PEM certs don't match the notBefore/notAfter dates in the valid disclosure records that have the same CCADB Certificate IDs. I don't know if this is due to (a) data entry error or if (b) SwissSign have (mis)issued intermediates with duplicate serial numbers. (Hopefully it's (a)!)

The responses to the May 2014 CA Communication [1] led me to [2], but I could not find any of the broken or valid certs there.


[1] https://docs.google.com/spreadsheets/d/1v-Lrxo6mYlyrEli_wSpLsHZvV5dJ_vvSzLTAMfxI5n8/pubhtml

[2] https://swisssign.net/cgi-bin/authority/download

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
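The 0.0 algorithm OID and empty signatures described in the post are detectable with a purely structural check, before any attempt to verify a signature. The following is an added example, not code from the post, from crt.sh or from the CCADB: it splits the outer Certificate SEQUENCE of a PEM blob into tbsCertificate, signatureAlgorithm and signatureValue, flags a 0.0 OID or an empty BIT STRING, and runs against two constructed sample blobs (a minimal certificate skeleton and a corrupted copy of it), not real disclosure data.

```python
import base64

def _members(buf):  # split DER bytes into consecutive (tag, value) elements
    out, pos = [], 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:  # long-form length
            n = ln & 0x7F
            ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + ln]))
        pos += ln
    return out

def decode_oid(raw):  # DER OID content -> dotted string; a lone 0x00 byte decodes to "0.0"
    arcs, acc = [], 0
    for b in raw:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, divmod(arcs[0], 40) + tuple(arcs[1:])))  # first arc 0 or 1 assumed

def check_certificate_pem(pem):  # -> list of problems with the signature fields ([] if sane)
    der = base64.b64decode(pem.split("-----")[2])  # body between the BEGIN/END lines
    parts = _members(_members(der)[0][1])  # members of the outer Certificate SEQUENCE
    if len(parts) != 3:
        return ["not a Certificate SEQUENCE (tbsCertificate, signatureAlgorithm, signatureValue)"]
    (_, tbs), (_, outer_alg), (_, sig_bits) = parts
    tbs_parts = _members(tbs)
    inner_alg = tbs_parts[2 if tbs_parts[0][0] == 0xA0 else 1][1]  # skip [0] version if present
    outer_oid, inner_oid = (decode_oid(_members(a)[0][1]) for a in (outer_alg, inner_alg))
    problems = []
    if "0.0" in (outer_oid, inner_oid):
        problems.append("signature algorithm OID is 0.0")
    if len(sig_bits) <= 1:  # BIT STRING: byte 0 is the unused-bit count, so nothing follows it
        problems.append("signature value is empty")
    return problems

# Constructed sample input (not real CCADB/SwissSign data): a minimal skeleton, well-formed and corrupted.
def _der(tag, payload):  # short-form lengths only; enough for these tiny samples
    return bytes([tag, len(payload)]) + payload
def _skeleton_pem(alg, sig):
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg)  # version, serial, signature
    der = _der(0x30, tbs + alg + _der(0x03, sig))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

SHA256_RSA = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
GOOD_PEM = _skeleton_pem(SHA256_RSA, b"\x00" + bytes(32))  # placeholder signature bytes, structurally present
BROKEN_PEM = _skeleton_pem(_der(0x30, _der(0x06, b"\x00")), b"\x00")  # OID 0.0 and an empty signature
```

A record that passes this check still needs its signature verified against the named issuer; the check only catches data that could never have verified in the first place.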
