We conducted a search of our databases in September 2016, in which we examined every CN and SAN in every certificate still valid at the time. Each CN and SAN was examined to see if it contained no dot or an invalid DNS suffix; if so, the certificate was classified as an internal server cert and revoked. All remaining CNs and SANs were checked against our internal list of TLDs, built from information provided by ICANN and IANA. That list had a status value associated with each TLD, and our mistake was in excluding TLDs with certain status values.
Our scans conducted this week discovered three additional certificates that had not been revoked as of October 2016. These, and the certificate discovered by Nick, have now been revoked. Here are the links to those certificates:

https://crt.sh/?sha256=A642406A2BDF92DF8C9FB9322A81736506DDED79A20A7CD33CBEFD2AD2581167
https://crt.sh/?sha256=12B3CCC45D66B9CB2206DEF1C5A24B062CCC938694C92A0806D1D34845C0FC19
https://crt.sh/?sha256=E90AFAE4998D2B8103058ADF35810D87CCE5E98A0E1D691D2A558A6A4E115BAC

Thanks again to Nick for discovering this and pointing it out.
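The classification described in the post (bare names with no dot, or names whose rightmost label is not a delegated TLD, are internal server names) as an added example; this is not the CA's code. The TLD registry excerpt and its status labels are constructed stand-ins for the ICANN/IANA data mentioned above; the point of the allow-list of statuses is that the check fails closed when a status label is unfamiliar instead of silently letting a string through.

```python
# Constructed registry excerpt: (tld, status). Status labels are hypothetical.
TLD_REGISTRY = [
    ("com", "delegated"),
    ("org", "delegated"),
    ("xyz", "delegated-new-gtld"),       # in the root zone, different label
    ("corp", "application-withdrawn"),  # applied for, never delegated
    ("test", "reserved"),               # reserved, never delegated
]

# Only labels that mean "present in the public DNS root" count as public.
# Listing accepted labels explicitly, rather than excluding a few, means an
# unknown status makes the name look internal and get flagged for review.
DELEGATED_STATUSES = frozenset({"delegated", "delegated-new-gtld"})


def public_tlds(registry, delegated=DELEGATED_STATUSES):
    """Set of lower-cased TLDs whose status marks them as delegated."""
    return {tld.lower() for tld, status in registry if status in delegated}


def is_internal_name(name, tlds):
    """True if a CN/SAN cannot resolve in the public DNS: it has no dot
    at all, or its rightmost label is not a delegated TLD."""
    n = name.strip().rstrip(".").lower()
    if n.startswith("*."):          # wildcard: judge the base name
        n = n[2:]
    if "." not in n:
        return True
    return n.rsplit(".", 1)[1] not in tlds


def names_requiring_revocation(names, tlds):
    """Subset of a certificate's CN/SAN values that make it an internal cert."""
    return [n for n in names if is_internal_name(n, tlds)]


if __name__ == "__main__":
    cert_names = ["www.example.com", "mailserver",
                  "intranet.example.corp", "*.example.xyz"]
    print(names_requiring_revocation(cert_names, public_tlds(TLD_REGISTRY)))
    # ['mailserver', 'intranet.example.corp']
```

Deriving the TLD set by excluding a status or two (for example everything except "reserved") lets the withdrawn "corp" string pass as a public suffix, which is the class of list-handling mistake the post describes.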

