Symantec has an additional disclosure regarding internal name certificates valid after October 1. First, we disclose 3 certificates that remained valid after October 1 but expired prior to our previous report. Second, we disclose 3 certificates that were revoked as a result of our analysis but not included in our initial report.
The cause of both issues is the execution of a query to inform us what action needed to be taken within 24 hours. That result excluded revoked and expired certificates. This led to our initial report of additional certificates revoked along with the one reported to us by Nick Lamb. The specific cause of the additional revoked but not disclosed certificates is proactive effort by a team member to consult with two customers with relationship/enterprise accounts concurrent with other efforts to work with individual certificate owners. The revoked relationship/enterprise account certificates we disclose today were revoked prior to execution of the report and the report was used as the basis for our prior disclosure.

Disclosure:
https://crt.sh/?q=3518624
https://crt.sh/?q=78728901
https://crt.sh/?q=78728902
https://crt.sh/?q=78728903
https://crt.sh/?q=78728904
https://crt.sh/?q=78728905

> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-[email protected]] On Behalf Of Rick Andrews
> Sent: Wednesday, January 11, 2017 10:26 AM
> To: [email protected]
> Subject: Re: Compliance with 7.1.4.2.1 (internal names revocation)
>
> We conducted a search of our databases in September 2016, in which we examined every CN and SAN in every certificate still valid at the time. Each CN and SAN was examined to see if it contained no dot or an invalid DNS suffix; if so, the certificate was classified as an internal server cert and revoked. For all remaining CNs and SANs, those were checked against our internal list of TLDs built from information provided by ICANN and IANA. That list had a status value associated with each TLD, and our mistake was in excluding TLDs with certain status values.
>
> Our scans conducted this week discovered three additional certificates that had not been revoked as of October 2016. These, and the certificate discovered by Nick, have now been revoked. Here are the links to those certificates:
>
> https://crt.sh/?sha256=A642406A2BDF92DF8C9FB9322A81736506DDED79A20A7CD33CBEFD2AD2581167
> https://crt.sh/?sha256=12B3CCC45D66B9CB2206DEF1C5A24B062CCC938694C92A0806D1D34845C0FC19
> https://crt.sh/?sha256=E90AFAE4998D2B8103058ADF35810D87CCE5E98A0E1D691D2A558A6A4E115BAC
>
> Thanks again to Nick for discovering this and pointing it out.
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
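The reporting gap described in this message, as an added example (not Symantec's query or code): a query answering "what still needs revoking now" drops certificates that have since expired or been revoked, while the disclosure question is "which internal-name certificates were valid after October 1". The record fields, certificate ids, dates and the three-entry TLD set are constructed assumptions.

```python
from datetime import datetime, timezone

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

CUTOFF = utc(2016, 10, 1)               # "valid after October 1" from the thread
KNOWN_TLDS = {"com", "net", "org"}      # constructed stand-in for an ICANN/IANA-derived list

def is_internal_name(name, tlds=KNOWN_TLDS):
    """Internal if the name has no dot or its last label is not a known TLD."""
    labels = name.rstrip(".").lower().split(".")
    return len(labels) < 2 or labels[-1] not in tlds

def has_internal_name(cert):
    # Every CN and SAN is checked; one internal name is enough.
    return any(is_internal_name(n) for n in cert["names"])

def action_needed(certs, now):
    """Operational query: internal-name certs still unexpired and unrevoked at 'now'."""
    return [c["id"] for c in certs
            if has_internal_name(c) and c["revoked_at"] is None and c["not_after"] > now]

def must_disclose(certs, cutoff=CUTOFF):
    """Disclosure query: internal-name certs usable at any time after the cutoff,
    regardless of whether they have expired or been revoked since."""
    out = []
    for c in certs:
        end = c["not_after"]
        if c["revoked_at"] is not None:
            end = min(end, c["revoked_at"])   # validity ends at whichever comes first
        if has_internal_name(c) and end > cutoff:
            out.append(c["id"])
    return out

# Constructed sample records (hypothetical ids, names and dates).
CERTS = [
    {"id": "A", "names": ["mail.corp"], "not_after": utc(2017, 6, 1), "revoked_at": None},
    {"id": "B", "names": ["intranet"], "not_after": utc(2016, 12, 15), "revoked_at": None},
    {"id": "C", "names": ["www.example.com", "host.internal"],
     "not_after": utc(2017, 9, 1), "revoked_at": utc(2017, 1, 9)},
    {"id": "D", "names": ["www.example.com"], "not_after": utc(2017, 9, 1), "revoked_at": None},
    {"id": "E", "names": ["server.lan"], "not_after": utc(2017, 3, 1), "revoked_at": utc(2016, 9, 20)},
]
REPORT_RUN = utc(2017, 1, 11)           # constructed time at which the report query runs

if __name__ == "__main__":
    print("action needed:", action_needed(CERTS, REPORT_RUN))
    print("must disclose:", must_disclose(CERTS))
```

Certificates B (expired before the report ran) and C (revoked just before it ran) appear only in the disclosure set, which is the difference between the two questions.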

