It would be better to use example.com and not test.com or anything like that, as that is defined by IANA as a reserved domain.

________________________________________
From: dev-security-policy <dev-security-policy-bounces+yuhongbao_386=hotmail....@lists.mozilla.org> on behalf of Inigo Barreira via dev-security-policy <dev-security-policy@lists.mozilla.org>
Sent: Wednesday, May 31, 2017 9:21:00 AM
To: patryk.szczyglow...@gmail.com; mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: StartCom issuing bogus certificates

Hi all,

There's been a misunderstanding internally when requested to create some "test" certificates as indicated in the Microsoft root program requirements as stated in 4b "Test URLs for each root, or a URL of a publicly accessible server that Microsoft can use to verify the certificates." but of course not this way.

We will revoke them immediately.

Best regards

Iñigo Barreira
CEO
StartCom CA Limited

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+inigo=startcomca....@lists.mozilla.org] On Behalf Of patryk.szczyglowski--- via dev-security-policy
Sent: Wednesday, 31 May 2017 17:45
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: StartCom issuing bogus certificates

Hello,

My first post here. I just noticed StartCom have issued a couple of obviously fake certificates today:

https://crt.sh/?id=146437565
Subject:
    commonName = ov
    organizationName = test
    localityName = Beijing
    stateOrProvinceName = Beijing
    countryName = Beijing
    serialNumber = 123456
X509v3 Subject Alternative Name:
    DNS:www.test.cn

https://crt.sh/?id=146484676
Subject:
    commonName = iv
    givenName = Jeremy
    surname = Liao
    localityName = Beijing
    stateOrProvinceName = Beijing
    countryName = CN
X509v3 Subject Alternative Name:
    DNS:www.test.cn

https://crt.sh/?id=146517428
Subject:
    commonName = ov
    organizationName = test
    localityName = Beijing
    stateOrProvinceName = Beijing
    countryName = Beijing
    serialNumber = 123456
X509v3 Subject Alternative Name:
    DNS:www.test.cn

I am well aware these certificates will not be accepted in Firefox/NSS, but because of the fact their root certificate is still in the NSS trust store, there might be some interest in the community regarding the obvious policy violation.

Regards,
Patryk Szczygłowski

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
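The following is an added example, not part of the thread and not code from any participant or CA: a lint pass over subject dumps in the format posted above. It checks that countryName has the two-letter form X.520 requires and that each SAN falls under a name reserved for documentation or testing (RFC 2606 / RFC 6761), the point the first reply raises. The function names are hypothetical; the two dumps are transcribed from the thread.

```python
import re

# Names reserved for documentation and testing (RFC 2606 / RFC 6761).
RESERVED_SLDS = {"example.com", "example.net", "example.org"}
RESERVED_TLDS = {"test", "example", "invalid", "localhost"}

def is_reserved_name(host):
    """True if host is, or sits under, a reserved documentation/test name."""
    labels = host.lower().rstrip(".").split(".")
    return labels[-1] in RESERVED_TLDS or ".".join(labels[-2:]) in RESERVED_SLDS

def parse_dump(text):
    """Collect 'name = value' subject fields and 'DNS:' SAN entries."""
    fields, sans = {}, []
    for line in text.splitlines():
        sans += re.findall(r"DNS:([^\s,]+)", line)
        m = re.match(r"\s*(\w+)\s*=\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields, sans

def lint_test_cert(text):
    """Return findings for a certificate that is meant to be a test certificate."""
    fields, sans = parse_dump(text)
    findings = []
    country = fields.get("countryName", "")
    # Format check only: two upper-case letters, as ISO 3166-1 alpha-2 codes are.
    if not re.fullmatch(r"[A-Z]{2}", country):
        findings.append(f"countryName {country!r} is not a two-letter code")
    findings += [f"SAN {h} is not a reserved test name"
                 for h in sans if not is_reserved_name(h)]
    return findings

# Subject dumps transcribed from the thread (crt.sh ids 146437565 and 146484676).
OV_DUMP = """commonName = ov
organizationName = test
countryName = Beijing
serialNumber = 123456
X509v3 Subject Alternative Name: DNS:www.test.cn"""
IV_DUMP = """commonName = iv
countryName = CN
X509v3 Subject Alternative Name: DNS:www.test.cn"""

if __name__ == "__main__":
    for label, dump in (("ov", OV_DUMP), ("iv", IV_DUMP)):
        for finding in lint_test_cert(dump):
            print(f"{label}: {finding}")
```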