On 07/19/17 05:10, Aaron Wu wrote:
- Tunisian Server Certificate Authority - TunServerCA2
https://crt.sh/?id=21813439 is a certificate issued by this CA which has a domain name in the common name but only an email address in the SAN. (The certificate has TLS server/client usage EKUs.)
https://crt.sh/?id=99182607 is a revoked certificate issued by this CA which has a domain name in the common name which does not match the domain name in the SAN, which is for a different TLD. (A new certificate with both names in SANs, https://crt.sh/?id=99462700 , has a notBefore which appears to have around the same timestamp as the revocation.)
https://crt.sh/?id=15126121 is an expired certificate (notBefore March 2016; notAfter March 2017) issued by this CA which has a wildcard name in the common name while the SAN contains specific domain names that would be covered by the wildcard only.
https://crt.sh/?id=10975511 is an expired certificate with a notBefore of Oct 2015 and notAfter of Oct 2016 issued by this CA with an iPAddress SAN of 127.0.0.1. (I believe that by 2014, the BRs prohibited issuing internal name certs with validity past November 2015.)
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
