Thank you, Charles and Tom, for bringing this to the forefront.  We have
contacted the cross-signed partner and asked for an explanation. We've also
demanded revocation within 24 hours and a full scan to determine whether any
other certificates exist.  


-----Original Message-----
From: dev-security-policy
.org] On Behalf Of Charles Reiss via dev-security-policy
Sent: Wednesday, July 19, 2017 7:02 PM
Subject: Re: Certificate with invalid dnsName

On 07/19/2017 06:03 PM, Tom wrote:
> Following that discovery, I've searched for odd (invalid?) DNS names.
> Here is the list of certificates I've found; it may overlap some 
> discoveries already reported.
> If I'm correct, these certificates are not revoked, not expired, and 
> probably trusted by Mozilla (issuers are marked trusted by 
> Mozilla, but not all).

Some additional problematic certs:

chains to Swisscom:  wxadm.swissucc.local

chains to CATCert, notBefore in 2017:   maritim4.mmaritim.local

chains to PROCERT, notBefore in 2017:  fospuca.local

chains to Baltimore Cybertrust Root (DigiCert):   lorweb.local

chains to Baltimore Cybertrust Root (DigiCert), notBefore in 2017:  skbfep01.justica.local  energy.ctd  and  pt

chains to QuoVadis, notBefore in 2017:  (swapped -/.)

chains to DocuSign, notBefore in 2017:   " " (trailing space)
dev-security-policy mailing list
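
A small lint for the classes of dNSName problem listed in this thread (internal suffixes such as `.local`, single-label names, stray whitespace, misplaced hyphens, unknown TLDs), written as an added example and not code from the thread's participants or any CA. The function name, the suffix list and the `known_tlds` parameter are illustrative assumptions.

```python
import re

# Illustrative, incomplete list of suffixes used for internal names (assumption).
INTERNAL_SUFFIXES = {"local", "localhost", "internal", "lan", "corp", "home"}

# LDH label: letters, digits, hyphen; 1-63 chars; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def lint_dns_name(name, known_tlds=None):
    """Return a list of problem codes for one dNSName SAN value.

    known_tlds: optional set of lower-case public TLDs (for example loaded
    from the IANA root zone list); when given, other TLDs are flagged.
    """
    problems = []
    if name != name.strip():
        problems.append("whitespace")      # e.g. a trailing space
        name = name.strip()
    if not name:
        return problems + ["empty"]
    if len(name) > 253:
        problems.append("too-long")
    labels = name.split(".")
    if labels[0] == "*":                   # wildcard only as whole left-most label
        labels = labels[1:]
    if len(labels) < 2:
        problems.append("not-fqdn")        # single label such as "pt"
    if any(not _LABEL.fullmatch(label) for label in labels):
        problems.append("bad-label")       # e.g. "." and "-" swapped
    tld = labels[-1].lower() if labels else ""
    if tld in INTERNAL_SUFFIXES:
        problems.append("internal-name")
    elif known_tlds is not None and len(labels) >= 2 and tld not in known_tlds:
        problems.append("unknown-tld")
    return problems


if __name__ == "__main__":
    # Names quoted in the thread plus constructed ones for the unnamed cases.
    samples = ["wxadm.swissucc.local", "fospuca.local", "energy.ctd", "pt",
               " ", "www.-example.com", "*.example.com"]
    for s in samples:
        print(repr(s), lint_dns_name(s, known_tlds={"com", "org", "pt"}))
```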
