Thanks for this info. These Startcom certs were issued from the old system.
We'll contact the users and act accordingly.

Best regards

Iñigo Barreira
CEO
StartCom CA Limited


-----Original Message-----
From: dev-security-policy
[mailto:dev-security-policy-bounces+inigo=startcomca....@lists.mozilla.org]
On Behalf Of Charles Reiss via dev-security-policy
Sent: Thursday, 20 July 2017 3:30
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Certificate with invalid dnsName

On 07/19/2017 06:03 PM, Tom wrote:
> Following that discovery, I've searched for odd (invalid?) DNS names.
> Here is the list of certificates I've found, it may overlap some 
> discoveries already reported.
> If I'm correct, these certificates are not revoked, not expired, and 
> probably trusted by Mozilla (crt.sh issuers are marked trusted by 
> Mozilla, but not all).

Annotating these certs:

> Starting with *:

I believe this cert is presently untrusted by Mozilla due to revocation of
all paths to the Federal PKI:
> https://crt.sh/?id=7211484    *eis.aetc.af.mil

chains to StartCom (and all of these from StartCom are minor compared to 
StartCom's other problems):
> https://crt.sh/?id=10714112    *g10.net-lab.net

chains to Baltimore CyberTrust Root (DigiCert):
> https://crt.sh/?id=48682944    *nuvolaitaliana.it

chains to StartCom:
> https://crt.sh/?id=15736178    *assets.blog.cn.net.ru
> https://crt.sh/?id=17295812    *dev02.calendar42.com
> https://crt.sh/?id=15881220    *dev.1septem.ru
> https://crt.sh/?id=15655700    *assets.blog.cn.net.ru
> https://crt.sh/?id=17792808    *quickbuild.raptorengineering.io


> 
> Starting with -:

chains to QuoVadis:
> https://crt.sh/?id=54285413    -d1-datacentre-12g-console-2.its.deakin.edu.au

chains to StartCom:
> https://crt.sh/?id=78248795    -1ccenter.777chao.com


> 
> Multiple *.:

chains to QuoVadis:
> https://crt.sh/?id=13299376    *.*.victoria.ac.nz

I believe this cert is presently trusted by Mozilla only via a 
technically constrained subCA:
> https://crt.sh/?id=44997156    *.*.rnd.unicredit.it

chains to Swisscom:
> https://crt.sh/?id=5982951    *.*.int.swisscom.ch


> 
> Internal TLDs:

chains to Baltimore CyberTrust Root (DigiCert):
> https://crt.sh/?id=33626750    a1.verizon.test

I believe this cert is presently untrusted by Mozilla due to revocation 
of the relevant subCA:
> https://crt.sh/?id=33123653    DAC38997VPN2001A.trmk.corp

chains to Certplus (DocuSign):
> https://crt.sh/?id=42475510    naccez.us.areva.corp

I believe these presently lack an unrevoked, unexpired trust path in 
Mozilla:
> https://crt.sh/?id=10621703    collaboration.intra.airbusds.corp
> https://crt.sh/?id=48726306    zdeasaotn01.dsmain.ds.corp
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
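
A lint for the four dNSName categories annotated in the thread above, written as an added example; it is not code from any poster, from crt.sh or from a CA. The function name, the problem labels and the internal-suffix set (limited to the two suffixes seen in this thread) are assumptions, and the extra "invalid-label" check goes slightly beyond the thread's categories.

```python
import re

# Assumption: only the two non-public suffixes that appear in this thread.
INTERNAL_TLDS = {"test", "corp"}
# Letter-digit-hyphen label: 1-63 chars, starts and ends with a letter or digit.
LDH_LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")


def lint_dns_name(name):
    """Return the problems found in one dNSName SAN value (empty list if none)."""
    labels = name.lower().split(".")
    problems = []
    # "*foo.example": the wildcard must be the entire leftmost label.
    if "*" in labels[0] and labels[0] != "*":
        problems.append("wildcard-not-whole-label")
    # "*.*.example": a wildcard is only allowed in the leftmost label.
    if any("*" in label for label in labels[1:]):
        problems.append("wildcard-outside-leftmost-label")
    # "-foo.example": labels may not begin or end with a hyphen.
    if any(label.startswith("-") or label.endswith("-") for label in labels):
        problems.append("hyphen-at-label-edge")
    # "host.corp": suffix that is not a public TLD.
    if labels[-1] in INTERNAL_TLDS:
        problems.append("internal-tld")
    # Anything else that is not a letter-digit-hyphen label (empty label,
    # underscore, over-long label), ignoring the defects already reported.
    for label in labels:
        bare = label.replace("*", "").strip("-")
        if (bare == "" and label != "*") or (bare and not LDH_LABEL.fullmatch(bare)):
            problems.append("invalid-label")
            break
    return problems


if __name__ == "__main__":
    # Names taken from the thread, plus two constructed well-formed names.
    samples = [
        "*eis.aetc.af.mil",
        "-1ccenter.777chao.com",
        "*.*.victoria.ac.nz",
        "a1.verizon.test",
        "*.example.com",      # constructed
        "www.example.com",    # constructed
    ]
    for san in samples:
        print(f"{san:28} {lint_dns_name(san) or 'ok'}")
```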
