Thanks for this info. These StartCom certs were issued from the old system. We'll contact the users and act accordingly.
Best regards

Iñigo Barreira
CEO
StartCom CA Limited

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+inigo=startcomca....@lists.mozilla.org] On Behalf Of Charles Reiss via dev-security-policy
Sent: Thursday, 20 July 2017 3:30
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Certificate with invalid dnsName

On 07/19/2017 06:03 PM, Tom wrote:
> Following that discovery, I've searched for odd (invalid?) DNS names.
> Here is the list of certificates I've found, it may overlap some
> discovery already reported.
> If I'm correct, these certificates are not revoked, not expired, and
> probably trusted by Mozilla (crt.sh issuers are marked trusted by
> Mozilla, but not all).

Annotating these certs:

> Starting with *:

I believe this cert is presently untrusted by Mozilla due to revocation of all paths to the Federal PKI:
> https://crt.sh/?id=7211484 *eis.aetc.af.mil

chains to StartCom (and all of these from StartCom are minor compared to StartCom's other problems):
> https://crt.sh/?id=10714112 *g10.net-lab.net

chains to Baltimore CyberTrust Root (DigiCert):
> https://crt.sh/?id=48682944 *nuvolaitaliana.it

chains to StartCom:
> https://crt.sh/?id=15736178 *assets.blog.cn.net.ru
> https://crt.sh/?id=17295812 *dev02.calendar42.com
> https://crt.sh/?id=15881220 *dev.1septem.ru
> https://crt.sh/?id=15655700 *assets.blog.cn.net.ru
> https://crt.sh/?id=17792808 *quickbuild.raptorengineering.io
>
> Starting with -:

chains to QuoVadis:
> https://crt.sh/?id=54285413
> -d1-datacentre-12g-console-2.its.deakin.edu.au

chains to StartCom:
> https://crt.sh/?id=78248795 -1ccenter.777chao.com
>
> Multiple *.:

chains to QuoVadis:
> https://crt.sh/?id=13299376 *.*.victoria.ac.nz

I believe this cert is presently trusted by Mozilla only via a technically constrained subCA:
> https://crt.sh/?id=44997156 *.*.rnd.unicredit.it

chains to Swisscom:
> https://crt.sh/?id=5982951 *.*.int.swisscom.ch
>
> Internals TLD:

chains to Baltimore CyberTrust Root (DigiCert):
> https://crt.sh/?id=33626750 a1.verizon.test

I believe this cert is presently untrusted by Mozilla due to revocation of the relevant subCA:
> https://crt.sh/?id=33123653 DAC38997VPN2001A.trmk.corp

chains to Certplus (DocuSign):
> https://crt.sh/?id=42475510 naccez.us.areva.corp

I believe these presently lack an unrevoked, unexpired trust path in Mozilla:
> https://crt.sh/?id=10621703 collaboration.intra.airbusds.corp
> https://crt.sh/?id=48726306 zdeasaotn01.dsmain.ds.corp

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
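
The four categories of odd dNSName values listed in the thread above, written as a lint check a CA or a certificate monitor could run before or after issuance. This is an added example, not code from any poster or from crt.sh; the function names, the finding labels and the two-entry internal-suffix set are assumptions made for illustration.

```python
import re

# Assumption for this example: a two-entry stand-in for "suffix is not in the
# public root zone", holding only the suffixes that appear in the thread.
INTERNAL_TLDS = {"test", "corp"}

# LDH label: letters, digits, hyphen; 1-63 chars; no leading/trailing hyphen.
LDH_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def lint_dns_name(name):
    """Return the list of findings for one SAN dNSName value."""
    findings = []
    labels = name.split(".")
    if labels.count("*") > 1:
        findings.append("multiple-wildcard-labels")      # "*.*.example"
    for position, label in enumerate(labels):
        if label == "*":
            if position != 0:
                findings.append("wildcard-not-leftmost")
        elif "*" in label:
            findings.append("partial-wildcard-label")    # "*eis"
        elif label.startswith("-"):
            findings.append("leading-hyphen-label")      # "-1ccenter"
        elif not LDH_LABEL.fullmatch(label):
            findings.append("non-ldh-label")             # empty, "_", too long
    if labels[-1].lower() in INTERNAL_TLDS:
        findings.append("internal-tld")
    return findings

# Names quoted in the thread, plus two well-formed names constructed for contrast.
SAMPLES = [
    "*eis.aetc.af.mil",
    "-1ccenter.777chao.com",
    "*.*.victoria.ac.nz",
    "a1.verizon.test",
    "DAC38997VPN2001A.trmk.corp",
    "*.example.com",      # constructed: valid single leftmost wildcard
    "www.example.com",    # constructed: plain host name
]

def lint_all(names):
    """Map each name that has at least one finding to its findings."""
    results = {name: lint_dns_name(name) for name in names}
    return {name: found for name, found in results.items() if found}

if __name__ == "__main__":
    for name, found in lint_all(SAMPLES).items():
        print(f"{name}: {', '.join(found)}")
```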