Hello: Thanks for pointing these out. Regarding the two problematic certificates noted below chained to QuoVadis:
Changes were made to our systems last year dealing with these very issues, and it appears that these remaining certificates were not revoked. They will now be revoked. Leading hyphens and reallywildcards are now rejected by our systems.

Regards,
Stephen
QuoVadis

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+s.davidson=quovadisglobal....@lists.mozilla.org] On Behalf Of Charles Reiss via dev-security-policy
Sent: Wednesday, July 19, 2017 10:30 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Certificate with invalid dnsName

On 07/19/2017 06:03 PM, Tom wrote:
> Following that discovery, I've searched for odd (invalid?) DNS names.
> Here is the list of certificates I've found, it may overlap some
> discovery already reported.
> If I'm correct, these certificates are not revoked, not expired, and
> probably trusted by Mozilla (crt.sh issuers are marked trusted by
> Mozilla, but not all).

Annotating these certs:

> Starting with *:

I believe this cert is presently untrusted by Mozilla due to revocation of all paths to the Federal PKI:
> https://crt.sh/?id=7211484 *eis.aetc.af.mil

chains to StartCom (and all of these from StartCom are minor compared to StartCom's other problems):
> https://crt.sh/?id=10714112 *g10.net-lab.net

chains to Baltimore CyberTrust Root (DigiCert):
> https://crt.sh/?id=48682944 *nuvolaitaliana.it

chains to StartCom:
> https://crt.sh/?id=15736178 *assets.blog.cn.net.ru
> https://crt.sh/?id=17295812 *dev02.calendar42.com
> https://crt.sh/?id=15881220 *dev.1septem.ru
> https://crt.sh/?id=15655700 *assets.blog.cn.net.ru
> https://crt.sh/?id=17792808 *quickbuild.raptorengineering.io
>
> Starting with -:

chains to QuoVadis:
> https://crt.sh/?id=54285413 -d1-datacentre-12g-console-2.its.deakin.edu.au

chains to StartCom:
> https://crt.sh/?id=78248795 -1ccenter.777chao.com
>
> Multiple *.:

chains to QuoVadis:
> https://crt.sh/?id=13299376 *.*.victoria.ac.nz

I believe this cert is presently trusted by Mozilla only via a technically constrained subCA:
> https://crt.sh/?id=44997156 *.*.rnd.unicredit.it

chains to Swisscom:
> https://crt.sh/?id=5982951 *.*.int.swisscom.ch
>
> Internals TLD:

chains to Baltimore CyberTrust Root (DigiCert):
> https://crt.sh/?id=33626750 a1.verizon.test

I believe this cert is presently untrusted by Mozilla due to revocation of the relevant subCA:
> https://crt.sh/?id=33123653 DAC38997VPN2001A.trmk.corp

chains to Certplus (DocuSign):
> https://crt.sh/?id=42475510 naccez.us.areva.corp

I believe these presently lack an unrevoked, unexpired trust path in Mozilla:
> https://crt.sh/?id=10621703 collaboration.intra.airbusds.corp
> https://crt.sh/?id=48726306 zdeasaotn01.dsmain.ds.corp

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
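A pre-issuance lint for the four dnsName categories listed in the thread above (partial wildcard label, leading hyphen, multiple wildcards, internal TLD), as an added example that is not part of the original messages and not any CA's actual code. The function names, finding labels and the INTERNAL_TLDS set are assumptions made for illustration; the sample names are taken from the quoted list, plus two constructed valid ones.

```python
import re

# Assumption: stand-in for a lookup against the IANA root zone. It holds only
# the two non-public TLDs that appear in the quoted list.
INTERNAL_TLDS = {"test", "corp"}

# LDH label: letters, digits, hyphen; 1-63 chars; no leading or trailing hyphen.
LDH_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def lint_dnsname(name):
    """Return findings for one dnsName SAN value; an empty list means it passes."""
    findings = []
    labels = name.lower().split(".")
    if name.count("*") > 1:
        findings.append("multiple_wildcards")
    for position, label in enumerate(labels):
        if label == "*":
            # A wildcard is only acceptable as the complete leftmost label.
            if position != 0:
                findings.append("wildcard_not_leftmost")
        elif "*" in label:
            findings.append("partial_wildcard_label")
        elif label.startswith("-"):
            findings.append("leading_hyphen")
        elif not LDH_LABEL.fullmatch(label):
            findings.append("invalid_label")
    if labels[-1] in INTERNAL_TLDS:
        findings.append("internal_tld")
    return findings


def lint_san_list(names):
    """Map each rejected dnsName to its findings; accepted names are omitted."""
    results = {name: lint_dnsname(name) for name in names}
    return {name: found for name, found in results.items() if found}


# Sample input: names from the quoted list, plus two constructed valid names.
SAMPLE_NAMES = [
    "*eis.aetc.af.mil",
    "-1ccenter.777chao.com",
    "*.*.victoria.ac.nz",
    "a1.verizon.test",
    "*.example.com",
    "www.example.com",
]

if __name__ == "__main__":
    for rejected, reasons in lint_san_list(SAMPLE_NAMES).items():
        print(f"REJECT {rejected}: {', '.join(reasons)}")
```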