> On Aug 10, 2017, at 07:55, Fiedler, Arno via dev-security-policy 
> <dev-security-policy@lists.mozilla.org> wrote:
> Hello Jonathan,
> the certificate has 64 bits of entropy in the "DNqualifier" field instead of 
> the serial number field. 
> Since 2012 we used this way of adding random bits to certificates to mitigate 
> preimage attacks.
> From a security perspective the amount of entropy in the certificate should 
> be reasonable.
> Do you see a security need for revoking the certificate?

1) The dnQualifier appears to have a 33-bit number, not a 64-bit number.

2) One of the SAN dnsNames is "www.lbv-gis.brandenburg.de/lbvagszit", which is 
clearly invalid.

3) The Baseline Requirements are extremely clear about this:

> The CA SHALL revoke a Certificate within 24 hours if one or more of the 
> following occurs:
> […]
> 9. The CA is made aware that the Certificate was not issued in accordance 
> with these Requirements or the CA’s Certificate Policy or Certification 
> Practice Statement;

So yes, I believe this certificate needs to be revoked immediately. It should 
have been revoked within 24 hours of learning about it. I believe July 20th was 
the latest date that you could have learned about it, when Gerv sent a 
notification to you.
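The two checks behind points 1 and 2, as an added example that is not code from either author or from the list: a small Python lint over fields already extracted from a certificate (by whatever parser you use) that bounds the entropy a numeric field can carry by its bit length and validates each SAN dNSName against the preferred name syntax. The sample field values are constructed, and the 64-bit figure is the one the thread discusses.

```python
import re

# Constructed sample values standing in for fields extracted from a certificate;
# they are illustrative and are not the values from the certificate in the thread.
SAMPLE_CERT = {
    "serial_number": "0x1a2b",                    # short, sequential-style serial
    "dn_qualifier": "6442450941",                 # decimal string that fits in 33 bits
    "san_dns_names": [
        "www.lbv-gis.brandenburg.de",
        "www.lbv-gis.brandenburg.de/lbvagszit",   # carries a path: not a dNSName
    ],
}
MIN_ENTROPY_BITS = 64  # the figure the thread discusses

# RFC 1034/1123 preferred name syntax: labels of letters, digits and hyphens,
# no leading or trailing hyphen, 1-63 characters per label, 253 overall.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def bit_length_of(value: str) -> int:
    """Bit length of a numeric field ("0x..." hex, otherwise decimal). A value that
    fits in n bits carries at most n bits of entropy: an upper bound, not a measurement."""
    base = 16 if value.lower().startswith("0x") else 10
    return int(value, base).bit_length()

def is_valid_dns_name(name: str) -> bool:
    """True if name is a syntactically valid dNSName; one leading '*' label allowed."""
    if not name or len(name) > 253 or name.endswith("."):
        return False
    labels = name.split(".")
    if labels[0] == "*":
        labels = labels[1:]
    return len(labels) >= 1 and all(LABEL_RE.match(label) for label in labels)

def audit(cert: dict) -> list:
    """Return findings for the extracted fields; an empty list means none."""
    findings = []
    serial_bits = bit_length_of(cert["serial_number"])
    dnq_bits = bit_length_of(cert["dn_qualifier"])
    if max(serial_bits, dnq_bits) < MIN_ENTROPY_BITS:
        findings.append(f"entropy: serial {serial_bits} bits, dnQualifier {dnq_bits} "
                        f"bits; neither reaches {MIN_ENTROPY_BITS}")
    for name in cert["san_dns_names"]:
        if not is_valid_dns_name(name):
            findings.append(f"SAN dNSName {name!r} is not a valid DNS name")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CERT):
        print("FINDING:", finding)
```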