I’ve found 54 additional unexpired unrevoked certificates that are known to CT and trusted by NSS containing dnsNames that are invalid. The errors include invalid characters, internal names, and wildcards in the wrong position.
The full list is here: https://misissued.com/batch/8/

There are a few threads from the past few weeks about similar certificates, but as far as I know none of the certificates on this list have been discovered yet. I’ve included a summary of the CCADB owners and intermediates at the end of this email.

Jonathan

—

DigiCert (18)
    TI Trust Technologies Global CA (16)
    Justica (1)
    WellsSecure Certification Authority 01 G2 (1)

DocuSign (OpenTrust/Keynectis) (10)
    CLASS 2 KEYNECTIS CA (8)
    KEYNECTIS SSL RGS (2)

AC Camerfirma, S.A. (4)
    AC CAMERFIRMA AAPP (2)
    Camerfirma Corporate Server II - 2015 (2)

Certinomis (4)
    Certinomis - Easy CA (2)
    Certinomis Serveurs et Equipements (2)

Symantec / VeriSign (3)
    Symantec Class 3 Secure Server CA - G4 (2)
    Symantec Class 3 Secure Server SHA256 SSL CA (1)

Visa
    Visa eCommerce Issuing CA (2)

Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert)
    EC-SectorPublic (2)

Taiwan-CA Inc. (TWCA)
    TWCA Secure SSL Certification Authority (1)

WoSign CA Limited
    StartCom Class 3 OV Server CA (1)

CA Disig a.s.
    CA Disig R2I2 Certification Service (1)

Actalis
    Actalis Authentication CA G3 (1)

PROCERT
    PSCProcert (1)

Comodo
    Intel External Basic Issuing CA 3B (1)

Izenpe S.A.
    EAEko Herri Administrazioen CA - CA AAPP Vascas (2) (1)

WISeKey
    WISeKey CertifyID Advanced Services CA 4 (1)

T-Systems International GmbH (Deutsche Telekom)
    Uni-Osnabrueck RZ-CA G-002 (1)

QuoVadis
    QuoVadis Global SSL ICA G2 (1)

Symantec / GeoTrust
    RapidSSL SHA256 CA - G3 (1)

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
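
A minimal linter for the three error classes named in this report (invalid characters, internal names, wildcards in the wrong position), added here as an illustration; it is not code from the original email or from misissued.com. The `KNOWN_TLDS` set and all sample names are constructed assumptions, and a real check would load the full IANA TLD list.

```python
import re

# Assumption: a small stand-in for the IANA TLD list; load the real list in practice.
KNOWN_TLDS = {"com", "org", "net", "fr", "es", "tw"}
# One DNS label: letters, digits and hyphens, no leading or trailing hyphen, max 63.
LDH_LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")


def lint_dns_name(name):
    """Return the sorted problem classes found in one dNSName SAN value."""
    problems = set()
    labels = name.lower().split(".")
    # A wildcard is acceptable only as the complete left-most label.
    if labels[0] == "*":
        labels = labels[1:]
    for label in labels:
        if "*" in label:
            problems.add("wildcard_position")
        elif not LDH_LABEL.fullmatch(label):
            # Covers spaces, underscores, URL punctuation and empty labels.
            problems.add("invalid_characters")
    # Single-label names and names under an unknown TLD are not public names.
    if len(labels) < 2 or labels[-1] not in KNOWN_TLDS:
        problems.add("internal_name")
    return sorted(problems)


def lint_san_list(names):
    """Map each offending dNSName to its problem classes; clean names are omitted."""
    report = {}
    for name in names:
        found = lint_dns_name(name)
        if found:
            report[name] = found
    return report


# Constructed sample SAN values, not taken from the certificates in the batch.
SAMPLE_SANS = [
    "www.example.com", "*.example.com", "www.*.example.com", "w*.example.com",
    "mail_server.example.com", "https://www.example.com",
    "exchange01.corp.local", "intranet",
]

if __name__ == "__main__":
    for san, found in lint_san_list(SAMPLE_SANS).items():
        print(f"{san!r}: {', '.join(found)}")
```
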

