> On Aug 16, 2017, at 12:52, Jonathan Rudenberg via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>
> I looked through the CT logs and found 15 more unexpired unrevoked
> certificates that are trusted by NSS and appear to have the same inaccurate
> organizationName of “U.S. Government” for a non-USG entity.
>
> The list is here: https://misissued.com/batch/10/
>
> Can you explain why your review missed these? Are there any more in addition
> to these 15 and previous 5?
>
> Jonathan
After looking into this more, I’ve found that the majority of certificates issued by the “IdenTrust ACES CA 2” and “IdenTrust ACES CA 1” intermediates are not BR-compliant. The issues fall into three categories:

1) Certificates with HTTPS OCSP URLs
2) Certificates with otherName SANs
3) Certificates that appear to be intended as client certificates, but have the anyExtendedKeyUsage EKU, putting them in scope for the Mozilla Root Policy.

I’ve found 33 certificates that have one or more of these issues that are unexpired and unrevoked. Here is the full list: https://misissued.com/batch/11/ (note that it is a superset of the batch I posted earlier today)

Jonathan

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
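The three categories above are mechanically detectable from the certificate's extensions, which is how one would triage a CT log dump before hand-review. The following checker is an added example (not code from the thread or from misissued.com) using only the Python standard library: a minimal DER walker, the three checks (an OCSP accessLocation with an https scheme in the AIA extension, an otherName in the SAN extension, and anyExtendedKeyUsage in the EKU extension), and a constructed, unsigned toy certificate that exhibits all three so the checks can be run offline. The hostnames, the serial number and the issuer/subject in the sample are constructed placeholders, not values from any real certificate.

```python
"""Flag the three BR problems named in the thread from a DER certificate."""

OID_AIA, OID_SAN, OID_EKU = "1.3.6.1.5.5.7.1.1", "2.5.29.17", "2.5.29.37"
OID_OCSP = "1.3.6.1.5.5.7.48.1"      # id-ad-ocsp accessMethod
OID_ANY_EKU = "2.5.29.37.0"          # anyExtendedKeyUsage


def der_read(buf, pos=0):
    """Read one TLV at pos; return (tag, value_bytes, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[start:start + length], start + length


def der_children(value):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_read(value, pos)
        yield tag, inner


def oid_decode(value):
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def certificate_extensions(cert_der):
    """Return {extnID: extnValue} from the [3] EXPLICIT Extensions of tbsCertificate."""
    _, cert, _ = der_read(cert_der)
    _, tbs, _ = der_read(cert)                     # tbsCertificate is the first element
    exts = {}
    for tag, inner in der_children(tbs):
        if tag == 0xA3:                            # [3] Extensions
            _, ext_seq, _ = der_read(inner)
            for _, ext in der_children(ext_seq):
                fields = list(der_children(ext))   # OID, optional BOOLEAN critical, OCTET STRING
                exts[oid_decode(fields[0][1])] = fields[-1][1]
    return exts


def br_issues(exts):
    """Return [(category, detail)] for HTTPS OCSP URLs, otherName SANs and anyEKU."""
    issues = []
    if OID_AIA in exts:
        _, aia, _ = der_read(exts[OID_AIA])
        for _, access_desc in der_children(aia):
            (_, method), (loc_tag, loc) = list(der_children(access_desc))
            if oid_decode(method) == OID_OCSP and loc_tag == 0x86:   # [6] uniformResourceIdentifier
                url = loc.decode("ascii")
                if url.lower().startswith("https://"):
                    issues.append(("https-ocsp", url))
    if OID_SAN in exts:
        _, san, _ = der_read(exts[OID_SAN])
        for tag, name in der_children(san):
            if tag == 0xA0:                                          # [0] otherName
                issues.append(("othername-san", oid_decode(next(der_children(name))[1])))
    if OID_EKU in exts:
        _, eku, _ = der_read(exts[OID_EKU])
        if any(oid_decode(o) == OID_ANY_EKU for _, o in der_children(eku)):
            issues.append(("any-eku", OID_ANY_EKU))
    return issues


# --- DER encoder and a constructed sample certificate (placeholder values) ---
def der(tag, *content):
    body = b"".join(content)
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + body


def oid_encode(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def build_sample_cert():
    """Unsigned toy certificate with an https OCSP URL, a UPN otherName SAN and anyEKU."""
    aia = der(0x30, der(0x30, oid_encode(OID_OCSP), der(0x86, b"https://ocsp.example.test")))
    upn = "1.3.6.1.4.1.311.20.2.3"   # Microsoft UPN otherName type, common in client certs
    san = der(0x30, der(0xA0, oid_encode(upn), der(0xA0, der(0x0C, b"user@example.test"))),
              der(0x82, b"example.test"))
    eku = der(0x30, oid_encode(OID_ANY_EKU), oid_encode("1.3.6.1.5.5.7.3.2"))
    ext = lambda oid, val: der(0x30, oid_encode(oid), der(0x04, val))
    sha256_rsa = der(0x30, oid_encode("1.2.840.113549.1.1.11"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), sha256_rsa, der(0x30),
              der(0x30, der(0x17, b"170101000000Z"), der(0x17, b"270101000000Z")), der(0x30),
              der(0x30, der(0x30, oid_encode("1.2.840.113549.1.1.1")), der(0x03, b"\x00")),
              der(0xA3, der(0x30, ext(OID_AIA, aia), ext(OID_SAN, san), ext(OID_EKU, eku))))
    return der(0x30, tbs, sha256_rsa, der(0x03, b"\x00"))


if __name__ == "__main__":
    for category, detail in br_issues(certificate_extensions(build_sample_cert())):
        print(category, detail)
```

For a real certificate, read the DER bytes (or base64-decode the PEM body) and pass them to `certificate_extensions`; the checks only need the three extensions, so the signature and the rest of the TBS are never interpreted. Note that a real triage would also exclude expired and revoked certificates, which the thread does by hand and this checker does not attempt.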