TWCA had revoked the mis-issued certificate.
Kathleen Wilson wrote on Wednesday, August 16, 2017 at 3:38:11 AM UTC+8:
> All,
>
> I have gone through the July/August posts in m.d.s.policy in order to determine which Bugzilla Bugs I should file.
>
> There are two outliers:
> ~~
> ** Undisclosed intermediates, or those missing audits
> I have been working diligently on intermediate cert disclosures in the CCADB for many months now. I greatly appreciate the web pages that Rob Stradling created to help me with this effort!!!
> This has also included work on adding revoked intermediate certs to OneCRL, and I hope the other major root store operators will catch up on this:
> https://crt.sh/revoked-intermediates
> Anyways, I have been working on those separately and in contact with those CAs, so I do not plan to file separate bugs, beyond what I have already done or am doing.
>
> ** Common Name not in SAN
> https://groups.google.com/d/msg/mozilla.dev.security.policy/K3sk5ZMv2DE/4oVzlN1xBgAJ
> It is not clear to me if I need to add this item to the Bugzilla Bugs that I will be filing. Please let me know if you think I need to add this item to the bugs.
> ~~
>
> Here's a summary of the bugs that I plan to file as a result of the recent activity in m.d.s.policy. (one bug per CA listed below)
>
> My expectation is that the CAs will provide the following information in their bugs:
> 1) Confirmation that the CA has stopped issuance of certs with these problems.
> 2) Explanation about how/why the mistakes were made, and not caught/fixed earlier.
> 3) List of steps the CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when the CA expects to accomplish these things.
> 4) Updates to confirm when those steps have been completed.
>
> I do *NOT* necessarily expect the CAs to revoke all of these certificates. I expect the CAs to do a careful analysis of the situation and determine/explain whether or not they will revoke the certs or let them expire. If the choice is to let them expire, there needs to be good reasons and a timeline for when the bulk of certs will expire. We (Mozilla community) will evaluate such information and provide constructive feedback, and I or Gerv will add a comment in the bug to confirm if the plan (when not revoking) is acceptable, or to state if we/Mozilla will require revocation.
>
> Thanks,
> Kathleen
>
> == Actalis ==
>
> Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position)
> https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ
> https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ
>
> == Camerfirma ==
>
> Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position)
> https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ
> https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ
>
> URI in dNSName SAN
> https://groups.google.com/d/msg/mozilla.dev.security.policy/etp2Yz2fmM4/ayBTsfJnBgAJ
>
> == Certinomis ==
>
> Invalidly long serial numbers (Serial Number > 20 Octets)
> https://groups.google.com/d/msg/mozilla.dev.security.policy/b33_4CyJbWI/74sItqcvBgAJ
>
> Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position)
> https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ
> https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ
>
> == certSIGN ==
>
> Invalid common name and invalid SAN dnsName
> https://groups.google.com/d/msg/mozilla.dev.security.policy/ETG72kifv4k/2BD-CVDDAAAJ
>
> == Comodo ==
>
> Certificates with metadata-only subject fields (at least one subject field that only contains ASCII punctuation characters)
> https://groups.google.com/d/msg/mozilla.dev.security.policy/Sae5lpT02Ng/-lsC11JnBwAJ
> Prevent further issuance of certs with N/A and other metadata but revocation not necessary in this case.
>
> Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position)
> https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ
> https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ
>
> == Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert) ==
>
> Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position)
> https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ
> https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ
>
> == D-TRUST ==
>
> dNSName containing '/'
> https://groups.google.com/d/msg/mozilla.dev.security.policy/vl5eq0PoJxY/uD-Li1w1BgAJ
>
> Short / sequential-looking serial numbers
> https://groups.google.com/d/msg/mozilla.dev.security.policy/vl5eq0PoJxY/uD-Li1w1BgAJ
> https://groups.google.com/d/msg/mozilla.dev.security.policy/YequotPYLdc/J0K3lUyzBwAJ
> RESOLUTION:
> https://groups.google.com/d/msg/mozilla.dev.security.policy/UnR98QjWQQs/O-Hf5T4WBwAJ
>
> == DigiCert ==
> (Bug #1389172 already created by Jeremy - for the first 3 items below)
>
> Certificates with metadata-only subject fields (at least one subject field that only contains ASCII punctuation characters)
> https://groups.google.com/d/msg/mozilla.dev.security.policy/Sae5lpT02Ng/-lsC11JnBwAJ
> Prevent further issuance of certs with N/A and other metadata but revocation not necessary in this case.
>
> Invalidly long serial numbers (Serial Number > 20 Octets)
> https://groups.google.com/d/msg/mozilla.dev.security.policy/b33_4CyJbWI/74sItqcvBgAJ
>
> Serial Numbers less than 64-bit entropy
> https://groups.google.com/d/msg/mozilla.dev.security.policy/YequotPYLdc/J0K3lUyzBwAJ
>
> Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position)
> https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ
> https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ
> https://groups.google.com/d/msg/mozilla.dev.security.policy/5bpr9yBgaYo/rJLOz0XPBQAJ
>
> Reserved IP addresses
> https://groups.google.com/d/msg/mozilla.dev.security.policy/inocepURbNQ/MmkeMvhyCAAJ
>
> == Disig ==
>
> Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position)
> https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ
> https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ
>
> == DocuSign ==
>
> Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position)
> https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ
> https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ
>
> == Entrust ==
>
> Certificates with metadata-only subject fields (at least one subject field that only contains ASCII punctuation characters)
> https://groups.google.com/d/msg/mozilla.dev.security.policy/Sae5lpT02Ng/-lsC11JnBwAJ
> Prevent further issuance of certs with N/A and other metadata but revocation not necessary in this case.
>
> == FNMT ==
>
> "AC FNMT Usuarios" intermediate is not supposed to issue TLS server auth capable certs. [KATHLEEN: Add to OneCRL]
> https://groups.google.com/d/msg/mozilla.dev.security.policy/Qo1ZNwlYKnY/UrAodnoQBwAJ
>
> == GlobalSign ==
>
> Certificates with metadata-only subject fields (at least one subject field that only contains ASCII punctuation characters)
> https://groups.google.com/d/msg/mozilla.dev.security.policy/Sae5lpT02Ng/-lsC11JnBwAJ
> Prevent further issuance of certs with N/A and other metadata but revocation not necessary in this case.
>
> == Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) ==
>
> Serial Numbers less than 64-bit entropy
> https://groups.google.com/d/msg/mozilla.dev.security.policy/YequotPYLdc/J0K3lUyzBwAJ
>
> == IdenTrust ==
>
> pathLenConstraint with CA:FALSE
> https://groups.google.com/d/msg/mozilla.dev.security.policy/1q_aq5e0El4/LmfGUDmHBwAJ
>
> OCSP responder URL that has a HTTPS URI
> https://groups.google.com/d/msg/mozilla.dev.security.policy/jSHuE-Oc7rY/660iCGPZBgAJ
>
> == Izenpe ==
>
> Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position)
> https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ
> https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ
>
> Serial Numbers less than 64-bit entropy
> https://groups.google.com/d/msg/mozilla.dev.security.policy/YequotPYLdc/J0K3lUyzBwAJ
>
> == Keynectis ==
>
> Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position)
> https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ
> https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ
>
> == Let's Encrypt ==
>
> Improperly normalized IDNs
> https://groups.google.com/d/msg/mozilla.dev.security.policy/g6_zGA2exXw/izYkdc7DBwAJ
> RESOLUTION:
> https://groups.google.com/d/msg/mozilla.dev.security.policy/nMxaxhYb_iY/AmjCI3_ZBwAJ
>
> == Microsec ==
>
> Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position)
> https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ
> https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ
>
> == Netlock ==
>
> Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position)
> https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ
> https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ
>
> == PROCERT ==
>
> Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position)
> https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ
> https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ
>
> URI in dNSName SAN
> https://groups.google.com/d/msg/mozilla.dev.security.policy/etp2Yz2fmM4/ayBTsfJnBgAJ
>
> Reserved IP addresses
> https://groups.google.com/d/msg/mozilla.dev.security.policy/inocepURbNQ/MmkeMvhyCAAJ
>
> == QuoVadis ==
>
> Certificates with metadata-only subject fields (at least one subject field that only contains ASCII punctuation characters)
> https://groups.google.com/d/msg/mozilla.dev.security.policy/Sae5lpT02Ng/-lsC11JnBwAJ
> Prevent further issuance of certs with N/A and other metadata but revocation not necessary in this case.
>
> Short / sequential-looking serial numbers
> https://groups.google.com/d/msg/mozilla.dev.security.policy/vl5eq0PoJxY/uD-Li1w1BgAJ
> https://groups.google.com/d/msg/mozilla.dev.security.policy/YequotPYLdc/J0K3lUyzBwAJ
>
> Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position)
> https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ
> https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ
>
> == SECOM ==
>
> Certificates with metadata-only subject fields (at least one subject field that only contains ASCII punctuation characters)
> https://groups.google.com/d/msg/mozilla.dev.security.policy/Sae5lpT02Ng/-lsC11JnBwAJ
> Prevent further issuance of certs with N/A and other metadata but revocation not necessary in this case.
>
> == StartCom ==
>
> Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position)
> https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ
> https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ
>
> == Staat der Nederlanden / PKIoverheid ==
>
> Short / sequential-looking serial numbers
> https://groups.google.com/d/msg/mozilla.dev.security.policy/vl5eq0PoJxY/uD-Li1w1BgAJ
> https://groups.google.com/d/msg/mozilla.dev.security.policy/YequotPYLdc/J0K3lUyzBwAJ
> RESOLUTION:
> https://groups.google.com/d/msg/mozilla.dev.security.policy/vl5eq0PoJxY/W1D4oZ__BwAJ
>
> == SwissSign ==
>
> Certificates with metadata-only subject fields (at least one subject field that only contains ASCII punctuation characters)
> https://groups.google.com/d/msg/mozilla.dev.security.policy/Sae5lpT02Ng/-lsC11JnBwAJ
> Prevent further issuance of certs with N/A and other metadata but revocation not necessary in this case.
>
> == Symantec ==
>
> Certificates with metadata-only subject fields (at least one subject field that only contains ASCII punctuation characters)
> https://groups.google.com/d/msg/mozilla.dev.security.policy/Sae5lpT02Ng/-lsC11JnBwAJ
> Prevent further issuance of certs with N/A and other metadata but revocation not necessary in this case.
>
> Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position)
> https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ
> https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ
>
> == Taiwan-CA Inc. (TWCA) ==
>
> Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position)
> https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ
> https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ
>
> == T-Systems ==
>
> Certificates with metadata-only subject fields (at least one subject field that only contains ASCII punctuation characters)
> https://groups.google.com/d/msg/mozilla.dev.security.policy/Sae5lpT02Ng/-lsC11JnBwAJ
> Prevent further issuance of certs with N/A and other metadata but revocation not necessary in this case.
>
> Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position)
> https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ
> https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ
>
> == Visa ==
>
> Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position)
> https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ
> https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ
>
> == WISeKey ==
>
> Invalid dnsNames (e.g. invalid characters, internal names, and wildcards in the wrong position)
> https://groups.google.com/d/msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ
> https://groups.google.com/d/msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
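The problem categories in the quoted list (metadata-only subject fields, CN not in SAN, invalid dNSNames, reserved IP addresses, serial length and size, pathLenConstraint with CA:FALSE, HTTPS OCSP URLs) as a small pre-issuance lint, added here as an example and not code from the thread or from any CA. It runs over already-parsed fields; the dict layout, the internal-TLD list and the sample certificate are assumptions, and in practice the fields would come from an X.509 parser.

```python
import ipaddress, re, string
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")  # RFC 1123 hostname label
PUNCT = set(string.punctuation + " ")
INTERNAL_TLDS = {"local", "internal", "corp", "lan"}  # assumed list, not from the post

def check_dns_name(name):  # returns a problem string, or None if the name passes
    if "/" in name:
        return "URI or '/' in dNSName"
    labels = name.lower().split(".")
    if len(labels) < 2 or labels[-1] in INTERNAL_TLDS:
        return "internal name"
    for i, label in enumerate(labels):
        if label == "*" and i != 0:  # only a leftmost whole-label wildcard is allowed
            return "wildcard in wrong position"
        if label != "*" and not LABEL.match(label):  # also catches www*.example.com
            return "invalid characters"
    return None

def check_serial(serial):  # DER length and minimum-size checks on a positive serial
    if (serial.bit_length() + 8) // 8 > 20:  # DER adds an octet when the top bit is set
        return "serial number longer than 20 octets"
    if serial.bit_length() < 64:  # too short to carry 64 bits of CSPRNG output
        return "serial number shorter than 64 bits"
    return None

def lint_cert(cert):  # cert: dict of already-parsed fields; returns (field, problem) pairs
    findings = []
    for attr, value in cert["subject"].items():
        if set(value) <= PUNCT or value.strip().lower() == "n/a":
            findings.append((attr, "metadata-only subject field"))
    sans = [s.lower() for s in cert["san_dns"]]
    cn = cert["subject"].get("CN", "").lower()
    if cn and cn not in sans:
        findings.append(("CN", "Common Name not in SAN"))
    findings += [(n, p) for n in sans if (p := check_dns_name(n))]
    for ip in cert["san_ip"]:
        if not ipaddress.ip_address(ip).is_global:  # private, loopback, link-local, ...
            findings.append((ip, "reserved IP address"))
    if p := check_serial(cert["serial"]):
        findings.append(("serialNumber", p))
    if not cert["ca"] and cert["path_len"] is not None:
        findings.append(("basicConstraints", "pathLenConstraint with CA:FALSE"))
    findings += [(u, "OCSP responder URL uses HTTPS") for u in cert["ocsp"] if u.lower().startswith("https://")]
    return findings

SAMPLE = {  # constructed test input, not a real certificate
    "subject": {"CN": "www.example.com", "O": "Example Corp", "OU": "-"},
    "san_dns": ["www.example.com", "*.sub.example.com", "api.*.example.com", "intranet", "http://example.com/x"],
    "san_ip": ["10.0.0.5", "8.8.8.8"], "serial": 0x1234, "ca": False, "path_len": 0, "ocsp": ["https://ocsp.example.com"],
}
```

`lint_cert(SAMPLE)` reports eight findings for the constructed certificate; the 64-bit check is a length heuristic, since entropy cannot be measured from a single serial.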

