On Wednesday, August 16, 2017 at 1:45:12 PM UTC-4, Jonathan Rudenberg wrote:
> > On Aug 16, 2017, at 12:52, Jonathan Rudenberg via dev-security-policy 
> > <dev-security-policy@lists.mozilla.org> wrote:
> > 
> > I looked through the CT logs and found 15 more unexpired unrevoked 
> > certificates that are trusted by NSS and appear to have the same inaccurate 
> > organizationName of “U.S. Government” for a non-USG entity.
> > 
> > The list is here: https://misissued.com/batch/10/
> > 
> > Can you explain why your review missed these? Are there any more in 
> > addition to these 15 and previous 5?
> > 
> > Jonathan
> 
> After looking into this more, I’ve found that the majority of certificates 
> issued by the "IdenTrust ACES CA 2” and "IdenTrust ACES CA 1” intermediates 
> are not BR-compliant.
> 
> The issues fall into three categories:
> 
> 1) Certificates with HTTPS OCSP URLs
> 2) Certificates with otherName SANs
> 3) Certificates that appear to be intended as client certificates, but have 
> the anyExtendedKeyUsage EKU, putting them in scope for the Mozilla Root 
> Policy.
> 
> I’ve found 33 certificates that have one or more of these issues that are 
> unexpired and unrevoked.
> 
> Here is the full list: https://misissued.com/batch/11/ (note that it is a 
> superset of the batch I posted earlier today)
> 
> Jonathan
Hello,

In reference to 3) "Certificates that appear to be intended as client 
certificates, but have the anyExtendedKeyUsage EKU, putting them in scope for 
the Mozilla Root Policy":

The following 6 client certificates have been identified as server 
certificates and flagged as non-compliant. However, these certificates do not 
contain an FQDN, an IP address, or the ‘TLS Web Server Authentication’ EKU. As 
such, in order for us to proceed with our analysis and determine whether any 
remediation is required, we need clarification of the exact nature of the 
non-compliance as it relates to the Mozilla Root Policy or the CAB Forum 
Baseline Requirements (ideally with a pointer to the specific requirement in 
the corresponding document).

https://crt.sh/?id=157944459
https://crt.sh/?id=157944592
https://crt.sh/?id=157944616
https://crt.sh/?id=157944549
https://crt.sh/?id=157944611
https://crt.sh/?id=157944466

Thanks

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
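As an added example, not part of the thread and not IdenTrust's, Mozilla's or zlint's code, the three categories in Jonathan's list, together with the "no FQDN, no IP address, no serverAuth EKU" test the reply above relies on, can be written as a small linter over Go's crypto/x509 (zlint, the linter usually run on batches like these, is also written in Go). Everything below is constructed for illustration: the finding labels, the example hostnames and UPN, the choice of the Microsoft UPN OID 1.3.6.1.4.1.311.20.2.3 for the otherName, and the two sample certificates, which are built as structs carrying the fields x509.ParseCertificate would fill rather than being signed and re-parsed. In real use Lint takes the *x509.Certificate parsed from each crt.sh DER blob.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"net/url"
)

// Finding labels for the three categories listed in the thread.
const (
	HTTPSOCSP    = "OCSP responder URL uses https"
	OtherNameSAN = "subjectAltName contains an otherName"
	AnyEKUNoTLS  = "anyExtendedKeyUsage without serverAuth, DNS name or IP address"
)

var oidSAN = asn1.ObjectIdentifier{2, 5, 29, 17}

// Lint reports which of the three categories a parsed certificate falls into.
func Lint(cert *x509.Certificate) []string {
	var out []string
	// 1) AIA id-ad-ocsp URLs; url.Parse lowercases the scheme, so no case folding is needed.
	for _, u := range cert.OCSPServer {
		if p, err := url.Parse(u); err == nil && p.Scheme == "https" {
			out = append(out, HTTPSOCSP)
			break
		}
	}
	if sanHasOtherName(cert) {
		out = append(out, OtherNameSAN)
	}
	// 3) anyEKU with nothing that makes this a TLS server certificate.
	anyEKU, serverAuth := false, false
	for _, e := range cert.ExtKeyUsage {
		anyEKU = anyEKU || e == x509.ExtKeyUsageAny
		serverAuth = serverAuth || e == x509.ExtKeyUsageServerAuth
	}
	if anyEKU && !serverAuth && len(cert.DNSNames) == 0 && len(cert.IPAddresses) == 0 {
		out = append(out, AnyEKUNoTLS)
	}
	return out
}

// sanHasOtherName re-decodes the raw SAN as SEQUENCE OF RawValue: Go's parser keeps only
// dNSName, rfc822Name, URI and iPAddress and silently drops otherName (context tag [0]).
func sanHasOtherName(cert *x509.Certificate) bool {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidSAN) {
			continue
		}
		var names []asn1.RawValue
		if _, err := asn1.Unmarshal(ext.Value, &names); err != nil {
			return false // malformed SAN, which a full linter reports as its own finding
		}
		for _, gn := range names {
			if gn.Class == asn1.ClassContextSpecific && gn.Tag == 0 {
				return true
			}
		}
	}
	return false
}

// otherNameSAN hand-encodes a SAN with [0] otherName (a UPN, OID 1.3.6.1.4.1.311.20.2.3,
// constructed sample) then [1] rfc822Name. Inputs are constants, so Marshal errors are ignored.
func otherNameSAN(upn string) []byte {
	raw := func(class, tag int, compound bool, b []byte) []byte {
		out, _ := asn1.Marshal(asn1.RawValue{Class: class, Tag: tag, IsCompound: compound, Bytes: b})
		return out
	}
	oid, _ := asn1.Marshal(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3})
	val, _ := asn1.MarshalWithParams(upn, "utf8")
	// otherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }, itself tagged [0] IMPLICIT.
	other := raw(asn1.ClassContextSpecific, 0, true, append(oid, raw(asn1.ClassContextSpecific, 0, true, val)...))
	email := raw(asn1.ClassContextSpecific, 1, false, []byte(upn))
	return raw(asn1.ClassUniversal, asn1.TagSequence, true, append(other, email...))
}

// LintSamples lints a certificate shaped like those in the thread (https OCSP, otherName SAN,
// anyEKU plus client EKUs, no DNS name or IP) next to a normal TLS server certificate.
func LintSamples() (problem, clean []string) {
	problem = Lint(&x509.Certificate{
		OCSPServer:  []string{"https://ocsp.example.test"},
		Extensions:  []pkix.Extension{{Id: oidSAN, Value: otherNameSAN("user@example.test")}},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageAny, x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection},
	})
	clean = Lint(&x509.Certificate{
		OCSPServer:  []string{"http://ocsp.example.test"},
		DNSNames:    []string{"www.example.test"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return problem, clean
}

func main() {
	problem, clean := LintSamples()
	fmt.Println("problem cert:", problem, "| clean cert:", clean)
}
```

The point worth keeping from this is the SAN handling: a check that only consulted cert.DNSNames, EmailAddresses, IPAddresses and URIs would never see an otherName, because the standard-library parser discards name forms it does not model, so category 2 has to be detected from the raw extension bytes in cert.Extensions. Category 3 is deliberately the reply's own test turned around: a certificate with anyExtendedKeyUsage that carries no DNS name, no IP address and no serverAuth EKU is exactly the shape Jonathan describes as a client certificate pulled into scope by the anyEKU value.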
