On Wednesday, August 16, 2017 at 1:45:12 PM UTC-4, Jonathan Rudenberg wrote: > > On Aug 16, 2017, at 12:52, Jonathan Rudenberg via dev-security-policy > > <[email protected]> wrote: > > > > I looked through the CT logs and found 15 more unexpired unrevoked > > certificates that are trusted by NSS and appear to have the same inaccurate > > organizationName of “U.S. Government” for a non-USG entity. > > > > The list is here: https://misissued.com/batch/10/ > > > > Can you explain why your review missed these? Are there any more in > > addition to these 15 and previous 5? > > > > Jonathan > > After looking into this more, I’ve found that the majority of certificates > issued by the "IdenTrust ACES CA 2” and "IdenTrust ACES CA 1” intermediates > are not BR-compliant. > > The issues fall into three categories: > > 1) Certificates with HTTPS OCSP URLs > 2) Certificates with otherName SANs > 3) Certificates that appear to be intended as client certificates, but have > the anyExtendedKeyUsage EKU, putting them in scope for the Mozilla Root > Policy. > > I’ve found 33 certificates that have one or more of these issues that are > unexpired and unrevoked. > > Here is the full list: https://misissued.com/batch/11/ (note that it is a > superset of the batch I posted earlier today) > > Jonathan
In ref to "2) Certificates with otherName SANs above", we have identified 30 certificates with this issue that are also part of the same population of certificates with the https and o=US government issue. As indicated in the previous reports addressing the HTTP and o=US Government, we have corrected the ACES certificate profile and have been proactively contacting clients via email notifications and phone calls inviting them to replace those certificates. On August 31, 2017 at the latest, we will be making a decision regarding any outstanding certificates with this or with the other 2 issues and posting an update to the forum. _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
