* To protect personal information, this message was sent with the recipients hidden (BCC).
-----------------------------------------------------
Paul-san,

Thank you for the notice. We are going to investigate this matter.

Best regards,
Hisashi Kamo
Secom Trust Systems

> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-bounces+h-kamo=secom.co...@lists.mozilla.org] On Behalf Of Paul Kehrer via dev-security-policy
> Sent: Thursday, August 31, 2017 10:02 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Violations of Baseline Requirements 4.9.10
>
> I have updated the list below to try to capture all the information provided in this thread about which responders have been fixed (and verified using another random serial number), which ones have a date, and removed the ones that are actually under technical constraint that I missed.
>
> I have received several responses from CAs that were CC'd informing me that they are investigating but until the issues are resolved or I have a date for resolution I have not noted those communications below.
>
>
> AS Sertifitseerimiskeskuse (SK)
>
> CCADB does not list an email address. Not CC'd.
>
> DN: C=EE, O=AS Sertifitseerimiskeskus, CN=EE Certification Centre Root CA, emailAddress=p...@sk.ee
> Example cert: https://crt.sh/?q=74d992d3910bcf7e34b8b5cd28f91eaeb4f41f3da6394d78b8c43672d43f4f0f
> OCSP URI: http://ocsp.sk.ee/CA
>
> Autoridad de Certificacion Firmaprofesional
>
> Email sent to i...@firmaprofesional.com
>
> DN: C=ES, CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
> Example cert: https://crt.sh/?q=cd74198d4c23e4701dea579892321b9e4f47a08bd8374710b899aad1495a4b35
> OCSP URI: http://ocsp.firmaprofesional.com
>
> DN: C=ES, emailAddress=c...@firmaprofesional.com, L=C/ Muntaner 244 Barcelona, OU=Consulte http://www.firmaprofesional.com, OU=Jerarquia de Certificacion Firmaprofesional, O=Firmaprofesional S.A. NIF A-62634068, CN=AC Firmaprofesional - CA1
> Example cert: https://crt.sh/?q=649d5190f9fff58de60313c2f0598393f9dba05368b1dbfe93ec806015fb8796
> OCSP URI: http://ocsp.firmaprofesional.com
>
> DN: C=ES, O=Firmaprofesional SA, OU=Certificados Digitales para la Administracion Publica, serialNumber=A62634068, CN=AC Firmaprofesional - AAPP
> Example cert: https://crt.sh/?q=d4ef928ee32c3838d40e5756b523829b1dafcd46fd84428ba03d59330a4ae5e7
> OCSP URI: http://ocsp.firmaprofesional.com
>
> CA Disig a.s.
>
> Email sent to tspnot...@disig.sk
>
> DN: C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig R1I1 Certification Service
> Example cert: https://crt.sh/?q=da74b18f3651bf90a8b2c07f8df294de19e441dcaa6913627261752199c302a2
> OCSP URI: http://subcar1i1-ocsp.disig.sk/ocsp/subcar1i1
>
> DN: C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig R2I2 Certification Service
> Example cert: https://crt.sh/?q=1a088e912ddb15a3b52ab1396af2a1ce0dcfab170e007e551f63231c76975417
> OCSP URI: http://subcar2i2-ocsp.disig.sk/ocsp/subcar2i2
>
> DN: C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig Root R1
> Example cert: https://crt.sh/?q=e1abb0faeaa7312f2c3e041cbd2df03a507e346b9716442463ed61106aff6947
> OCSP URI: http://rootcar1-ocsp.disig.sk/ocsp/rootcar1
>
> DN: C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig Root R2
> Example cert: https://crt.sh/?q=239ffa86d71033ba255914782057d87e8421aedd5910b786928b6a1248c3e341
> OCSP URI: http://rootcar2-ocsp.disig.sk/ocsp/rootcar2
>
> certSIGN
>
> Email sent to off...@certsign.ro
>
> DN: C=RO, O=certSIGN, OU=certSIGN Enterprise CA Class 3 G2, CN=certSIGN Enterprise CA Class 3 G2
> Example cert: https://crt.sh/?q=98ab1983ae9f6a6116e5010e3ab2b1b0bf266fa205a140b1bc1d340ff4ff6355
> OCSP URI: http://ocsp.certsign.ro
> Notes: This is fixed as of 2017-08-31
>
> DN: C=RO, O=certSIGN, OU=certSIGN ROOT CA
> Example cert: https://crt.sh/?q=3003bf8853427c7b91023f7539853d987c58dc4e11bbe047d2a9305c01a6152c
> OCSP URI: http://ocsp.certsign.ro
> Notes: Per Cristian Garabet this will be resolved 2017-09-15
>
> Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert)
>
> CCADB does not list an email address. Not CC'd.
>
> DN: C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), L=Passatge de la Concepcio 11 08008 Barcelona, OU=Serveis Publics de Certificacio ECV-2, OU=Vegeu https://www.catcert.net/verCIC-2 (c)03, OU=Administracions Locals de Catalunya, CN=EC-AL
> Example cert: https://crt.sh/?q=88f6298c5a8cc66cefb8ea214a528c3efce36a26213fe4fd260613967d39e7d4
> OCSP URI: http://ocsp.catcert.net
>
> DN: C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), L=Passatge de la Concepcio 11 08008 Barcelona, OU=Serveis Publics de Certificacio ECV-2, OU=Vegeu https://www.catcert.net/verCIC-2 (c)03, OU=Administracions Locals de Catalunya, CN=EC-AL
> Example cert: https://crt.sh/?q=1869a83f83b8f034336ab09fe52563c00c80c4b45897b3ea15e658fd14306208
> OCSP URI: http://ocsp.catcert.net
>
> DN: C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), L=Passatge de la Concepcio 11 08008 Barcelona, OU=Serveis Publics de Certificacio ECV-2, OU=Vegeu https://www.catcert.net/verCIC-2 (c)03, OU=Secretaria d'Administracio i Funcio Publica, CN=EC-SAFP
> Example cert: https://crt.sh/?q=15d3c7463f477e2627c4c9a158e429abd6bfe63101d6745560a36d1c03363d30
> OCSP URI: http://ocsp.catcert.net
>
> DN: C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), L=Passatge de la Concepcio 11 08008 Barcelona, OU=Serveis Publics de Certificacio ECV-2, OU=Vegeu https://www.catcert.net/verCIC-2 (c)03, OU=Universitats i Recerca, CN=EC-UR
> Example cert: https://crt.sh/?q=7432b4c29e1360668814ec282ad78208cd521e62b8d8d60d5084fdf8daad57cb
> OCSP URI: http://ocsp.catcert.net
>
> DN: C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), L=Passatge de la Concepcio 11 08008 Barcelona, OU=Serveis Publics de Certificacio ECV-2, OU=Vegeu https://www.catcert.net/verCIC-2 (c)03, OU=Universitats i Recerca, CN=EC-UR
> Example cert: https://crt.sh/?q=3148d57a495fd7bdf4653dfdd3d3c9d186547df42e296c4e1b6a7c679179d03f
> OCSP URI: http://ocsp.catcert.net
>
> DN: C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), L=Passatge de la Concepcio 11 08008 Barcelona, OU=Serveis Publics de Certificacio, OU=Vegeu https://www.catcert.net/verCIC-3 (c)05, OU=Universitat Rovira i Virgili, CN=EC-URV
> Example cert: https://crt.sh/?q=caa2a1fe7756bd5e227add40c5e06808dc0a79f1e8c93e4bf982df4893b284e4
> OCSP URI: http://ocsp.catcert.net
>
> DN: C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), OU=Serveis Publics de Certificacio, OU=Vegeu https://www.catcert.net/verarrel (c)03, OU=Jerarquia Entitats de Certificacio Catalanes, CN=EC-ACC
> Example cert: https://crt.sh/?q=356a5f4d994e9efa7caefc491768911d65ec25977465b610e2f29aa4472631c3
> OCSP URI: http://ocsp.catcert.net
>
> DN: C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), OU=Serveis Publics de Certificacio, OU=Vegeu https://www.catcert.net/verarrel (c)03, OU=Jerarquia Entitats de Certificacio Catalanes, CN=EC-ACC
> Example cert: https://crt.sh/?q=20d082b1f53252e33cee5991be8650b414f11f3af16a14295c2fee0c9ab558c2
> OCSP URI: http://ocsp.catcert.net
>
> DigiCert:
>
> Email sent to rev...@digicert.com
>
>
> DN: C=CH, L=Zurich, O=ABB, CN=ABB Issuing CA 6
> Example cert: https://crt.sh/?id=16963460
> OCSP URI: http://aia.pki.abb.com/ocsp
> Notes: This CA is technically constrained via NC except under IPv6. The BRs require IPv6 exclusion to be considered constrained so I believe this is still an issue at this time.
>
> DN: CN=Cartão de Cidadão 001, OU=ECEstado, O=SCEE - Sistema de Certificação Electrónica do Estado, C=PT
> Example cert: https://crt.sh/?id=12729446
> OCSP URI: http://ocsp.root.cartaodecidadao.pt/publico/ocsp
> Notes: Per Ben Wilson this CA only issues client certificates. It is, however, trusted for serverAuth.
>
> DN: C=PT, O=MULTICERT - Serviços de Certificação Electrónica S.A., OU=Accredited Certification Authority, CN=MULTICERT Certification Authority 002
> Example cert: https://crt.sh/?id=117934576
> OCSP URI: http://ocsp.multicert.com/ocsp
> OCSP URI: http://ocsp.multicert.com/procsp
>
> DN: C=PT, O=MULTICERT - Serviços de Certificação Electrónica S.A., OU=Entidade de Certificação Credenciada, CN=MULTICERT - Entidade de Certificação 001
> Example cert: https://crt.sh/?id=11653177
> OCSP URI: http://ocsp.multicert.com/ocsp
>
> DN: DC=com, DC=sanpaoloimi, DC=corp, CN=Intesa Sanpaolo CA Servizi Esterni
> Example cert: https://crt.sh/?id=10915119
> OCSP URI: http://ocsp.intesasanpaolo.com
>
> DN: DC=com, DC=sanpaoloimi, DC=corp, CN=Intesa Sanpaolo CA Servizi Esterni Enhanced
> Example cert: https://crt.sh/?id=119601976
> OCSP URI: http://ocsp.intesasanpaolo.com
>
> DigiCert/Government of Portugal, Sistema de Certificação Electrónica do Estado (SCEE) / Electronic Certification System of the State:
>
> DN: C=PT, O=SCEE, CN=ECRaizEstado
> Example cert: https://crt.sh/?id=8322256
> OCSP URI: http://ocsp.ecee.gov.pt
>
> DigiCert/Wells Fargo Bank, N.A.:
>
> DN: Wells Fargo WellsSecure, OU=Wells Fargo Bank NA, CN=WellsSecure Public Root Certification Authority 01 G2
> Example cert: https://crt.sh/?id=2029493
> OCSP URI: http://validator.wellsfargo.com/
>
> DocuSign (OpenTrust/Keynectis)
>
> CCADB does not list an email address. Not CC'd.
>
> DN: C=FR, O=OpenTrust, OU=0002 478217318, CN=OpenTrust CA for AATL G1
> Example cert: https://crt.sh/?q=8e409aaa332930d32acbab3b514c3e116b1b4d8cc6cf3dfc016a05f9c266f597
> OCSP URI: http://get-ocsp.certificat.com/opentrustcaforaatlg1
>
> Government of The Netherlands, PKIoverheid (Logius)
>
> Email sent to supp...@quovadisglobal.com
>
> DN: C=NL, O=KPN Corporate Market BV, CN=KPN Corporate Market CSP Organisatie CA - G2
> Example cert: https://crt.sh/?q=f821a600af00d2fa23f569e00fdf2379bc182920205a6b9b0276733cb2857c15
> OCSP URI: http://ocsp2.managedpki.com
>
> IdenTrust (fixed as of 2017-08-31)
>
> DN: C=US, O=Digital Signature Trust, OU=DST ACES, CN=DST ACES CA X6
> Example cert: https://crt.sh/?id=136954
> OCSP URI: https://publicsector.ocsp.identrust.com (note this is https as well)
> Notes: This is fixed as of 2017-08-31
>
> Izenpe S.A.
>
> CCADB does not list an email address. Not CC'd.
>
> DN: C=ES, O=IZENPE S.A., CN=Izenpe.com
> Example cert: https://crt.sh?q=b08c196a2ed1e84f9892db1b61219ceb642882478f39b08719603d0735fa03d1
> OCSP URI: http://ocsp.izenpe.com
> OCSP URI: http://ocsp.izenpe.com:8094
>
> PROCERT
>
> CCADB does not list an email address. Not CC'd. However, this is already under discussion (among other issues) in https://bugzilla.mozilla.org/show_bug.cgi?id=1391058
>
>
> DN: emailAddress=conta...@procert.net.ve, L=Chacao, ST=Miranda, OU=Proveedor de Certificados PROCERT, O=Sistema Nacional de Certificacion Electronica, C=VE, CN=PSCProcert
> Example cert: https://crt.sh/?id=109516168
> OCSP URI: http://ura.procert.net.ve/ocsp
>
> SECOM Trust Systems Co. Ltd.
>
> Email sent to ca-supp...@ml.secom-sts.co.jp
>
> DN: C=JP, L=Academe, O=National Institute of Informatics, CN=NII Open Domain CA - G4
> Example cert: https://crt.sh/?q=fc1c83a714148a269d787b4cd306b8f19165f1829b1b280c40315f03f85a9964
> OCSP URI: http://niig4.ocsp.secomtrust.net
>
> DN: C=JP, O=CrossTrust, CN=CrossTrust DV CA3
> Example cert: https://crt.sh/?q=525ae2e9fc4901507d30f7f381af765a81bd7276353651594be323205f5c93ef
> OCSP URI: http://dvca3.ocsp.crosstrust.net
>
> DN: C=JP, O=CrossTrust, CN=CrossTrust OV CA3
> Example cert: https://crt.sh/?q=1857ba98deb0a30c2f6e5f064381420bae0a3bd1df2b6652a525a66b7030d505
> OCSP URI: http://ovca3.ocsp.crosstrust.net
>
> DN: C=JP, O="FreeBit Co.,Ltd.", CN=YourNet SSL for business2
> Example cert: https://crt.sh/?q=70a530cc67a67a1d1b010aad8370609f407d2d91987b59e5f71e51921f58a346
> OCSP URI: http://freebitov2.ocsp.secomtrust.net
>
> DN: C=JP, O="FreeBit Co.,Ltd.", CN=YourNet SSL for domain2
> Example cert: https://crt.sh/?q=731421bd0429723c8bb562ea469dba90095e790ed8c22482b32cbcd26f7c4235
> OCSP URI: http://freebitdv2.ocsp.secomtrust.net
>
> DN: C=JP, O=FUJIFILM, CN=FUJIFILM Fnet CA - S
> Example cert: https://crt.sh/?q=3e1b4f7a037a7c8d830329b02f91a37405bb369639bebeb777b2b150204b995b
> OCSP URI: http://fnetcas.ocsp.secomtrust.net
>
> DN: C=JP, O=Fuji Xerox, CN=Fuji Xerox Xnet CA - S
> Example cert: https://crt.sh/?q=78606d4c88f75e783d39139d664889a4910d7146ae3b1da7b24c81f3df909b39
> OCSP URI: http://xnetcas.ocsp.secomtrust.net
>
> DN: C=JP, O=INTEC INC., CN=EINS/PKI Public Certification Authority V2
> Example cert: https://crt.sh/?q=90f07f5ae79e83cf8c75f946df031a165fa2553f3a3d04ae62368f81773a717f
> OCSP URI: http://intec.ocsp.secomtrust.net
>
> DN: C=JP, O=INTEC INC., CN=EINS/PKI Public Certification Authority V3
> Example cert: https://crt.sh/?q=ad72b76954165daf1b9021c1fb2b9b648e978dc9862a525a88274ec1b7e9f61f
> OCSP URI: http://intec2.ocsp.secomtrust.net
>
> DN: C=JP, O="Japan Registry Services Co., Ltd.", CN=JPRS Domain Validation Authority - G1
> Example cert: https://crt.sh/?q=22a04b51e2be5e12726357431ee2568d707515c1f3f094123a391acb540acebb
> OCSP URI: http://dv.ocsp.pubcert.jprs.jp
>
> DN: C=JP, O="Japan Registry Services Co., Ltd.", CN=JPRS Organization Validation Authority - G1
> Example cert: https://crt.sh/?q=30748bde0a6fc2802e638511516745141f95c08b8bdf44e69bfb96b0ff2d7ad2
> OCSP URI: http://ov.ocsp.pubcert.jprs.jp
>
> DN: C=JP, O=KAGOYA JAPAN Inc., CN=KAGOYA JAPAN Certification Authority
> Example cert: https://crt.sh/?q=5d2c95d1995e2dbce6f6db38eee7fbe5782965b3e24cec3c483761a4b09cf1a2
> OCSP URI: http://kagoya.ocsp.secomtrust.net
>
> DN: C=JP, O=KDDI Web Communications Inc., CN=KDDI Web Communications Certification Authority
> Example cert: https://crt.sh/?q=0edc6f278d94a6a0c58f39169ba369b3e0273813bdad4c43e4a525c73ff9ed66
> OCSP URI: http://kddiweb.ocsp.secomtrust.net
>
> DN: C=JP, O="Nijimo, Inc.", CN=FujiSSL Public Certification Authority - G1
> Example cert: https://crt.sh/?q=460d994d73ed6b1db484dac0d525fcb3fbfdd2a0982183788c917c4b1d03d839
> OCSP URI: http://nijimo.ocsp.secomtrust.net
>
> DN: C=JP, O=SECOM Trust.net, OU=Security Communication RootCA1
> Example cert: https://crt.sh/?q=c415cebfa3fc2ef3c74092b84265bad64c3fc9994c91177965667d7abee90588
> OCSP URI: http://scrootca1.ocsp.secomtrust.net
>
> DN: C=JP, O="SECOM Trust Systems CO.,LTD.", CN=SECOM Passport for Web EV 2.0 CA
> Example cert: https://crt.sh/?q=9cf126826bb66aa8b40cc33ca6410e789982373342218d4fd8d6da7d71a88914
> OCSP URI: http://ev2.ocsp.secomtrust.net
>
> DN: C=JP, O="SECOM Trust Systems CO.,LTD.", CN=SECOM Passport for Web EV CA
> Example cert: https://crt.sh/?q=92ad0dd7ae67012cb96b33a96d24207f883af033d587deab402c70644d98e5be
> OCSP URI: http://ev.ocsp.secomtrust.net
>
> DN: C=JP, O="SECOM Trust Systems CO.,LTD.", CN=SECOM Passport for Web MH CA
> Example cert: https://crt.sh/?q=06ea91549c4c2d7aaf1b8c4b7c13ca25dc9456b2c187900b7c196a52561d08c0
> OCSP URI: http://mh.ocsp.secomtrust.net
>
> DN: C=JP, O="SECOM Trust Systems CO.,LTD.", CN=SECOM Passport for Web SR 3.0 CA
> Example cert: https://crt.sh/?q=625ee6aaca95caf9d8b130bc0ce1903286e90ccf32d014b1410e0fc8ad9a34c2
> OCSP URI: http://sr30.ocsp.secomtrust.net
>
> DN: C=JP, O="SECOM Trust Systems CO.,LTD.", OU=Security Communication EV RootCA1
> Example cert: https://crt.sh/?q=cbe221580a9800b7e4608d21f7d59e539a64d5c3996c722cf2cde908aa89d4ba
> OCSP URI: http://evroot.ocsp.secomtrust.net
>
> DN: C=JP, O="SECOM Trust Systems CO.,LTD.", OU=Security Communication RootCA2
> Example cert: https://crt.sh/?q=7cf75f006ccff8da30d6ea2a2f7c50d0447aa2513ff4a4a37bf292470bba8c85
> OCSP URI: http://scrootca2.ocsp.secomtrust.net
>
> DN: C=JP, O=XiPS, CN=XiPS CA2
> Example cert: https://crt.sh/?q=ae7a6dcb4ead3fae08aa340576595bd02261c2e002f016a83374b3a70446cd06
> OCSP URI: http://xips2.ocsp.secomtrust.net
>
> Symantec / GeoTrust
>
> *Removed from the list as Ryan Sleevi noted the subordinates in question are technically constrained*
>
> Visa
>
> Email sent to pkipol...@visa.com
>
> DN: C=US, O=VISA, OU=Visa International Service Association, CN=Visa eCommerce Issuing CA
> Example cert: https://crt.sh/?id=53550125
> OCSP URI: http://ocsp.visa.com/ocsp
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy