On Friday, September 29, 2017 at 1:29:26 PM UTC-7, Rob Stradling wrote:
> Several CAs have issued intermediate CA certificates with duplicate
> serial numbers. This is a clear violation of the serial number
> uniqueness requirement of the BRs and RFC5280 4.1.2.2. Below is a list
> of all those known to crt.sh that chain to at least 1 NSS built-in root:
>

Thanks, Rob. I plan to file Bugzilla Bugs for these (for those not already filed), and request that these CAs scan their databases for all certs with same issuer/serial and provide an incident report. But before doing so, I compared your finding with what I see in the CCADB...

> Issuer: https://crt.sh/?caid=140
> Issuer O: AC Camerfirma SA CIF A82743287
> Issuer CN: Chambers of Commerce Root
> Subject CN: (id=1252) AC CAMERFIRMA AAPP
> (id=12625404) AC Camerfirma Express Corporate Server
> Serial #: 0d
> Certs: https://crt.sh/?id=1252
> https://crt.sh/?id=12625404
> Revoked?: No
>

I see these Camerfirma doppelgangers in the CCADB.

> Issuer: https://crt.sh/?caid=935
> Issuer O: Actalis S.p.A./03358520967
> Issuer CN: Actalis Authentication Root CA
> Subject CN: UniCredit Subordinate External
> Serial #: 3e:5d:be:44:e7:51:5a:5a
> Certs: https://crt.sh/?id=47081615
> https://crt.sh/?id=147626411
> Revoked?: No

I am not finding these Actalis certs in the CCADB. Will include that in the Actalis bug as well.

By the way, I do not see them listed here: https://crt.sh/mozilla-disclosures#undisclosed

> Issuer: https://crt.sh/?caid=941
> Issuer O: Atos
> Issuer CN: Atos TrustedRoot 2011
> Subject CN: Atos TrustedRoot Client-CA 2011
> Serial #: 5b:6a:8e:8d:5a:86:71:8f
> Certs: https://crt.sh/?id=12725513
> https://crt.sh/?id=12725727
> https://crt.sh/?id=12728899
> Revoked?: No
> Subject CN: Atos TrustedRoot CodeSigning-CA 2011
> Serial #: 33:45:52:39:ec:16:dd:62
> Certs: https://crt.sh/?id=18068233
> https://crt.sh/?id=49643406
> Revoked?: Yes
> Subject CN: Atos TrustedRoot Server-CA 2011
> Serial #: 6b:5d:91:bc:13:61:ce:75
> Certs: https://crt.sh/?id=705899
> https://crt.sh/?id=18068212
> Revoked?: Yes

I see these Atos doppelgangers in the CCADB.

> Issuer: https://crt.sh/?caid=138
> Issuer O: SwissSign AG
> Issuer CN: SwissSign Gold CA - G2
> Subject CN: AffirmTrust Networking
> Serial #: 84:3c:74:b1:aa:34:86:b1:c4:c7:a0:df:55:b5:e9
> Certs: https://crt.sh/?id=3386
> https://crt.sh/?id=1991456
> Revoked?: No
> Subject CN: Trend Micro Gold CA
> Serial #: 49:e1:33:6e:94:e5:b6:a5:2d:a9:6e:d4:8a:e2:76
> Certs: https://crt.sh/?id=12629343
> https://crt.sh/?id=198226194
> Revoked?: Yes

I see these SwissSign doppelgangers in the CCADB.

> Issuer: https://crt.sh/?caid=656
> Issuer O: Trustwave Holdings, Inc.
> Issuer CN: Trustwave Organization Issuing CA, Level 2
> Subject CN: Trustwave Enterprise CA
> Serial #: 6b:49:d2:04
> Certs: https://crt.sh/?id=12624965
> https://crt.sh/?id=12629351
> Revoked?: Issuer cert revoked (https://crt.sh/?id=95565)
>
> Issuer: https://crt.sh/?caid=12391
> Issuer O: Trustwave Holdings, Inc.
> Issuer CN: Trustwave Enterprise CA
> Subject CN: Trustwave Enterprise VPN CA
> Serial #: 41:90:ae:5d
> Certs: https://crt.sh/?id=12625419
> https://crt.sh/?id=12629788
> Revoked?: Issuer's issuer cert revoked (https://crt.sh/?id=95565)

I see the revoked issuer is in CCADB. The other certs are not, but that's OK since the revoked issuer is in OneCRL.

> Issuer: https://crt.sh/?caid=1450
> Issuer O: WoSign CA Limited
> Issuer CN: CA 沃通根证书
> Subject CN: 中国湖南 EV 服务器证书
> Serial #: 44:80:7b:20:7c:f2:05:2e:8d:34:11:77:02:66:d2:95
> Certs: https://crt.sh/?id=7841622
> https://crt.sh/?id=9318242
> Revoked?: No (x-certs from StartCom not yet in OneCRL; StartCom roots
> still in NSS)
> Subject CN: CA 沃通 EV 代码签名证书
> Serial #: 3a:de:c4:02:27:0b:f4:ee:9e:89:2c:c6:5e:0a:da:21
> Certs: https://crt.sh/?id=12728869
> https://crt.sh/?id=12729072
> Revoked?: No (x-certs from StartCom not yet in OneCRL; StartCom roots
> still in NSS)

I don't plan to file a bug for these WoSign doppelganger certs, since we've already disabled and are removing the WoSign roots (bug #1387260).

Also, I see another set of doppelganger certs in the CCADB. Not sure why they didn't show up in your script output...

Issuer commonName: Belgium Root CA4
Subject commonName: Belgium Root CA4
Serial Number: 4f33208cc594bf38
https://crt.sh/?id=26311649
https://crt.sh/?id=160110886
Revoked? No

Thanks,
Kathleen

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
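The scan the message asks the affected CAs to run, "all certs with same issuer/serial", is essentially a grouping of a certificate inventory by the (issuer Name, serialNumber) pair that RFC 5280 section 4.1.2.2 requires to be unique per issuer. The example below is added here and is not code from the post, from crt.sh or from any CA; it uses only the Python standard library, with a minimal DER walker that pulls the serial number and the raw issuer Name bytes out of a certificate (comparing the issuer as DER bytes rather than as a formatted string avoids false matches and misses caused by string-encoding differences). The DER inputs are constructed, unsigned, certificate-shaped stand-ins built by a small encoder in the block, not the real certificates; the crt.sh ids and serial numbers used as labels are taken from the post, and the "unique" entries are invented to show the negative cases.

```python
"""Group certificates by (issuer Name DER, serialNumber) and report the groups
with more than one member, i.e. violations of RFC 5280 4.1.2.2 uniqueness.
Added example (standard library only); the sample certificates are constructed."""
from collections import defaultdict
from typing import Dict, List, Tuple

# ---- minimal DER reading --------------------------------------------------

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after this TLV) for the TLV at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form length, 1..4 length bytes
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end

def issuer_and_serial(cert_der: bytes) -> Tuple[bytes, int]:
    """Extract (issuer Name as raw DER, serialNumber) from a DER X.509 cert."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, _ = _read_tlv(cert, 0)          # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, content, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                           # optional [0] EXPLICIT version
        tag, content, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    serial = int.from_bytes(content, "big", signed=True)
    _, _, pos = _read_tlv(tbs, pos)           # signature AlgorithmIdentifier
    start = pos
    tag, _, pos = _read_tlv(tbs, pos)         # issuer Name
    if tag != 0x30:
        raise ValueError("expected SEQUENCE issuer")
    return tbs[start:pos], serial

def find_duplicates(certs: Dict[str, bytes]) -> Dict[Tuple[bytes, int], List[str]]:
    """Map each (issuer, serial) pair to the labels of the certs that share it,
    keeping only pairs used by more than one certificate."""
    groups: Dict[Tuple[bytes, int], List[str]] = defaultdict(list)
    for label, der in certs.items():
        groups[issuer_and_serial(der)].append(label)
    return {key: labels for key, labels in groups.items() if len(labels) > 1}

# ---- minimal DER writing, used only to build constructed test inputs --------

def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def _der_int(value: int) -> bytes:
    n = value.bit_length() // 8 + 1           # extra byte keeps positive values positive
    return _der(0x02, value.to_bytes(n, "big", signed=True))

def _der_name(common_name: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, with only CN (2.5.4.3)."""
    atv = _der(0x30, bytes.fromhex("0603550403") + _der(0x0C, common_name.encode("utf-8")))
    return _der(0x30, _der(0x31, atv))

def fake_certificate(issuer_cn: str, subject_cn: str, serial: int) -> bytes:
    """Constructed, unsigned, certificate-shaped DER (a stand-in, not a real cert)."""
    alg = _der(0x30, bytes.fromhex("06092a864886f70d01010b") + b"\x05\x00")  # sha256WithRSA OID
    validity = _der(0x30, _der(0x17, b"170101000000Z") + _der(0x17, b"270101000000Z"))
    spki = _der(0x30, alg + _der(0x03, b"\x00"))                          # placeholder key
    tbs = _der(0x30, _der(0xA0, _der_int(2)) + _der_int(serial) + alg
               + _der_name(issuer_cn) + validity + _der_name(subject_cn) + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))                     # placeholder signature

# Constructed inventory: labels and serials follow the post, the DER is fake.
SAMPLE_CERTS: Dict[str, bytes] = {
    "crt.sh id 47081615":  fake_certificate("Actalis Authentication Root CA", "UniCredit Subordinate External", 0x3E5DBE44E7515A5A),
    "crt.sh id 147626411": fake_certificate("Actalis Authentication Root CA", "UniCredit Subordinate External", 0x3E5DBE44E7515A5A),
    "crt.sh id 1252":      fake_certificate("Chambers of Commerce Root", "AC CAMERFIRMA AAPP", 0x0D),
    "crt.sh id 12625404":  fake_certificate("Chambers of Commerce Root", "AC Camerfirma Express Corporate Server", 0x0D),
    "unique-serial":       fake_certificate("Chambers of Commerce Root", "Hypothetical Sub CA", 0x0E),
    "unique-issuer":       fake_certificate("Hypothetical Other Root", "Hypothetical Sub CA", 0x0D),
}

if __name__ == "__main__":
    for (issuer, serial), labels in find_duplicates(SAMPLE_CERTS).items():
        print(f"serial {serial:x} reused under one issuer ({len(issuer)}-byte Name): {labels}")
```

Note that "unique-issuer" reuses serial 0d but under a different issuer, so it is correctly not reported: the requirement is per issuer, not global. Against a real database the `issuer_and_serial` extractor would be applied to each stored DER blob, and a CA whose database indexes certificates only by subject or by a string form of the issuer would want the key built from the DER bytes exactly as here.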