I have filed https://bugzilla.mozilla.org/show_bug.cgi?id=1435770 requesting an incident report from Certum.
On Mon, Feb 5, 2018 at 10:07 AM, Eric Mill via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> WoSign and StartCom are untrusted, but Certum is still trusted, right?
>
> Yes, the two certificates issued by Certum are trusted by Mozilla.
>
> On Mon, Feb 5, 2018 at 11:08 AM, Hanno Böck via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> > Hi,
> >
> > I searched crt.sh for valid certificates vulnerable to the 2008 Debian
> > weak key bug. (Only 2048 bit.)
> >
> > Overall I found 5 unexpired certificates.
> >
> > Two certificates by Certum (reported on Saturday, Certum told me "We
> > have taken necessary steps to clarify this situation as soon as
> > possible", they're not revoked yet):
> > https://crt.sh/?id=308392091&opt=ocsp
> > https://crt.sh/?id=6888863&opt=ocsp
> >
> > Wosign:
> > https://crt.sh/?id=30347743
> > StartCom:
> > https://crt.sh/?id=54187884
> > https://crt.sh/?id=307753186
> >
> > As we all know these are no longer trusted by Mozilla, I reported them
> > nevertheless. No reply yet.
> >
> > Old bugs never die, I recommend every CA adds a check for the Debian
> > bug to their certificate issuance process.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
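The issuance-time check Hanno recommends above, as an added example that is not code from this thread, from Mozilla, or from any of the CAs named. It mirrors what Debian's openssl-vulnkey tool does: fingerprint the RSA modulus and look it up in a blocklist of the keys that the broken 2006-2008 Debian OpenSSL PRNG could produce. The fingerprint format (SHA-1 over the text `Modulus=<UPPERCASE HEX>\n`, exactly as `openssl x509 -noout -modulus` prints it, keeping the low 80 bits, i.e. the last 20 hex digits) is my understanding of the openssl-blacklist package's convention and is an assumption to verify against the package before relying on it. The modulus and blocklist embedded here are constructed for the example and are not real Debian weak keys; a CA would load the real `blacklist.RSA-1024`, `blacklist.RSA-2048` and `blacklist.RSA-4096` files (names as I recall them from the package) and run this against every CSR and every certificate before it leaves the pipeline.

```python
"""Debian weak-key check for RSA moduli, in the style of openssl-vulnkey.

Added example, not code from the thread, Mozilla or any CA.
Assumed (verify against Debian's openssl-blacklist before use):
  fingerprint = last 20 hex digits of SHA-1("Modulus=<UPPERHEX>\n"),
  one fingerprint per line in the blacklist files.
"""
import hashlib
import re

FINGERPRINT_HEX_DIGITS = 20  # low 80 bits of the SHA-1 digest (assumed format)

# What `openssl x509|req|rsa -noout -modulus` prints: "Modulus=<hex>"
_MODULUS_LINE = re.compile(r"^Modulus=([0-9A-Fa-f]+)$")


def normalise_modulus(modulus) -> str:
    """Return the modulus as uppercase hex without prefix.

    Accepts either an int (e.g. from a CSR parsed with a crypto library)
    or the "Modulus=..." line produced by the openssl CLI.
    """
    if isinstance(modulus, int):
        if modulus <= 0:
            raise ValueError("RSA modulus must be positive")
        return format(modulus, "X")
    m = _MODULUS_LINE.match(modulus.strip())
    if m is None:
        raise ValueError("expected 'Modulus=<hex>' or an int")
    return m.group(1).upper()


def weak_key_fingerprint(modulus) -> str:
    """Fingerprint in the (assumed) openssl-blacklist convention."""
    line = f"Modulus={normalise_modulus(modulus)}\n"
    return hashlib.sha1(line.encode("ascii")).hexdigest()[-FINGERPRINT_HEX_DIGITS:]


def load_blacklist(text: str) -> set:
    """Parse blacklist text: one fingerprint per line, '#' starts a comment."""
    entries = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if line:
            entries.add(line)
    return entries


def is_debian_weak(modulus, blacklist: set) -> bool:
    """True if the modulus is on the blocklist; reject the CSR/cert if so."""
    return weak_key_fingerprint(modulus) in blacklist


def key_bits(modulus) -> int:
    """Key size, used to pick blacklist.RSA-<bits> in a real deployment."""
    return int(normalise_modulus(modulus), 16).bit_length()


# --- constructed sample data (NOT real Debian weak keys) ------------------
# A 2048-bit odd number derived from a fixed seed so the example is
# deterministic; it stands in for a modulus the broken PRNG could emit.
CONSTRUCTED_WEAK_MODULUS = (
    int.from_bytes(hashlib.sha256(b"constructed weak modulus").digest() * 8, "big")
    | (1 << 2047)
    | 1
)

# A blacklist seeded with that one fingerprint; in production this is the
# content of the openssl-blacklist package files, not something you build.
CONSTRUCTED_BLACKLIST = load_blacklist(
    "# constructed for this example\n"
    + weak_key_fingerprint(CONSTRUCTED_WEAK_MODULUS)
    + "\n"
)

if __name__ == "__main__":
    cli_line = "Modulus=" + format(CONSTRUCTED_WEAK_MODULUS, "X")
    for candidate in (cli_line, CONSTRUCTED_WEAK_MODULUS + 2):
        verdict = "REJECT (Debian weak key)" if is_debian_weak(candidate, CONSTRUCTED_BLACKLIST) else "ok"
        print(key_bits(candidate), "bit modulus:", verdict)
```

The lookup is a set membership on an 80-bit value, so running it on every CSR costs nothing; the only real cost is keeping the blocklist files for each key size in the issuance host's image. Note the check is on the public modulus alone, so it works on certificates already issued (as Hanno's crt.sh search did) as well as on incoming requests.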