Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-08-18 Thread Gervase Markham via dev-security-policy
On 15/08/17 16:53, Ben Wilson wrote: > Attached is an audit from 2016. They are due for another one for 2017. Attachments don't appear on this list, but I have the docs. Please email me if you'd like them. I've asked Ben to update CCADB to point to them, and to also update any other entries

RE: Certificate with invalid dnsName issued from Baltimore intermediate

2017-08-16 Thread Ben Wilson via dev-security-policy
ct: Re: Certificate with invalid dnsName issued from Baltimore intermediate Hi Ben, On 03/08/17 15:38, Ben Wilson wrote: > Here is the response from Intesa Sanpaolo concerning the disruption > that revocation will cause to their banking operations: I've looked up the certs relating to this sub-CA

RE: Certificate with invalid dnsName issued from Baltimore intermediate

2017-08-15 Thread Ben Wilson via dev-security-policy
com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Certificate with invalid dnsName issued from Baltimore intermediate Hi Ben, On 03/08/17 14:32, Ben Wilson wrote: > That would be fine. Also, we have given Intesa Sanpaolo a scheduled > revocation date of 15 August 2017, and

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-08-15 Thread Gervase Markham via dev-security-policy
Hi Ben, On 03/08/17 15:38, Ben Wilson wrote: > Here is the response from Intesa Sanpaolo concerning the disruption that > revocation will cause to their banking operations: I've looked up the certs relating to this sub-CA in the CCADB. The key in question:

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-08-15 Thread Gervase Markham via dev-security-policy
Hi Ben, On 03/08/17 14:32, Ben Wilson wrote: > That would be fine. Also, we have given Intesa Sanpaolo a scheduled > revocation date of 15 August 2017, and I'm waiting to hear back. That's today; is it still the plan to revoke their intermediate? Gerv

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-08-03 Thread Matt Palmer via dev-security-policy
On Thu, Aug 03, 2017 at 02:38:33PM +, Ben Wilson via dev-security-policy wrote: > Here is the response from Intesa Sanpaolo concerning the disruption that > revocation will cause to their banking operations: [...] > Concerning the CA revocation, first of all, I want to underline that for us

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-08-03 Thread Alex Gaynor via dev-security-policy
2017 8:42 AM > *To:* Ben Wilson <ben.wil...@digicert.com> > *Cc:* Nick Lamb <tialara...@gmail.com>; mozilla-dev-security-policy@ > lists.mozilla.org > > *Subject:* Re: Certificate with invalid dnsName issued from Baltimore > intermediate > > > > If I'm read

RE: Certificate with invalid dnsName issued from Baltimore intermediate

2017-08-03 Thread Ben Wilson via dev-security-policy
Subject: Re: Certificate with invalid dnsName issued from Baltimore intermediate If I'm reading this correctly, these certificates are for internal services, not publicly accessible. Could they add their intermediate directly to these trust stores, allowing you to revoke it? Failing that, it

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-08-03 Thread Alex Gaynor via dev-security-policy
> Behalf Of Ben Wilson via dev-security-policy > Sent: Thursday, August 3, 2017 7:33 AM > To: Nick Lamb <tialara...@gmail.com>; > mozilla-dev-security-pol...@lists.mozilla.org > Subject: RE: Certificate with invalid dnsName issued from Baltimore > intermediate > &g

RE: Certificate with invalid dnsName issued from Baltimore intermediate

2017-08-03 Thread Ben Wilson via dev-security-policy
@lists.mozilla.org] On Behalf Of Ben Wilson via dev-security-policy Sent: Thursday, August 3, 2017 7:33 AM To: Nick Lamb <tialara...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: RE: Certificate with invalid dnsName issued from Baltimore intermediate That would be fine. Al

RE: Certificate with invalid dnsName issued from Baltimore intermediate

2017-08-03 Thread Ben Wilson via dev-security-policy
-security-policy Sent: Wednesday, August 2, 2017 10:34 AM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Certificate with invalid dnsName issued from Baltimore intermediate On Monday, 24 July 2017 17:34:03 UTC+1, Ben Wilson wrote: > Nick, > We are in discussions with Intesa Sanpaolo

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-08-02 Thread Nick Lamb via dev-security-policy
On Monday, 24 July 2017 17:34:03 UTC+1, Ben Wilson wrote: > Nick, > We are in discussions with Intesa Sanpaolo about implementing/pursuing > OneCRL or a similar approach (e.g. outright revocation of the CAs). > Thanks, > Ben Is there any progress on this? To be honest I was more meaning that

RE: Certificate with invalid dnsName issued from Baltimore intermediate

2017-07-24 Thread Ben Wilson via dev-security-policy
Of Nick Lamb via dev-security-policy Sent: Sunday, July 23, 2017 2:35 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Certificate with invalid dnsName issued from Baltimore intermediate On Sunday, 23 July 2017 20:12:18 UTC+1, Charles Reiss wrote: > This CA also issued a rec

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-07-23 Thread Nick Lamb via dev-security-policy
On Sunday, 23 July 2017 20:12:18 UTC+1, Charles Reiss wrote: > This CA also issued a recent certificate for the unqualified dNSName > 'webinterfacestrong': https://crt.sh/?id=177606495 Another name that it shouldn't be possible to issue for, but this time one which can actually exist in local

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-07-23 Thread Charles Reiss via dev-security-policy
On 07/17/2017 11:21 AM, Ben Wilson wrote: Dear Jonathan, Thank you for bringing this to our attention. We have contacted Intesa Sanpaolo regarding this error and have asked them to correct it as soon as possible. Sincerely yours, This CA also issued a recent certificate for the unqualified

RE: Certificate with invalid dnsName issued from Baltimore intermediate

2017-07-21 Thread Ben Wilson via dev-security-policy
@lists.mozilla.org] On Behalf Of Ryan Sleevi via dev-security-policy Sent: Tuesday, July 18, 2017 9:54 AM To: Jakob Bohm <jb-mozi...@wisemo.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Certificate with invalid dnsName issued from Baltimore intermediate On Tue, Jul 18, 2017 at 8:05 AM Jako

Re: Certificate with invalid dnsName issued from Baltimore

2017-07-20 Thread Myers, Kenneth (10421) via dev-security-policy
I've contacted the DHS PKI PMO and informed the DoD PKI PMO of the mis-issued certificates. Kenneth Myers Supporting the GSA Federal PKI Management Authority Manager Protiviti | 1640 King Street | Suite #400 | Alexandria | VA 22314 US | Protiviti.com NOTICE: Protiviti is a global consulting

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-07-19 Thread Rob Stradling via dev-security-policy
On 19/07/17 15:31, Jeremy Rowley via dev-security-policy wrote: You should also filter out expired certs as they aren't usable. I've added a 2nd tab that just shows unexpired certs. I'll also add a column to track the revocation status of each of these certs. I've left the expired certs in

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-07-19 Thread Rob Stradling via dev-security-policy
Hi Alex. This is about issuance (mal)practices, so therefore I didn't omit certs that are already revoked. On 19/07/17 15:29, Alex Gaynor via dev-security-policy wrote: I think there might be a bug in your SQL, one of the offending certs is issued by "C=US, O=U.S. Government, OU=Department of

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-07-19 Thread Jeremy Rowley via dev-security-policy
You should also filter out expired certs as they aren't usable. > On Jul 19, 2017, at 8:30 AM, Alex Gaynor via dev-security-policy > wrote: > > I think there might be a bug in your SQL, one of the offending certs is > issued by "C=US, O=U.S. Government,

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-07-19 Thread Alex Gaynor via dev-security-policy
I think there might be a bug in your SQL, one of the offending certs is issued by "C=US, O=U.S. Government, OU=Department of Homeland Security, OU=Certification Authorities, OU=DHS CA4", who are revoked using OneCRL. Alex On Wed, Jul 19, 2017 at 10:08 AM, Rob Stradling via dev-security-policy <

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-07-19 Thread Peter Gutmann via dev-security-policy
Hanno Böck via dev-security-policy writes: >More dotdot-certificates: Given how widespread (meaning from different CAs) these are, is there some quirk of a widely-used resolver library that allows them? I've done a bit of impromptu testing of various

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-07-19 Thread Rob Stradling via dev-security-policy
On 18/07/17 16:57, Hanno Böck via dev-security-policy wrote: (Due to limitations in the search methodology - scraping crt.sh search results and looping through tlds - I only searched for ..tld. It would certainly be valuable to search further.) Here's a report of all "double dot" certs known

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-07-19 Thread Nick Lamb via dev-security-policy
On Tuesday, 18 July 2017 20:29:50 UTC+1, Jeremy Rowley wrote: > Some of these certs are really old. Is there a reason people were using > double dot names? Are they all mistakes in the certificate request or is > there some logic behind them? Unless I see good evidence to the contrary I will

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-07-18 Thread Charles Reiss via dev-security-policy
On 07/18/2017 11:57 AM, Hanno Böck wrote: More dotdot-certificates: [snip] via searching censys.io: https://crt.sh/?id=174803642 for *..syntaxafrica.com Issued by GoDaddy in 2016; expires later this year, but revoked (CRL timestamp says a few days after issuance)

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-07-18 Thread Hanno Böck via dev-security-policy
On Tue, 18 Jul 2017 21:43:28 +0200 Hanno Böck via dev-security-policy wrote: > It has this commonname: > commonName= .guidedstudies.com > > Well... that's also not a valid hostname... And of course it's not the only one:

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-07-18 Thread Hanno Böck via dev-security-policy
On Tue, 18 Jul 2017 19:29:10 + Jeremy Rowley via dev-security-policy wrote: > Some of these certs are really old. Some of them are also not so old and still valid. All from GoDaddy: https://crt.sh/?id=22835635 https://crt.sh/?id=8216255 This one

RE: Certificate with invalid dnsName issued from Baltimore intermediate

2017-07-18 Thread Jeremy Rowley via dev-security-policy
@lists.mozilla.org] On Behalf Of Tom via dev-security-policy Sent: Tuesday, July 18, 2017 12:17 PM To: Hanno Böck <ha...@hboeck.de>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Certificate with invalid dnsName issued from Baltimore intermediate The "www..*" search is

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-07-18 Thread Tom via dev-security-policy
The "www..*" search is also interesting, I think: https://crt.sh/?dNSName=www..%25
crt.sh ID | Logged At | Not Before | Identity | Issuer Name
39744873 | 2016-10-02 | 2012-12-29 | www..coinfling.com |
38647998 | 2016-10-01 | 2011-03-24 |

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-07-18 Thread Hanno Böck via dev-security-policy
More dotdot-certificates: https://crt.sh/?id=34528113 for autodiscover.amphenolcanada..com Expired 2012 issued by Geotrust (aka symantec) https://crt.sh/?id=3478078 for PDC-LIB-WEB1.RBI1.rbi..in Expired 2016 issued by Institute for Development and Research in Banking Technology

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-07-18 Thread Ryan Sleevi via dev-security-policy
On Tue, Jul 18, 2017 at 8:05 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 17/07/2017 21:27, Nick Lamb wrote: > > On Monday, 17 July 2017 16:22:22 UTC+1, Ben Wilson wrote: > >> Thank you for bringing this to our attention. We have contacted Intesa >

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-07-17 Thread Jonathan Rudenberg via dev-security-policy
> On Jul 17, 2017, at 15:27, Nick Lamb via dev-security-policy > wrote: > > On Monday, 17 July 2017 16:22:22 UTC+1, Ben Wilson wrote: >> Thank you for bringing this to our attention. We have contacted Intesa >> Sanpaolo regarding this error and have

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-07-17 Thread Nick Lamb via dev-security-policy
On Monday, 17 July 2017 16:22:22 UTC+1, Ben Wilson wrote: > Thank you for bringing this to our attention. We have contacted Intesa > Sanpaolo regarding this error and have asked them to correct it as soon as > possible. "Correcting" the error is surely the smaller of the two tasks ahead.

RE: Certificate with invalid dnsName issued from Baltimore intermediate

2017-07-17 Thread Ben Wilson via dev-security-policy
-policy [mailto:dev-security-policy-bounces+ben=digicert@lists.mozilla.org] On Behalf Of Jonathan Rudenberg via dev-security-policy Sent: Monday, July 17, 2017 9:15 AM To: dev-security-policy@lists.mozilla.org Subject: Certificate with invalid dnsName issued from Baltimore intermediate

Certificate with invalid dnsName issued from Baltimore intermediate

2017-07-17 Thread Jonathan Rudenberg via dev-security-policy
This certificate, issued by “Intesa Sanpaolo CA Servizi Esterni Enhanced” which chains up to a Baltimore CyberTrust root, contains an invalid dnsName of “www.intesasanpaolovita..biz” (note the two dots):