Gist alex/aa8c31c05787c43936f30fbff1a406cf
Last active August 29, 2017 23:20
Hello all,

I'd like to report the following BR violations. These were all found in OCSP
responder certificates (thanks to Paul Kehrer for providing the raw data to
enable this).

While there were many violations, I'm highlighting just a few. Excluded
examples include: 'Illegal KeyUsage for RSA key' and my personal favorite,
incorrect encoding of OCSP NoCheck.

The ones here are either:

* SHA-1 with notBefore in 2017
* Server auth with no SAN
* and pathLenConstraint with CA:FALSE

I've CC'd the following affected CAs on this email: DigiCert, GlobalSign,
SECOM Trust Systems, Trustwave, WISeKey

Trustwave
C=US, ST=Illinois, L=Chicago, O="Trustwave Holdings, Inc.", CN="Trustwave Organization Validation CA, Level 2", [email protected]
https://crt.sh/?id=201187008&opt=cablint SHA-1

SECOM Trust Systems Co. Ltd.
C=JP, O=SECOM Trust.net, OU=Security Communication RootCA1
https://crt.sh/?id=201187019&opt=cablint SHA-1

SECOM Trust Systems Co. Ltd.
C=JP, O=INTEC INC., CN=EINS/PKI Public Certification Authority V2
https://crt.sh/?id=201260265&opt=cablint SHA-1

DigiCert
DC=com, DC=sanpaoloimi, DC=corp, CN=Intesa Sanpaolo CA Servizi Esterni
https://crt.sh/?id=201260285&opt=cablint SHA-1

WISeKey
C=CH, O=WISeKey, OU=Copyright 2011 WISeKey SA, OU=International, CN=WISeKey CertifyID Advanced Services CA 2
https://crt.sh/?id=201260286&opt=cablint SHA-1

DigiCert
C=NL, L=Amsterdam, O=Verizon Enterprise Solutions, OU=Cybertrust, CN=Verizon Public SureServer CA G14-SHA1
https://crt.sh/?id=201260309&opt=cablint SHA-1

DigiCert
C=NL, L=Amsterdam, O=Verizon Enterprise Solutions, OU=Cybertrust, CN=Verizon Public SureCodeSign CA G14-SHA1
https://crt.sh/?id=201260337&opt=cablint SHA-1

SECOM Trust Systems Co. Ltd.
C=JP, L=Academe, O=National Institute of Informatics, CN=NII Open Domain CA - G3
https://crt.sh/?id=201260369&opt=cablint SHA-1

SECOM Trust Systems Co. Ltd.
C=JP, O="SECOM Trust Systems CO.,LTD.", OU=Security Communication EV RootCA1
https://crt.sh/?id=201260426&opt=cablint SHA-1

SECOM Trust Systems Co. Ltd.
C=JP, O="SECOM Trust Systems CO.,LTD.", CN=SECOM Passport for Web EV CA
https://crt.sh/?id=201260429&opt=cablint SHA-1

GlobalSign
C=BE, O=GlobalSign nv-sa, CN=GlobalSign PersonalSign 2 CA - G2
https://crt.sh/?id=201260455&opt=cablint SHA-1

DigiCert
C=NL, L=Amsterdam, O=Verizon Enterprise Solutions, OU=Cybertrust, CN=Verizon Akamai SureServer CA G14-SHA1
https://crt.sh/?id=201260459&opt=cablint SHA-1

DigiCert
CN=Cartão de Cidadão 001, OU=ECEstado, O=SCEE - Sistema de Certificação Electrónica do Estado, C=PT
https://crt.sh/?id=201260500&opt=cablint SHA-1

DigiCert
C=PT, O=SCEE - Sistema de Certificação Electrónica do Estado, OU=ECEstado, CN=Cartão de Cidadão 002
https://crt.sh/?id=201260501&opt=cablint SHA-1

IdenTrust
C=US, O=Digital Signature Trust, OU=DST ACES, CN=DST ACES CA X6
https://crt.sh/?id=201192901&opt=cablint Server auth with no SAN

DigiCert
O="Cybertrust, Inc", CN=Cybertrust Global Root
https://crt.sh/?id=201186966&opt=cablint pathLenConstraint with CA:FALSE

Cheers,
Alex
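The three checks the report highlights (SHA-1 signature with a 2017 notBefore, serverAuth EKU without a SAN, pathLenConstraint alongside CA:FALSE), implemented as an added example that is not the reporter's code and not cablint's. It is a small DER walker over a certificate that the block itself constructs with a dummy key and signature: the OID constants hold raw DER content bytes, and build_cert, lint, the "OCSP Responder" subject and the BAD_CERT/GOOD_CERT samples are all assumptions made for this example. To lint a real certificate, pass lint the DER bytes downloaded from crt.sh instead of the constructed sample.

```python
# Added example, not the report's or cablint's own code: a minimal DER walker
# implementing the three checks named in the email. OIDs are kept as their raw
# DER content bytes so no OID codec is needed.

SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # sha1WithRSAEncryption
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption
RSA_ENC = bytes.fromhex("2a864886f70d010101")     # rsaEncryption
OID_CN = bytes.fromhex("550403")                  # id-at-commonName
OID_BC = bytes.fromhex("551d13")                  # basicConstraints
OID_SAN = bytes.fromhex("551d11")                 # subjectAltName
OID_EKU = bytes.fromhex("551d25")                 # extKeyUsage
SERVER_AUTH = bytes.fromhex("2b06010505070301")   # id-kp-serverAuth
OCSP_SIGNING = bytes.fromhex("2b06010505070309")  # id-kp-OCSPSigning


def tlv(tag, body):
    """Encode one DER TLV (definite lengths up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    if n < 0x100:
        return bytes([tag, 0x81, n]) + body
    return bytes([tag, 0x82, n >> 8, n & 0xFF]) + body

def seq(*items): return tlv(0x30, b"".join(items))
def oid(content): return tlv(0x06, content)

def parse_tlv(buf, pos=0):
    """Decode the TLV at pos; return (tag, body, offset just past it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """All (tag, body) pairs directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = parse_tlv(body, pos)
        out.append((tag, inner))
    return out

def build_cert(sig_oid, not_before, ekus, san_dns, ca, path_len):
    """Constructed sample certificate with a dummy key and signature (not verifiable)."""
    name = seq(tlv(0x31, seq(oid(OID_CN), tlv(0x13, b"OCSP Responder"))))
    validity = seq(tlv(0x17, not_before), tlv(0x17, b"281231235959Z"))
    spki = seq(seq(oid(RSA_ENC), tlv(0x05, b"")), tlv(0x03, b"\x00" + b"\x42" * 16))
    # BasicConstraints: cA is DEFAULT FALSE, so DER omits it when false.
    bc = seq((tlv(0x01, b"\xff") if ca else b"")
             + (tlv(0x02, bytes([path_len])) if path_len is not None else b""))
    exts = [seq(oid(OID_BC), tlv(0x01, b"\xff"), tlv(0x04, bc))]
    if ekus:
        exts.append(seq(oid(OID_EKU), tlv(0x04, seq(*[oid(e) for e in ekus]))))
    if san_dns:                            # dNSName is [2] IMPLICIT IA5String
        exts.append(seq(oid(OID_SAN), tlv(0x04, seq(tlv(0x82, san_dns)))))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x10\x01"), seq(oid(sig_oid)),
              name, validity, name, spki, tlv(0xA3, seq(*exts)))
    return seq(tbs, seq(oid(sig_oid)), tlv(0x03, b"\x00" * 33))

def lint(cert_der):
    """Return the findings, in the report's order, that apply to cert_der."""
    findings = []
    _, cert, _ = parse_tlv(cert_der)
    _, tbs, _ = parse_tlv(cert)
    fields = children(tbs)
    if fields[0][0] == 0xA0:               # explicit version [0] is optional
        fields = fields[1:]
    # fields: serial, signature, issuer, validity, subject, spki, [uniqueIDs], [3] exts
    sig_oid = children(fields[1][1])[0][1]
    nb_tag, nb = children(fields[3][1])[0]
    if nb_tag == 0x17:                     # UTCTime: YY >= 50 means 19YY (RFC 5280 4.1.2.5.1)
        year = int(nb[:2])
        year += 1900 if year >= 50 else 2000
    else:                                  # GeneralizedTime: YYYY...
        year = int(nb[:4])
    if sig_oid == SHA1_RSA and year >= 2017:
        findings.append("SHA-1 signature with notBefore in %d" % year)
    exts = {}
    for tag, body in fields[6:]:
        if tag == 0xA3:
            for _, ext in children(children(body)[0][1]):
                parts = children(ext)      # OID, optional critical BOOLEAN, OCTET STRING
                exts[parts[0][1]] = parts[-1][1]
    ekus = [b for _, b in children(parse_tlv(exts[OID_EKU])[1])] if OID_EKU in exts else []
    if SERVER_AUTH in ekus and OID_SAN not in exts:
        findings.append("serverAuth EKU without subjectAltName")
    if OID_BC in exts:
        bc = children(parse_tlv(exts[OID_BC])[1])
        is_ca = any(t == 0x01 and b != b"\x00" for t, b in bc)
        if any(t == 0x02 for t, _ in bc) and not is_ca:
            findings.append("pathLenConstraint present with CA:FALSE")
    return findings

# Constructed samples: one carrying all three violations, one clean OCSP responder cert.
BAD_CERT = build_cert(SHA1_RSA, b"170301000000Z", [SERVER_AUTH, OCSP_SIGNING], None, False, 0)
GOOD_CERT = build_cert(SHA256_RSA, b"170301000000Z", [OCSP_SIGNING], None, False, None)
```

lint(BAD_CERT) returns all three findings and lint(GOOD_CERT) returns none. The UTCTime pivot matters for the first check: a SHA-1 certificate with a 1999 notBefore must not trip it, and a certificate that uses GeneralizedTime is read from its four-digit year. The block deliberately covers only the three categories the email singles out; the ones it excludes (KeyUsage for RSA keys, the encoding of OCSP NoCheck) would need their own checks.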