Question about a random certificate I've found on CT

Amir Omidi (aaomidi)

Apr 21, 2024, 6:11:13 PM
to dev-secur...@mozilla.org
I came across an interesting certificate today: https://crt.sh/?id=2385087905

According to Censys, this certificate is publicly trusted in one of the major root programs.

This certificate has a very long lifetime, and just seems to be weird in a lot of ways. Are these types of certificates okay to issue from publicly trusted roots/intermediates?

It does seem that the issuer has been revoked on Mozilla per crt: https://crt.sh/?caid=74630

Matt Palmer

Apr 21, 2024, 8:48:31 PM
to dev-secur...@mozilla.org
On Sun, Apr 21, 2024 at 03:11:13PM -0700, 'Amir Omidi (aaomidi)' via dev-secur...@mozilla.org wrote:
> I came across an interesting certificate today:
> https://crt.sh/?id=2385087905
>
> According to Censys, this certificate is publicly trusted in one of the major
> root programs.
>
> This certificate has a very long lifetime, and just seems to be *weird* in
> a lot of ways. Are these types of certificates okay to issue from
> publicly trusted roots/intermediates?

It *may* fall under the "this isn't a server certificate" exception, and
given that it was seemingly issued in 2017 (although it may have been issued
in 2020 and backdated, based on the SCT), many of the current rules around what
constitutes "valid for server authentication" may not apply in any case.

> It does seem that the issuer has been revoked on Mozilla per crt:
> https://crt.sh/?caid=74630

Well, in that case, there's not much that Mozilla could do anyway.

- Matt

David Adrian

Apr 22, 2024, 7:05:25 AM
to Matt Palmer, dev-secur...@mozilla.org
Censys validation is in general very loose in terms of what chains it will accept. It uses the verifier in ZCrypto (same as ZLint), and mostly only checks names and signatures.

--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/231e6ab3-f260-4056-b5e8-0be3e8fd0572%40mtasv.net.
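The difference between the two messages above is the difference between chain verification and policy linting: a verifier that only checks names and signatures will accept a certificate that a root program's rules would not. The example below is added here and is not code from the thread, from Censys, or from ZCrypto/ZLint. It uses Go's standard crypto/x509 (the same library family ZCrypto is forked from) to build a constructed self-signed certificate with the shape Amir describes (20-year validity, no serverAuth EKU), runs Go's verifier once in a loose mode and once in its default serverAuth mode, and then applies the three policy observations Matt raised: validity period length, the "this isn't a server certificate" EKU question, and an SCT timestamp that lands long after notBefore. The SCT timestamp, the 398-day limit, the seven-day backdating tolerance and the `demo.example` name are assumptions chosen for illustration; the crt.sh certificate itself is not embedded.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewDemoCert builds a constructed, self-signed certificate with the shape the
// thread describes: a 20-year validity period and an EKU without serverAuth.
func NewDemoCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "demo.example"}, // constructed name
		DNSNames:     []string{"demo.example"},
		NotBefore:    time.Date(2017, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:     time.Date(2037, 1, 1, 0, 0, 0, 0, time.UTC),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifySelfSigned runs Go's chain verifier with the certificate as its own
// trust anchor. ekus == nil makes Go require serverAuth (its default);
// ExtKeyUsageAny approximates a verifier that checks only names and signatures.
func VerifySelfSigned(cert *x509.Certificate, hostname string, ekus []x509.ExtKeyUsage, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     hostname,
		CurrentTime: at,
		KeyUsages:   ekus,
	})
	return err
}

// InspectCert reports the policy observations a name-and-signature verifier
// never makes: validity period length, absence of serverAuth, and an SCT
// timestamp far past notBefore (a hint the certificate was backdated).
// A zero sctTime skips the backdating check.
func InspectCert(cert *x509.Certificate, sctTime time.Time, maxLifetimeDays int, backdateTolerance time.Duration) []string {
	var findings []string

	days := int(cert.NotAfter.Sub(cert.NotBefore).Hours() / 24)
	if days > maxLifetimeDays {
		findings = append(findings, fmt.Sprintf("validity period is %d days, over the %d-day limit", days, maxLifetimeDays))
	}

	// An absent EKU extension is unrestricted per RFC 5280, so only an
	// explicit list that lacks serverAuth (and anyExtendedKeyUsage) is flagged.
	serverAuth := len(cert.ExtKeyUsage) == 0
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth || eku == x509.ExtKeyUsageAny {
			serverAuth = true
		}
	}
	if !serverAuth {
		findings = append(findings, "no serverAuth EKU: not a TLS server certificate, so server-certificate rules may not apply")
	}

	if !sctTime.IsZero() && sctTime.Sub(cert.NotBefore) > backdateTolerance {
		lag := int(sctTime.Sub(cert.NotBefore).Hours() / 24)
		findings = append(findings, fmt.Sprintf("SCT timestamp is %d days after notBefore: possible backdating", lag))
	}
	return findings
}

func main() {
	cert, err := NewDemoCert()
	if err != nil {
		panic(err)
	}
	now := time.Date(2024, 4, 21, 0, 0, 0, 0, time.UTC)
	sct := time.Date(2020, 6, 1, 0, 0, 0, 0, time.UTC) // constructed SCT timestamp
	fmt.Println("loose verify (any EKU):   ", VerifySelfSigned(cert, "demo.example", []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, now))
	fmt.Println("strict verify (serverAuth):", VerifySelfSigned(cert, "demo.example", nil, now))
	for _, f := range InspectCert(cert, sct, 398, 7*24*time.Hour) {
		fmt.Println("finding:", f)
	}
}
```

The loose verification succeeds while the serverAuth verification fails with an incompatible-usage error, and the inspection returns all three findings; which of those findings actually matter depends on when the certificate was issued and which rules were in force then, which is exactly the point Matt makes.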

Amir Omidi

Apr 22, 2024, 12:25:10 PM
to David Adrian, Matt Palmer, dev-secur...@mozilla.org
Thanks all!
