
P-521 Certificates


Corey Bonnell

Jan 7, 2019, 9:55:33 PM
to mozilla-dev-s...@lists.mozilla.org
(Posting in a personal capacity as I am no longer employed by Trustwave)

Mozilla Root Store Policy section 5.1 (https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/) prohibits the use of P-521 keys in root certificates included in the Mozilla trust store, as well as in any certificates chaining to these roots. This prohibition was made very clear in the discussion on this list in 2017 at https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/7O34-DmZeC8/fsKobHABAwAJ.

Below is a list of unexpired, unrevoked certificates which contain P-521 public keys (grouped by CA Owner and ordered by notBefore):

Sectigo

DigiCert

Asseco Data Systems S.A. (previously Unizeto Certum)
crt.sh URL, notBefore, notAfter, issuer CN
------------------------------------------
https://crt.sh/?id=983011607, 2018-11-28, 2019-11-28, Certum Organization Validation CA SHA2

These certificates are not mis-issuances in terms of the Baseline Requirements (the BRs allow P-521), but Mozilla Root Store Policy does clearly prohibit P-521, so I wanted to alert the Mozilla community to these certificates.

Thanks,
Corey
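
A check for the condition reported above, as an added example that is not part of the original post or of any CA's tooling: it walks a DER SubjectPublicKeyInfo, decodes the named-curve OID, and reports keys the BRs allow but Mozilla policy prohibits. The SPKI samples are constructed with dummy key bytes, and the allowed-curve sets (P-256 and P-384 for Mozilla, plus P-521 for the BRs) are assumptions; the thread itself only states the P-521 case.

```python
# Added example: classify the named curve in a DER SubjectPublicKeyInfo (SPKI).
EC_PUBLIC_KEY = "1.2.840.10045.2.1"
CURVES = {
    "1.2.840.10045.3.1.7": "P-256",
    "1.3.132.0.34": "P-384",
    "1.3.132.0.35": "P-521",
}
MOZILLA_ALLOWED = {"P-256", "P-384"}       # assumption, see lead-in
BR_ALLOWED = {"P-256", "P-384", "P-521"}   # assumption, see lead-in


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:end], end


def decode_oid(body):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) to dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]                        # first two arcs share one value
    head = (0, first) if first < 40 else (1, first - 40) if first < 80 else (2, first - 80)
    return ".".join(str(a) for a in (*head, *arcs[1:]))


def spki_curve(spki):
    """Return the curve name (or dotted OID if unknown); None for non-EC keys."""
    tag, body, end = read_tlv(spki, 0)
    if tag != 0x30 or end != len(spki):
        raise ValueError("not a SubjectPublicKeyInfo SEQUENCE")
    tag, alg, _ = read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, oid, pos = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("missing algorithm OID")
    if decode_oid(oid) != EC_PUBLIC_KEY:
        return None
    if pos >= len(alg):
        raise ValueError("missing EC parameters")
    tag, params, _ = read_tlv(alg, pos)
    if tag != 0x06:
        raise ValueError("EC parameters are not a namedCurve OID")
    dotted = decode_oid(params)
    return CURVES.get(dotted, dotted)


def lint_spki(spki):
    """Verdict on the subject key only; the issuer's key type plays no part."""
    curve = spki_curve(spki)
    if curve is None:
        return "not an EC key"
    if curve in MOZILLA_ALLOWED:
        return curve + ": allowed"
    if curve in BR_ALLOWED:
        return curve + ": allowed by the BRs, prohibited by Mozilla policy"
    return curve + ": not allowed"


def der(tag, body):
    """Encode one DER element (used only to build the constructed samples)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body


def sample_spki(alg_oid_hex, params, key_len):
    """Constructed SPKI; the key is zero bytes, not a real public key."""
    alg = der(0x30, der(0x06, bytes.fromhex(alg_oid_hex)) + params)
    return der(0x30, alg + der(0x03, b"\x00\x04" + bytes(key_len)))


P256_SPKI = sample_spki("2a8648ce3d0201", der(0x06, bytes.fromhex("2a8648ce3d030107")), 64)
P521_SPKI = sample_spki("2a8648ce3d0201", der(0x06, bytes.fromhex("2b81040023")), 132)
RSA_SPKI = sample_spki("2a864886f70d010101", b"\x05\x00", 64)

if __name__ == "__main__":
    for name, spki in (("p256", P256_SPKI), ("p521", P521_SPKI), ("rsa", RSA_SPKI)):
        print(name, "->", lint_spki(spki))
```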

Ryan Sleevi

Jan 8, 2019, 12:53:27 PM
to Corey Bonnell, mozilla-dev-security-policy
Thanks Corey for reporting these.

As you note, this policy came into force with Policy 2.4, which as noted
in https://wiki.mozilla.org/CA/Root_Store_Policy_Archive , had a compliance
date of February 28, 2017. This was also part of a CA Communications item -
https://ccadb-public.secure.force.com/mozillacommunications/CACommResponsesOnlyReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00022,Q00029

I've opened the following bugs, based on the CAs listed:
Sectigo: https://bugzilla.mozilla.org/show_bug.cgi?id=1518553
DigiCert: https://bugzilla.mozilla.org/show_bug.cgi?id=1518555
Asseco DS / Certum: https://bugzilla.mozilla.org/show_bug.cgi?id=1518560

Jonathan Rudenberg

Jan 8, 2019, 1:30:48 PM
to dev-secur...@lists.mozilla.org
On Mon, Jan 7, 2019, at 21:26, Corey Bonnell via dev-security-policy wrote:
> (Posting in a personal capacity as I am no longer employed by Trustwave)
>
> Mozilla Root Store Policy section 5.1
> (https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/)
> prohibits the use of P-521 keys in root certificates included in the
> Mozilla trust store, as well as in any certificates chaining to these
> roots. This prohibition was made very clear in the discussion on this
> list in 2017 at
> https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/7O34-DmZeC8/fsKobHABAwAJ.
>
> Below is a list of unexpired, unrevoked certificates which contain P-521
> public keys (grouped by CA Owner and ordered by notBefore):

I've created https://misissued.com/batch/43/ to track these.

Wayne Thayer

Jan 8, 2019, 3:12:26 PM
to MDSP
Thanks Corey, Ryan, and Jonathan.

In one of the bugs that Ryan created, the CA stated that it's not clear if
or when Mozilla requires revocation of these P-521 certificates. I believe
the answer is that we do not require revocation. Our policy (section 6)
explicitly requires CAs to abide by the BR revocation rules (section
4.9.1.1), but these certificates do not meet any of those requirements.

- Wayne

Jakob Bohm

Jan 8, 2019, 3:19:13 PM
to mozilla-dev-s...@lists.mozilla.org
Adding some data points for use by future readers of this thread.

On 08/01/2019 03:26, Corey Bonnell wrote:
> (Posting in a personal capacity as I am no longer employed by Trustwave)
>
> Mozilla Root Store Policy section 5.1 (https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/) prohibits the use of P-521 keys in root certificates included in the Mozilla trust store, as well as in any certificates chaining to these roots. This prohibition was made very clear in the discussion on this list in 2017 at https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/7O34-DmZeC8/fsKobHABAwAJ.
>

This is Message-Id
<mailman.277.1498571508.1...@lists.mozilla.org>
Dated 2017-Jun-27 with Subject "P-521" and starts an approximately 2
week long thread where arguments were made for and against reinstating
P-521. Arguments were weak on both sides, but the "keep banning P-521"
side was chosen at the end.

As noted by others, the ban was checked into draft policy on 2017-Feb-20
and took effect upon publication on 2017-Feb-28. There was no explicit
transition rule for existing certificates, thus certificates issued
before 2017-Feb-28 are presumably exempt until their normal expiry.
This one is a precertificate, the corresponding actual certificate is not listed
on crt.sh. As of a moment ago, the serial number was apparently not revoked.

The pre-certificate is marked with an EV OID apparently not trusted by Mozilla,
so an identical real certificate would presumably be treated as an ordinary OV
certificate by Firefox.

Thus it IS subject to Mozilla policy.

>
> These certificates are not mis-issuances in terms of the Baseline Requirements (the BRs allow P-521), but Mozilla Root Store Policy does clearly prohibit P-521, so I wanted to alert the Mozilla community to these certificates.
>

As this peculiar ban is Mozilla-specific, I guess it would be permitted
for such certificates to exist under a separate root from each CA,
untrusted by Mozilla, but trusted by some other browsers.



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

Jason

Jan 10, 2019, 10:41:51 AM
to mozilla-dev-s...@lists.mozilla.org
I would say that the problem here would be that a child certificate can't use a higher cryptography level than the issuer, this is against good practices and, AFAIK, against the Webtrust audit criteria.
Jason

Doug Beattie

Jan 10, 2019, 10:44:51 AM
to Jason, mozilla-dev-s...@lists.mozilla.org
Jason - where did you see this requirement?

jasonte...@gmail.com

Jan 10, 2019, 11:13:31 AM
to mozilla-dev-s...@lists.mozilla.org
Checking this again I see that I'm probably wrong about Webtrust... Looking at 4.1.3-b:

4.1.3
CA key generation generates keys that:
a) use a key generation algorithm as disclosed within the CA’s CP and/or CPS;
b) have a key length that is appropriate for the algorithm and for the validity period of the
CA certificate as disclosed in the CA’s CP and/or CPS. The public key length to be
certified by a CA is less than or equal to that of the CA’s private signing key; and
c) take into account requirements on parent and subordinate CA key sizes and have a key
size in accordance with the CA’s CP and/or CPS.

So this is about CA Keys... Although it is a bit weird that there's such a requirement for intermediate and not for leaf certificates...

Jakob Bohm

Jan 10, 2019, 12:37:07 PM
to mozilla-dev-s...@lists.mozilla.org
On 10/01/2019 15:38, Jason wrote:
> I would say that the problem here would be that a child certificate can't use a higher cryptography level than the issuer, this is against good practices and, AFAIK, against the Webtrust audit criteria.
> Jason
>

Note that the only one of all these certificates that I checked closely
was issued from a SubCA with an RSA key. Direct strength comparison
between RSA and EC keys is somewhat difficult and depends on
predictions of future key breaking technology, so for some people, the
CA key was stronger than that particular P-521 EC key. (Not that this
is a requirement, see other replies).

Peter Gutmann

Jan 11, 2019, 7:05:07 AM
to mozilla-dev-s...@lists.mozilla.org, Jason
Jason via dev-security-policy <dev-secur...@lists.mozilla.org> writes:

>I would say that the problem here would be that a child certificate can't use
>a higher cryptography level than the issuer

Why not? If the issuer uses strong-enough crypto, what difference does it
make what the child uses?

Peter.

Jakob Bohm

Jan 11, 2019, 8:29:24 AM
to mozilla-dev-s...@lists.mozilla.org
Really? If the CA key is weaker than the child key, an attacker can
break the CA key and sign a fake certificate with less effort than
breaking the child key directly (for modern crypto that "easier" is
the difference between degrees of resistance to future cryptanalytic
attacks, thus often involving some guesswork).

This obviously is less effective for encryption public keys than
signature public keys, as faking a new certificate doesn't provide
access to data encrypted to the real certificate. It is also ineffective
if the certificate is checked against additional criteria than the CA
signatures, such as a strong Merkle hash tree or non-cryptographic proof
of the certificate contents.

Thus signing stronger child keys from weaker CA keys is often allowed
as a transition mechanism when a trusted root with strength n has been
widely distributed, yet there is a desire to introduce new keys with
strength m > n.

The typical way (at least in the past) is for the strength n CA key to
cross sign a strength m CA key, which is also made available as its
own root cert for future deployment, thus eventually removing the
reliance on the strength n key to validate the strength m keys.

This was seen a lot during the long transition from RSA-SHA1 to
RSA-SHA256, and some CAs may wish to prepare early for future
transitions from RSA-SHA256 and ECDSA-SHA256 to stronger algorithms.

Similarly, some users obtained end certificates based on 2048 bit RSA
back when 1024 bit RSA was the norm. Similarly situated users today
may wish to get ECDSA-P-521 or EdDSA-488 keys at a time when half as
long keys are the norm. While getting such certificates from a weaker
CA is obviously vulnerable to future attacks on the CA key, at least
this provides a safety margin where the mitigations mentioned above
are likely to be available.

Peter Gutmann

Jan 11, 2019, 8:50:23 AM
to mozilla-dev-s...@lists.mozilla.org, Jakob Bohm
Jakob Bohm via dev-security-policy <dev-secur...@lists.mozilla.org> writes:

>On 11/01/2019 13:04, Peter Gutmann wrote:

>Really? If the CA key is weaker than the child key, an attacker can break
>the CA key and sign a fake certificate with less effort than breaking the
>child key directly

You've apparently missed the fact that I said "strong-enough crypto". The
attacker can't break either the issuer key or the child key, no matter how
much stronger the child key may be than the issuer.

Peter.

Corey Bonnell

Jul 19, 2019, 1:43:48 PM
to mozilla-dev-s...@lists.mozilla.org
I’d like to follow up on this discussion with a list of another 63 unique, valid Sectigo-issued P-521 SPKI certificates that have been issued since I reported the first batch back in January. According to Sectigo [1], a patch was deployed on January 8th to prevent issuance of certificates with P-521 SPKIs, but there must have been a problem with the deployment or a regression was introduced, as all these certificates have a notBefore date of several weeks after January 8th:

Sectigo
"https://crt.sh/?id=1381130450 (precert); https://crt.sh/?id=1381130526 (final)", 2019-04-13, 2021-04-12, www.worselis.com, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1381124399 (precert); https://crt.sh/?id=1381123749 (final)", 2019-04-13, 2021-04-12, www.worselis.com, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1388867840 (precert); https://crt.sh/?id=1388867614 (final)", 2019-04-16, 2019-10-02, tombu.biz, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1388887321 (precert); https://crt.sh/?id=1388887663 (final)", 2019-04-16, 2019-10-02, tombu.biz, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1393506782 (precert); https://crt.sh/?id=1393508121 (final)", 2019-04-17, 2020-06-15, *.mgid.com, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1410457003 (precert); https://crt.sh/?id=1410457527 (final)", 2019-04-22, 2020-04-21, forlorn.uoregon.edu, "InCommon RSA Server CA"
"https://crt.sh/?id=1414114703 (precert); https://crt.sh/?id=1414115661 (final)", 2019-04-24, 2021-04-23, firewall.chickenfriedbacon.com, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1434701068 (precert); https://crt.sh/?id=1434701046 (final)", 2019-05-01, 2021-05-15, *.kerner.fr, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1436840840 (precert); https://crt.sh/?id=1436852440 (final)", 2019-05-02, 2021-05-01, mon1.int.gns.ovh.net, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1436072362 (precert); https://crt.sh/?id=1436074225 (final)", 2019-05-02, 2020-05-01, is-wec2.ad.uoregon.edu, "InCommon RSA Server CA"
"https://crt.sh/?id=1437643846 (precert); https://crt.sh/?id=1437641121 (final)", 2019-05-02, 2021-05-01, sslvpn.rosenhotels.com, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1437648867 (precert); https://crt.sh/?id=1437648968 (final)", 2019-05-02, 2020-05-01, is-wec2.ad.uoregon.edu, "InCommon RSA Server CA"
"https://crt.sh/?id=1439807169 (precert); https://crt.sh/?id=1439808054 (final)", 2019-05-03, 2019-08-01, cfwww.ausunny.org, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1444671300 (precert); https://crt.sh/?id=1444671337 (final)", 2019-05-06, 2020-05-05, is-camper.ad.uoregon.edu, "InCommon RSA Server CA"
"https://crt.sh/?id=1459393199 (precert); https://crt.sh/?id=1459393360 (final)", 2019-05-11, 2020-05-10, cryptostorm.ch, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1482259813 (precert); https://crt.sh/?id=1482259871 (final)", 2019-05-17, 2020-05-16, is-obgw-test1.ad.uoregon.edu, "InCommon RSA Server CA"
"https://crt.sh/?id=1502005938 (precert); https://crt.sh/?id=1502005820 (final)", 2019-05-23, 2020-08-14, testwebservice.performancedirect.co.uk, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1505411256 (precert); https://crt.sh/?id=1505411385 (final)", 2019-05-24, 2021-06-07, webdev.netmanagement.net, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1519285579 (precert); https://crt.sh/?id=1519285637 (final)", 2019-05-28, 2020-07-30, shop.pier28.com, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1522057120 (precert); https://crt.sh/?id=1522056056 (final)", 2019-05-29, 2021-05-28, caojiefeng.com, "TrustOcean SSL CA - ECC - 2018"
"https://crt.sh/?id=1541037665 (precert); https://crt.sh/?id=1541037327 (final)", 2019-06-04, 2021-06-03, bi44.business.unc.edu, "InCommon ECC Server CA"
"https://crt.sh/?id=1552447969 (precert); https://crt.sh/?id=1552449107 (final)", 2019-06-07, 2020-06-06, testing.ecc.p521.fisglobal.com, "Sectigo ECC Organization Validation Secure Server CA"
"https://crt.sh/?id=1565405135 (precert); https://crt.sh/?id=1565406167 (final)", 2019-06-11, 2019-11-05, readsingcry.com, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1572486672 (precert); https://crt.sh/?id=1572486913 (final)", 2019-06-13, 2021-06-12, sga.vc, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1575955817 (precert); https://crt.sh/?id=1575955838 (final)", 2019-06-14, 2020-06-13, auth0-emea.com, "GoGetSSL ECC DV CA"
"https://crt.sh/?id=1584146347 (precert); https://crt.sh/?id=1584146464 (final)", 2019-06-16, 2021-06-15, ldaps.azure.goodeast.com, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1592686468 (precert); https://crt.sh/?id=1592686459 (final)", 2019-06-19, 2019-09-17, multi-vpn.biz, "GoGetSSL ECC DV CA"
"https://crt.sh/?id=1592751184 (precert); https://crt.sh/?id=1592751748 (final)", 2019-06-19, 2019-09-17, multi-vpn.biz, "GoGetSSL ECC DV CA"
"https://crt.sh/?id=1595507138 (precert); https://crt.sh/?id=1595507410 (final)", 2019-06-20, 2020-06-20, staging.fundermaps.com, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1599162443 (precert); https://crt.sh/?id=1599162930 (final)", 2019-06-21, 2020-06-21, braynz.neuromarketingonline.nl, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1612604628 (precert); https://crt.sh/?id=1612604678 (final)", 2019-06-25, 2020-06-24, rbl.net, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1611769555 (precert); https://crt.sh/?id=1611769818 (final)", 2019-06-25, 2021-06-24, *.iris.darktrace.com, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1617907696 (precert); https://crt.sh/?id=1618009379 (final)", 2019-06-28, 2021-06-27, ngv01.acma.gov.au, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1632091441 (precert); https://crt.sh/?id=1632092971 (final)", 2019-07-02, 2020-07-01, *.070219010722711.vfidev.com, "COMODO ECC Organization Validation Secure Server CA"
"https://crt.sh/?id=1645553653 (precert); https://crt.sh/?id=1645553835 (final)", 2019-07-06, 2020-07-05, *.xtcare.net, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1652685175 (precert); https://crt.sh/?id=1652685481 (final)", 2019-07-09, 2020-10-06, www.autohaus-roell.de, "Sectigo ECC Domain Validation Secure Server CA"
"https://crt.sh/?id=1675123495 (precert); https://crt.sh/?id=1675123804 (final)", 2019-07-16, 2020-07-15, is-obgw-prod1.ad.uoregon.edu, "InCommon RSA Server CA"

Thanks,
Corey

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1518553#c3