On 03/19/2015 01:01 PM, Peter Bowen wrote:
> On Wed, Mar 18, 2015 at 12:40 PM, Kathleen Wilson <kwi...@mozilla.com> wrote:
>> I propose removing the following root cert from NSS, due to inadequate audit
>> statements.
>>
>> Issuer:
>> CN = e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi
>> O = Elektronik Bilgi Guvenligi A.S.
>> C = TR
>
> In the Pilot CT log, which includes every certificate that the Google
> crawler has seen, I found 19 unexpired certificates issued by this CA.
> Their subjects are as follows (using the default OpenSSL DN to string
> method):
...
> Subject: C=TR, ST=Dazk\xC4\xB1r\xC4\xB1, L=Afyon,
> O=Dazk\xC4\xB1r\xC4\xB1, OU=Dazk\xC4\xB1r\xC4\xB1 Belediyesi,
> CN=online.dazkiri.bel.tr
More on this certificate (reproduced as PEM following the rest of this
message):
* it has no subject alternative name extension
* the OCSP responder returns "unknown" as its status
* it has a 1024-bit RSA key
Looking at another certificate (Subject: C=TR, ST=Istanbul, L=Istanbul,
O=Eczacibasi Bilisim San. ve Tic. A.S., OU=Altyapi ve Teknoloji
Hizmetleri, CN=*.ebi.com.tr/emailAddress=in...@ebi.com.tr):
* it also has no subject alternative name extension
* the OCSP responder also returns "unknown" as its status
* it was signed with sha1WithRSAEncryption despite expiring after 1
January 2017
...
> Given this ratio, I find it very hard to believe that they would be
> able to receive an audit report without qualifications that Mozilla
> would deem unacceptable.
Maybe I'm misinterpreting what you're saying, but did you mean
"acceptable" here?
Cheers,
David
PEM for CN=online.dazkiri.bel.tr:
PEM for CN=*.ebi.com.tr:
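The static properties reported in the message above (missing subject alternative name, 1024-bit RSA key, SHA-1 signature on a certificate expiring after 1 January 2017) can be checked from the text that `openssl x509 -noout -text` prints. The following is an added example, not part of the original message; the OCSP status check is not covered because it needs a live responder. The sample dump is constructed, and the function name, finding codes and the 2048-bit minimum are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample of `openssl x509 -noout -text` output. It is not one of
# the certificates from the message; names and dates are placeholders.
SAMPLE_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=XX, O=Example CA, CN=Example Root
        Validity
            Not Before: Mar 10 12:00:00 2015 GMT
            Not After : Mar 10 12:00:00 2018 GMT
        Subject: C=XX, O=Example Org, CN=www.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
    Signature Algorithm: sha1WithRSAEncryption
"""

MIN_RSA_BITS = 2048                 # assumption: minimum acceptable RSA size
SHA1_CUTOFF = datetime(2017, 1, 1)  # cutoff date named in the message


def lint_cert_text(text):
    """Return a sorted list of finding codes for one certificate text dump."""
    findings = []
    # 1. The SAN extension header is absent from the extensions section.
    if "X509v3 Subject Alternative Name" not in text:
        findings.append("no-san")
    # 2. RSA modulus size; OpenSSL 1.1.x prints "RSA Public-Key", 3.x "Public-Key".
    key = re.search(
        r"Public Key Algorithm: rsaEncryption\s+(?:RSA )?Public-Key: \((\d+) bit\)", text)
    if key and int(key.group(1)) < MIN_RSA_BITS:
        findings.append("weak-rsa-key")
    # 3. SHA-1 signature combined with a notAfter date past the cutoff.
    sig = re.search(r"Signature Algorithm: (\S+)", text)
    end = re.search(r"Not After\s*: (.+?) GMT", text)
    if sig and end and "sha1" in sig.group(1).lower():
        not_after = datetime.strptime(end.group(1).strip(), "%b %d %H:%M:%S %Y")
        if not_after > SHA1_CUTOFF:
            findings.append("sha1-past-cutoff")
    return sorted(findings)


if __name__ == "__main__":
    print(lint_cert_text(SAMPLE_TEXT))
```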