
Tidying up broken/duplicate CCADB disclosures - SwissSign


Rob Stradling

Jan 4, 2017, 7:34:59 AM
to Kathleen Wilson, mozilla-dev-s...@lists.mozilla.org
Hi Kathleen. Happy New Year! This is the first of several messages
I've been meaning to get around to writing for a month or two...

There are a number of broken and/or duplicate intermediate certificate
disclosure records in the CCADB. It'd be really great if you could
investigate and look into taking appropriate action to tidy them up.


1. Summary: Corrupted certificate signatures - SwissSign
Description: https://crt.sh/mozilla-disclosures#unknown shows 4
disclosures for which the PEM certificate data is broken: the
certificate signatures are empty and the TBSCertificate.signature
algorithm OIDs are set to 0.0 !

Cross-checking certificate serial numbers and CCADB Certificate IDs
suggests that these 4 broken disclosures might be corrupted duplicates
of valid disclosures. The 4 broken records are:

a. CertName: Trend Micro Gold CA
Issuer: SwissSign Gold CA - G2
CCADB URL: https://mozillacacommunity.force.com/001o000000xNwKs

b. CertName: AffirmTrust Networking
Issuer: SwissSign Silver CA - G2
CCADB URL: https://mozillacacommunity.force.com/001o000000xNLig

c. CertName: DOUGLAS Group CA - G1
Issuer: SwissSign Silver CA - G2
CCADB URL: https://mozillacacommunity.force.com/001o000000xNPUS

d. CertName: Trend Micro Silver CA
Issuer: SwissSign Silver CA - G2
CCADB URL: https://mozillacacommunity.force.com/001o000000xNw2G

Can you explain why the CCADB allowed these records to be created? (I
would expect CCADB to check the signature on each submitted intermediate
cert!)

The notBefore/notAfter dates in some of these broken PEM certs don't
match the notBefore/notAfter dates in the valid disclosure records that
have the same CCADB Certificate IDs. I don't know if this is due to (a)
data entry error or if (b) SwissSign have (mis)issued intermediates with
duplicate serial numbers. (Hopefully it's (a) !)

The responses to the May 2014 CA Communication [1] led me to [2], but I
could not find any of the broken or valid certs there.


[1] https://docs.google.com/spreadsheets/d/1v-Lrxo6mYlyrEli_wSpLsHZvV5dJ_vvSzLTAMfxI5n8/pubhtml

[2] https://swisssign.net/cgi-bin/authority/download

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
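The check Rob asks about above (whether the CCADB verifies each submitted intermediate) starts with rejecting records that cannot be valid at all. This added example, not part of the original thread, uses a minimal pure-Python DER decoder to flag the two symptoms described: an empty signatureValue and a 0.0 signature algorithm OID, plus the RFC 5280 requirement that the inner and outer algorithm identifiers agree. The skeleton certificates it builds are constructed test data; cryptographic verification against the issuer's key is a further step not shown here.

```python
def der(tag, body):
    n = len(body)   # encode one DER TLV (short or two-byte long-form length)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + body

def der_children(value):
    """Split a DER SEQUENCE body into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, length, pos = value[pos], value[pos + 1], pos + 2
        if length & 0x80:                                      # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(value[pos:pos + n], "big"), pos + n
        out.append((tag, value[pos:pos + length]))
        pos += length
    return out

def decode_oid(value):
    """Dotted-decimal form of an OBJECT IDENTIFIER body; b'\\x00' decodes to '0.0'."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def check_certificate(der_cert):
    """Return the structural problems found; [] means the record is at least plausible."""
    tbs, sig_alg, sig_val = der_children(der_children(der_cert)[0][1])[:3]
    fields = der_children(tbs[1])
    fields = fields[1:] if fields[0][0] == 0xA0 else fields   # skip optional explicit [0] version
    inner = decode_oid(der_children(fields[1][1])[0][1])      # TBSCertificate.signature
    outer = decode_oid(der_children(sig_alg[1])[0][1])        # Certificate.signatureAlgorithm
    problems = []
    if "0.0" in (inner, outer):
        problems.append("signature algorithm OID is 0.0")
    if inner != outer:                                        # RFC 5280 requires these to match
        problems.append("TBSCertificate.signature %s != signatureAlgorithm %s" % (inner, outer))
    if len(sig_val[1]) <= 1:                                  # only the unused-bits byte is present
        problems.append("signatureValue is empty")
    return problems

def make_skeleton_cert(alg_oid, sig_bytes):
    """Constructed skeleton (v3, serial 42, signature fields only; other TBS fields omitted)."""
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x2a") + der(0x30, der(0x06, alg_oid)))
    return der(0x30, tbs + der(0x30, der(0x06, alg_oid)) + der(0x03, b"\x00" + sig_bytes))

SHA256_RSA = bytes.fromhex("2a864886f70d01010b")              # 1.2.840.113549.1.1.11
BROKEN = make_skeleton_cert(b"\x00", b"")                      # OID 0.0 and empty signature
PLAUSIBLE = make_skeleton_cert(SHA256_RSA, b"\xab" * 32)       # constructed, not a real signature
```

On a real DER intermediate, `check_certificate` reads only the leading TBSCertificate fields and the outer signature fields, so it can run as a pre-check before any PEM reaches a disclosure database.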