Hello Kathleen,
we revoked all SHA-1 certificates issued this year:
00a5401e9bafb23523 (Tuesday, February 2, 2016, 11:35:53)
009d79636c84ece62a (Tuesday, February 2, 2016, 11:37:25)
008e6c17cd66006c11 (Tuesday, February 2, 2016, 11:38:45)
2318da5c1485012e (Friday, January 29, 2016, 12:37:36)
6dfb9ccc0c5333c6 (Friday, January 29, 2016, 15:10:30)
7d5e244530e38c13 (Friday, January 29, 2016, 13:54:00)
00bdcda1e1e9b358e8 (Friday, January 29, 2016, 13:55:09)
008ab83981f725ff48 (Friday, January 29, 2016, 13:57:51)
The corresponding CRL:
http://crl.sbca.telesec.de/rl/Shared_Business_CA_3.crl
Best regards,
Bernd
T-Systems International GmbH
Trust Center Applications
-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+bernd.nakonzer=t-syst...@lists.mozilla.org] On behalf of Kathleen Wilson
Sent: Friday, January 29, 2016 22:44
To: mozilla-dev-s...@lists.mozilla.org
Subject: Re: SHA1 certs issued this year chaining to included roots
On 1/25/16 12:22 AM, Charles Reiss wrote:
> On 01/19/16 01:49, Charles Reiss wrote:
>> Via censys.io, I found a couple SHA-1 certs with notBefore dates from
>> this year which chain to root CAs in Mozilla's program:
> [snip]
>
> And here are a couple more, from different subCAs:
>
> - https://crt.sh/?id=12131821 -- chaining to Deutsche Telekom Root CA
> 2 [T-Systems] via subCA "Shared Business CA 3"
>
I received email from Bernd of T-Systems saying that from 1 January 2016, 8 SHA‐1 subscriber certificates (SSL) were issued via sub-CA "Shared Business CA 3" (chaining to “Deutsche Telekom Root CA 2”) – because of converging use cases. Other T-Systems CAs were not affected.
The problem has been fixed, so SHA-1 certs can no longer be issued.
The 8 certs will be revoked on February 5 and the corresponding CRL will be updated/published.
Thanks,
Kathleen