
Reply: Certificate Problem Report (9WG: CFCA certificate with invalid domain)


孙圣男

Feb 28, 2019, 10:57:04 PM
to mozilla-dev-s...@lists.mozilla.org, r...@cfca.com.cn
Dear Mozilla:
This problem has been confirmed. We contacted the customer and
confirmed that this certificate has not been deployed to a production system, so no
damage was caused. This certificate was revoked on March 1, 2019. We
fixed this bug in the February 27 update.

Best wishes!

Jonathan Sun
Certificate Product Manager
International Cooperation Group
Tel: +86 010 80864127


-----Original Message-----
From: Buschart, Rufus <rufus.b...@siemens.com>
Sent: February 28, 2019 19:00
To: r...@cfca.com.cn
Subject: Certificate Problem Report (9WG: CFCA certificate with invalid domain)

Dear PKI team at CFCA!

There is a misissued certificate
https://crt.sh/?id=1231965201&opt=cablint,x509lint,zlin from your CA which
is not revoked yet. I think you should have a look.


With best regards,
Rufus Buschart

Siemens AG
Information Technology
Human Resources
PKI / Trustcenter
GS IT HR 7 4
Hugo-Junkers-Str. 9
90411 Nuernberg, Germany
Tel.: +49 1522 2894134
mailto:rufus.b...@siemens.com

> -----Original Message-----
> From: dev-security-policy
> <dev-security-...@lists.mozilla.org> on behalf of
> michel.lebihan2000--- via dev-security-policy
> Sent: Wednesday, 27 February 2019 08:54
> To: mozilla-dev-s...@lists.mozilla.org
> Subject: CFCA certificate with invalid domain
>
> Hello,
>
> I noticed this certificate
> https://crt.sh/?id=1231965201&opt=cablint,x509lint,zlint that has an
> invalid domain `mail.xinhua08.con` in SANs. This looks like a typo and
> `mail.xinhua08.com` is present in other certificates. Such an issue makes me
> wonder about the quality of their validation.
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy

Paul Kehrer

Feb 28, 2019, 11:23:08 PM
to mozilla-dev-s...@lists.mozilla.org
Hi Jonathan,

When something like this occurs the Mozilla community asks for an incident
report explaining how the incident occurred, what was done to remediate it,
and what procedures and technical controls have been put in place to
prevent a future recurrence of the problem. You can see documentation about
that here: https://wiki.mozilla.org/CA/Responding_To_An_Incident

I am very interested in knowing how your registration authority
infrastructure allowed an invalid (and unaudited) SAN to be issued.

(Note that I am not a Mozilla representative, merely a member of the
community who has seen many incident reports)

-Paul

On March 1, 2019 at 11:57:05 AM, 孙圣男 via dev-security-policy (
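
The typo'd top-level label `con` in the SAN reported above is exactly what a CA's pre-issuance lint should reject before anything is signed. What follows is an added example for this thread, not CFCA's registration-authority code and not cablint, x509lint or zlint; it shows one way such a check can work: every dNSName is split into labels, each label is checked against RFC 1123 hostname syntax, and the rightmost label is checked against a TLD list, with near-misses reported so an operator sees "con, did you mean com?" instead of a bare failure. The `KNOWN_TLDS` set is a constructed excerpt (a real RA would load the full, current IANA root-zone list); the SAN values come from the thread; the function names `lint_dns_name`, `lint_sans` and `suggest_tld` are my own.

```python
"""Pre-issuance SAN linter for dNSName entries (added example, not a CA's code)."""
import difflib
import re

# Constructed excerpt of delegated TLDs. Assumption: production code would load
# the complete list from https://data.iana.org/TLD/tlds-alpha-by-domain.txt
# (or a Public Suffix List snapshot) at startup and refresh it regularly.
KNOWN_TLDS = {"com", "net", "org", "cn", "de", "info", "xn--fiqs8s"}

# RFC 1123 hostname label: 1-63 chars, letters/digits/hyphen, no leading or
# trailing hyphen. Names are lower-cased before matching.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def suggest_tld(tld, known_tlds=KNOWN_TLDS):
    """Return known TLDs that are close to `tld`, to surface likely typos."""
    return difflib.get_close_matches(tld, sorted(known_tlds), n=3, cutoff=0.6)


def lint_dns_name(name, known_tlds=KNOWN_TLDS):
    """Lint one SAN dNSName. Returns a list of problems; an empty list means OK."""
    problems = []
    host = name.lower().rstrip(".")
    if len(host) > 253:
        problems.append("FQDN exceeds 253 octets")

    labels = host.split(".")
    # A wildcard is only tolerated as the entire leftmost label; the remaining
    # labels are checked like any other hostname.
    if labels and labels[0] == "*":
        labels = labels[1:]

    if len(labels) < 2:
        problems.append("name has no registrable domain (single label)")
        return problems

    for label in labels:
        if not LABEL_RE.match(label):
            problems.append(f"invalid label {label!r}")

    tld = labels[-1]
    if tld not in known_tlds:
        hint = suggest_tld(tld, known_tlds)
        msg = f"unknown TLD {tld!r}"
        if hint:
            msg += f" (did you mean: {', '.join(hint)}?)"
        problems.append(msg)
    return problems


def lint_sans(sans, known_tlds=KNOWN_TLDS):
    """Lint a list of dNSName SANs; return {name: problems} for names that fail.

    An RA would call this on the CSR's requested names and refuse issuance if
    the result is non-empty, before any domain-validation step is attempted.
    """
    failures = {}
    for san in sans:
        problems = lint_dns_name(san, known_tlds)
        if problems:
            failures[san] = problems
    return failures


if __name__ == "__main__":
    # Constructed request mirroring the SANs discussed in the thread.
    requested = ["mail.xinhua08.com", "mail.xinhua08.con"]
    for san, probs in lint_sans(requested).items():
        print(f"REJECT {san}: {'; '.join(probs)}")
```

Note that a syntactic TLD check is only the first gate: it stops `.con` from ever reaching domain validation, but a name whose TLD is valid still has to pass the Baseline Requirements' domain-control validation before issuance.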

David E. Ross

Mar 1, 2019, 3:55:43 PM
to mozilla-dev-s...@lists.mozilla.org
This message indicates one certificate was revoked. However, the
message originally reporting any problem indicated that more than one
certificate was affected. Please describe how many certificates were
actually affected. If indeed more than one was affected, explain why
only one was revoked.

Wayne Thayer

Mar 4, 2019, 4:11:19 PM
to mozilla-dev-security-policy
I've created https://bugzilla.mozilla.org/show_bug.cgi?id=1532429 to track
this incident.

On Fri, Mar 1, 2019 at 1:55 PM David E. Ross via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:

> On 2/28/2019 7:45 PM, 孙圣男 wrote:
> This message indicates one certificate was revoked. However, the
> message originally reporting any problem indicated that more than one
> certificate was affected. Please describe how many certificates were
> actually affected. If indeed more than one was affected, explain why
> only one was revoked.