Bug 1029884 (Closed): StartCom: duplicate serial numbers
Opened 11 years ago
Closed 8 years ago
Categories: CA Program :: CA Certificate Root Program, task
Tracking: Not tracked
Status: RESOLVED WONTFIX
People: Reporter: kurt, Assigned: eddy_nigg
Whiteboard: BR Compliance
I have about 30 cases of certificates from StartCom where the same serial number is used for multiple certificates.
Updated•11 years ago
Reporter
Comment 1•11 years ago
Hi Eddy.
It's been a month since I reported this and I didn't get any feedback from you yet. I find this to be a very serious issue and hope to hear from you soon.
Kurt
Assignee
Comment 2•11 years ago
Hi Kurt,
Can you provide the list of the certificates you found?
Updated•11 years ago
Flags: needinfo?(kurt)
Reporter
Comment 3•11 years ago
I provided this information off the bug some time ago already.
Flags: needinfo?(kurt)
Comment 4•11 years ago
Thanks, Kurt. Eddy - what news?
Gerv
Almost three months after the CA has been made aware of this issue, I think it's about time to at least publicly confirm this BR violation (Kurt didn't make it up, definitely, and I agree with his assessment in comment 1). So here's an example from May 2014:
Certificate 1 (PEM body omitted), configured at stats.imirhil.fr:443 right now.
Certificate 2 (PEM body omitted), configured at quotemeta.org:443 right now.
And serial number 0x109fc3 from the "StartCom Class 1 Primary Intermediate Server CA" is currently unrevoked (OCSP response omitted).
Status: UNCONFIRMED → NEW
Ever confirmed: true
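As an added illustration (not code from the bug report, from Mozilla or from StartCom), a stdlib-only Python check that groups PEM certificates by (issuer, serial) and reports every pair issued more than once, the condition the thread describes; it reads only the leading TBSCertificate fields and does not verify signatures. The sample certificates are constructed skeletons with the serial from comment 5, not real StartCom certificates, and the hostnames are placeholders.

```python
import base64
from collections import defaultdict
def _read_tlv(buf, pos):
    """Read one DER TLV starting at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_and_serial(der):
    """Return (issuer Name as raw DER, serial as int) from a DER X.509 certificate."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, tbs, _ = _read_tlv(cert, 0)          # TBSCertificate ::= SEQUENCE
    pos = _read_tlv(tbs, 0)[2] if tbs[0] == 0xA0 else 0   # skip optional [0] version
    tag, serial, pos = _read_tlv(tbs, pos)  # CertificateSerialNumber ::= INTEGER
    assert tag == 0x02, "expected INTEGER serialNumber"
    _, _, pos = _read_tlv(tbs, pos)         # signature AlgorithmIdentifier
    _, issuer, _ = _read_tlv(tbs, pos)      # issuer Name, compared byte-for-byte
    return issuer, int.from_bytes(serial, "big", signed=True)

def find_duplicate_serials(pems):
    """{label: PEM} -> {(issuer, serial): [labels]} for every pair used more than once."""
    groups = defaultdict(list)
    for label, pem in pems.items():
        body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
        groups[issuer_and_serial(base64.b64decode(body))].append(label)
    return {key: labels for key, labels in groups.items() if len(labels) > 1}

def _der(tag, content):                     # tiny DER encoder, only for the samples below
    n = len(content)
    head = bytes([n]) if n < 0x80 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + head + content

def sample_cert(serial, issuer_cn, subject_cn):
    """Constructed skeleton cert (not a real StartCom cert): version, serial, sigalg, names."""
    def name(cn):                           # Name ::= SEQUENCE { SET { SEQUENCE { id-at-commonName, UTF8String } } }
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial.to_bytes(3, "big"))
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
           + name(issuer_cn) + name(subject_cn))
    b64 = base64.b64encode(_der(0x30, _der(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

ISSUER = "StartCom Class 1 Primary Intermediate Server CA"
SAMPLE = {                                  # constructed input: two leaves share serial 0x109fc3
    "stats": sample_cert(0x109FC3, ISSUER, "stats.example"),
    "quote": sample_cert(0x109FC3, ISSUER, "quote.example"),
    "other": sample_cert(0x109FC4, ISSUER, "other.example"),
}
```

Run `find_duplicate_serials(SAMPLE)` to get the offending (issuer, serial) group; a real sweep would feed it the PEM files collected from the hosts in question.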
Assignee
Comment 6•11 years ago
We were aware of this issue for some time and tried to reduce it as much as possible beginning this year; in fact there should be far fewer such duplicates since then.
It's a hardware- and software-related capacity issue of the queue managing the certificates, and the real solution will only be available after a hardware upgrade we are planning for Nov-Dec this year.
Since the number of certificates affected has been reduced a lot, we prefer not to revoke them, since it obviously affects both certificates at the same time. Chances that they'll conflict in reality are probably slim, and we have never received a complaint about a duplicate serial error from any user so far (which Firefox would produce in such a case).
Comment 7•8 years ago
Resolving; if StartCom becomes trusted again, they are unlikely to have the same issues.
Gerv
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
Updated•8 years ago
Product: mozilla.org → NSS
Updated•3 years ago
Product: NSS → CA Program