Closed
Bug 1034949
Opened 10 years ago
Closed 9 years ago
Swisscom: valid 512 bit certificate
Categories
(CA Program :: CA Certificate Root Program, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: kurt, Assigned: patrick.graber)
Details
(Whiteboard: BR Compliance - 512 bit cert)
Hi, I found a certificate that is using an RSA key with 512 bit that is still valid and not revoked. It's been issued by: C=ch, O=Swisscom, OU=Digital Certificate Services, CN=Swisscom Rubin CA 1
Reporter
Updated•10 years ago
Blocks: BR-Compliance
Comment 1•10 years ago
Swisscom Rubin CA 1? Do you mean Swisscom Root CA 1? I cannot find a root named Swisscom Rubin CA 1 in my database.
Reporter
Comment 2•10 years ago
That's the name of an intermediate CA. The root CA is "Swisscom Root CA 1"
Comment 3•10 years ago
In the CT-dawn era, is there any reason to treat the certificate like a big secret?

[PEM-encoded certificate omitted]

And here's today's OCSP response for it:

[base64 OCSP response omitted]

Or, in more human friendly form:

OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = CH, O = Swisscom, OU = Digital Certificate Services, CN = OCSP Signer Swisscom Rubin CA 3
    Produced At: Jul 13 08:44:14 2014 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 05E4639E5B4AB593F2690DD371F9FD91AADB5DB6
      Issuer Key Hash: 2DC2A7A3633E3F8347AB4833368185F7D4E9ACC0
      Serial Number: 0467DD88C55D766440813209F24E48A7
    Cert Status: good
    This Update: Jul 13 08:12:34 2014 GMT
    Next Update: Jul 20 10:12:38 2014 GMT

(The CRL is at http://crl.swissdigicert.ch/sdcs-rubin.crl, and doesn't list 0467DD88C55D766440813209F24E48A7 either, of course.)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Reporter
Comment 4•10 years ago
(In reply to Kaspar Brand from comment #3)
> In the CT-dawn era, is there any reason to treat the certificate like a big
> secret?

It's not a secret since we can obviously both find it. But there is also no reason to make it more public than needed to get the problem solved. Also, they didn't opt in on CT.
Updated•10 years ago
Assignee: kwilson → patrick.graber
Whiteboard: BR Compliance - 512 bit cert
Comment 5•10 years ago
The domain name of the Subject doesn't exist (anymore), so shouldn't the CA be obligated to revoke this cert on demand within 24 hrs?
Reporter
Comment 6•10 years ago
(In reply to M.Hunstock from comment #5)
> The domain name of the Subject doesn't exist (anymore), so shouldn't the CA
> be obligated to revoke this cert on demand within 24 hrs?

So to quote baseline requirements:

13.1.5 Reasons for Revoking a Subscriber Certificate

The CA SHALL revoke a Certificate within 24 hours if one or more of the following occurs:
[...]
3. The CA obtains evidence that the Subscriber’s Private Key corresponding to the Public Key in the Certificate suffered a Key Compromise (also see Section 10.2.4) or no longer complies with the requirements of Appendix A;
[...]
6. The CA is made aware of any circumstance indicating that use of a Fully-Qualified Domain Name or IP address in the Certificate is no longer legally permitted (e.g. a court or arbitrator has revoked a Domain Name Registrant’s right to use the Domain Name, a relevant licensing or services agreement between the Domain Name Registrant and the Applicant has terminated, or the Domain Name Registrant has failed to renew the Domain Name);
[...]
9. The CA is made aware that the Certificate was not issued in accordance with these Requirements or the CA’s Certificate Policy or Certification Practice Statement;

And Appendix A.3 has 2048 bit as minimum size for RSA. There also seem to be various other things wrong with the certificate. So yes, this should have been revoked almost 2 months ago.

Kurt
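The key-size check Kurt applies above, as an added example that is not from the bug, from Swisscom or from Mozilla: a minimal DER walker pulls the RSA modulus out of a PEM certificate and compares its bit length with the Appendix A minimum of 2048 bits. The certificate it consumes is a constructed, unsigned shell built by the hypothetical helper `toy_cert_pem`; on a real certificate `openssl x509 -noout -text` reports the same number in its Public-Key line.

```python
import base64

BR_MIN_RSA_BITS = 2048                          # Baseline Requirements Appendix A minimum
RSA_OID = bytes.fromhex("2a864886f70d010101")   # id rsaEncryption
def _tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _children(body):                            # yield (tag, value) of a SEQUENCE body
    pos = 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        yield tag, val
def rsa_modulus_bits(cert_der):
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo; None if key is not RSA."""
    fields = list(_children(_tlv(_tlv(cert_der)[1])[1]))
    if fields[0][0] == 0xA0:                    # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    alg, bitstr = [v for _, v in _children(fields[5][1])]   # field 5 = SPKI (after subject)
    if next(_children(alg))[1] != RSA_OID:
        return None
    rsakey = _tlv(bitstr[1:])[1]                # skip the BIT STRING unused-bits byte
    return int.from_bytes(next(_children(rsakey))[1], "big").bit_length()
def br_compliant(pem):
    """Return (modulus_bits, ok): the BR key-size check on a PEM certificate."""
    body = "".join(ln for ln in pem.splitlines() if not ln.startswith("-----"))
    bits = rsa_modulus_bits(base64.b64decode(body))
    return bits, bits is not None and bits >= BR_MIN_RSA_BITS
def _der(tag, body):                            # tiny DER encoder, only for the test input
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def toy_cert_pem(modulus_bits):
    """Constructed, unsigned v3 certificate shell carrying an RSA key of the given size."""
    mod = (1 << (modulus_bits - 1)) | 1         # exact bit length, odd, not a real key
    mod_der = _der(0x02, b"\x00" + mod.to_bytes((modulus_bits + 7) // 8, "big"))
    rsakey = _der(0x30, mod_der + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsakey))
    name = _der(0x30, b"")                      # empty Name: enough for the structure walk
    validity = _der(0x30, _der(0x17, b"120525101027Z") * 2)
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + alg + name + validity + name + spki)
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))   # dummy signature bits
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"
```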
Comment 7•10 years ago
Patrick: this is a fairly serious issue. Are you able to give a response from Swisscom? Gerv
Assignee
Comment 8•10 years ago
This certificate is used for internal test use only. It will be revoked today.
Assignee
Comment 10•9 years ago
The certificate was revoked on Sep 10 09:49:12 2014 GMT

    Serial Number: 0467DD88C55D766440813209F24E48A7
        Revocation Date: Sep 10 09:49:12 2014 GMT

This bug can be closed.

http://crl.swissdigicert.ch/sdcs-rubin.crl
Updated•9 years ago
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Updated•7 years ago
Product: mozilla.org → NSS
Updated•2 years ago
Product: NSS → CA Program