Closed
Bug 1336651
Opened 8 years ago
Closed 2 years ago
Old entries in OneCRL to be removed
Categories
(CA Program :: CA Certificate Root Program, task)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 1774065
People
(Reporter: kathleen.a.wilson, Assigned: bwilson)
(Whiteboard: [ca-onecrl])
Rob added columns to https://crt.sh/mozilla-onecrl for "Subject Name" and "Not After".
It shows that there are the following old entries in OneCRL that I think we should remove…
12624869 2015-05-08 Intermediate CA's under Staat der Nederlanden Root CA 1155114 01314476 C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Overheid CA C=NL, O=DigiNotar B.V., CN=DigiNotar PKIoverheid CA Overheid 2010-06-23
12715971 2016-01-18 GlobalSign certs 1155145 04000000000103f037e445 CN=GlobalSign RootSign Partners CA, OU=RootSign Partners CA, O=GlobalSign nv-sa, C=BE O=Dell Inc., CN=Dell Inc. Enterprise Issuing CA2 2012-05-18
1190740 2016-01-18 GlobalSign certs 1155145 040000000001047628205b CN=GlobalSign RootSign Partners CA, OU=RootSign Partners CA, O=GlobalSign nv-sa, C=BE emailAddress=pki-security-ext@nestle.com, C=CH, ST=Vaud, L=Vevey, O=Nestle, OU=IS/IT, CN=Nestle External CA 2012-06-13
1451227 2016-01-18 GlobalSign certs 1155145 0400000000011e1c35bf07 C=BE, O=GlobalSign nv-sa, OU=Partners CA, CN=GlobalSign Partners CA C=PL, O=E-Telbank Sp. z o.o., OU=PolCert, CN=PolCert SLP CA 2012-11-01
998801 2016-01-18 GlobalSign certs 1155145 040000000001094550f4da CN=GlobalSign RootSign Partners CA, OU=RootSign Partners CA, O=GlobalSign nv-sa, C=BE C=DE, O=T-Systems Enterprise Services GmbH, OU=Trust Center Deutsche Telekom, CN=Deutsche Telekom CA 5 2013-02-07
872503 2016-01-18 GlobalSign certs 1155145 040000000000f97fc62329 CN=GlobalSign RootSign Partners CA, OU=RootSign Partners CA, O=GlobalSign nv-sa, C=BE C=US, ST=Texas, L=San Antonio, OU=GS CA, O=XRamp Security Services Inc, CN=XRamp Security Services GS CA 2013-12-16
12625538 2016-01-18 GlobalSign certs 1155145 04000000000100fa6e561d CN=GlobalSign RootSign Partners CA, OU=RootSign Partners CA, O=GlobalSign nv-sa, C=BE DC=net, DC=bgc, CN=BGC-OffSubCA 2013-12-04
12624729 2016-01-18 GlobalSign certs 1155145 0400000000011764dbf017 C=BE, O=GlobalSign nv-sa, OU=Partners CA, CN=GlobalSign Partners CA C=MK, O=KIBS AD Skopje, OU=Verba CA, CN=KIBS Verba Root CA 2014-01-26
1247486 2016-01-18 GlobalSign certs 1155145 040000000001085884a7db C=BE, O=GlobalSign nv-sa, OU=Partners CA, CN=GlobalSign Partners CA C=IS, O=Audkenni hf., OU=SLP CA, CN=Audkenni SLP CA 2014-01-27
9314698 2015-09-21 Misused certificate 1205651 0ab4c73c413a01949f2378f2b229f66c C=US, O="thawte, Inc.", CN=thawte EV SSL CA - G3 jurisdictionC=US, jurisdictionST=Delaware, O=Symantec Corp, businessCategory=Private Organization, serialNumber=2158113, C=US, ST=California, L=Mountain view, CN=www.google.com 2015-09-15
1294541 2015-05-08 Intermediate CA's under Staat der Nederlanden Root CA 1155114 013169b0 C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Overheid CA C=NL, O=DigiNotar B.V., CN=DigiNotar PKIoverheid CA Overheid en Bedrijven 2015-07-27
6920161 2015-03-31 MCSHOLDING intermediate certificate 1149603 4933008e C=CN, O=CNNIC, CN=CNNIC ROOT C=EG, O=MCSHOLDING, CN=MCSHOLDING TEST 2015-04-03
24922012 2015-03-31 live.fi certificate 1145157 0fd525b433e5e1755f492a903af762c1 C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA OU=Domain Control Validated, OU=Free SSL, CN=www.live.fi 2015-04-26
9324337 2016-04-28 Symantec test certificates 1267648 3a1aed9e0170a2d2dc9b88becf4d128c C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 ECC 256 bit EV CA - G2 jurisdictionC=US, jurisdictionST=Delaware, businessCategory=Private Organization, serialNumber=2158113, C=US, ST=California, L=Mountain View, O=Symantec Corp, OU=Engineering, CN=123Symantec.com 2016-09-14
5981473 2016-04-28 Symantec test certificates 1267648 69c2350852209b0485068539f9a84382 C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 EV SSL CA - G3 jurisdictionC=IE, businessCategory=Private Organization, serialNumber=Private Org, C=IE, ST=Co Dublin, L=Dublin 15, O=Symantec Corporation, CN=evgabrieltest.bbtest.com 2016-12-09
5844696 2016-04-28 Symantec test certificates 1267648 69c2350852209b0485068539f9a84382 C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 EV SSL CA - G3 jurisdictionC=IE, businessCategory=Private Organization, serialNumber=Private Org, C=IE, ST=Co Dublin, L=Dublin 15, O=Symantec Corporation, CN=evgabrieltest.bbtest.com 2016-12-09
13308760 2016-03-01 exceptional SHA-1 Certificates 1252142 54e708b8d6d3aa4a4e314c88d74f053a C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3 C=US, ST=Georgia, L=Atlanta, O="WorldPay US, Inc.", OU=Transaction Processing, CN=qac.tf.rbslynk.com 2016-05-25
13308760 2016-03-01 exceptional SHA-1 Certificates 1252142 54e708b8d6d3aa4a4e314c88d74f053a C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3 C=US, ST=Georgia, L=Atlanta, O="WorldPay US, Inc.", OU=Transaction Processing, CN=qac.tf.rbslynk.com 2016-05-25
13308756 2016-03-01 exceptional SHA-1 Certificates 1252142 08ec280c5bf3ec60fc4762bb2e8d2b61 C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3 C=US, ST=Georgia, L=Atlanta, O="WorldPay US, Inc.", OU=Transaction Processing, CN=tf.lynk-systems.com 2016-05-25
13308752 2016-03-01 exceptional SHA-1 Certificates 1252142 255fcb57348a23fc2c0e083752e64794 C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3 C=US, ST=Georgia, L=Atlanta, O="WorldPay US, Inc.", OU=Transaction Processing, CN=tframe1.rbslynk.com 2016-05-25
13308744 2016-03-01 exceptional SHA-1 Certificates 1252142 34ca4c7049dec77797c78a2193d82571 C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3 C=US, ST=Georgia, L=Atlanta, O="WorldPay US, Inc.", OU=Transaction Processing, CN=tframe2.rbslynk.com 2016-05-25
13308741 2016-03-01 exceptional SHA-1 Certificates 1252142 2dd6e709bb00f6c3a02389a45295973f C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3 C=US, ST=Georgia, L=Atlanta, O="WorldPay US, Inc.", OU=Transaction Processing, CN=tpdev.lynksystems.com 2016-05-25
13308739 2016-03-01 exceptional SHA-1 Certificates 1252142 19dfe93eefaa2e75d476f3fdb16ef709 C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3 C=US, ST=Georgia, L=Atlanta, O="WorldPay US, Inc.", OU=Transaction Processing, CN=tptrans-l.lynksystems.com 2016-05-25
13308724 2016-03-01 exceptional SHA-1 Certificates 1252142 072edf053adea2e4705ffaaba60494b2 C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3 C=US, ST=Georgia, L=Atlanta, O="WorldPay US, Inc.", OU=Transaction Processing, CN=tptrans.lynksystems.com 2016-05-25
24921956 2015-04-07 XS4ALL certificate 1150585 5284469dbf7a0940d3c48a95af2e8b06 C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA OU=Domain Control Validated, OU=PositiveSSL, CN=xs4all.nl 2016-03-19
~~
Updated•8 years ago
Assignee: kwilson → mgoodwin
Reporter
Comment 1•8 years ago
Some of us have been discussing whether or not it is a good idea to remove entries from OneCRL for expired intermediate certificates. When the intermediate cert is listed in OneCRL as revoked, the end-user gets a hard fail. When the intermediate cert fails because it has expired, the end-user gets an overridable error. Or, worse, if they've set their computer clocks back for some reason, the expired cert chain could validate.
So, our recommendation is that if an intermediate cert was revoked and added to OneCRL as a result of a security incident, then its entry should *not* be removed from OneCRL until the complete hierarchy is gone from recent/current Mozilla releases. In other words, if an entry for an intermediate cert was added to OneCRL for security reasons, then it should *not* be removed from OneCRL until there is no valid (but expired) path to validate that chain.
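Added example (not part of this bug, and not Mozilla's OneCRL or NSS code): a small Python model of the distinction comment 1 draws between a OneCRL hit (hard fail, independent of the client clock) and plain expiry (overridable, and defeated by a clock set into the past), plus the conservative pruning rule it recommends. The issuer, serial and Not After values for the two entries are copied from the listing in the bug description; the `security_incident` flag, the `utc`/`simulate` helpers and the "today" date are this example's own assumptions, since OneCRL publishes no such field.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class OneCRLEntry:
    """One intermediate as listed on crt.sh/mozilla-onecrl; (issuer, serial) identifies it."""
    issuer: str
    serial: str                 # hex serial number as printed by crt.sh
    not_after: datetime         # certificate expiry, UTC
    security_incident: bool     # ASSUMED flag for this example; OneCRL has no such field


def utc(y, m, d):
    """Construct a UTC datetime for a calendar date."""
    return datetime(y, m, d, tzinfo=timezone.utc)


# Two entries from the bug's listing. Issuer, serial and Not After are copied from
# the page; the security_incident classification is an assumption of this example
# (the GlobalSign partner CA is one of the entries comment 2 proposes removing,
# MCSHOLDING was a misissuance incident).
DELL = OneCRLEntry(
    "CN=GlobalSign RootSign Partners CA, OU=RootSign Partners CA, O=GlobalSign nv-sa, C=BE",
    "04000000000103f037e445", utc(2012, 5, 18), security_incident=False)
MCSHOLDING = OneCRLEntry(
    "C=CN, O=CNNIC, CN=CNNIC ROOT",
    "4933008e", utc(2015, 4, 3), security_incident=True)
ENTRIES = [DELL, MCSHOLDING]


def chain_outcome(entry, blocked, now):
    """Return what a client would see for a chain through `entry`.

    `blocked` is the set of (issuer, serial) pairs currently in OneCRL. That
    check comes first and ignores the clock: it is a hard, non-overridable
    failure. Expiry is judged against the client's own `now`, so it is only an
    overridable error and disappears entirely if the clock is set back.
    """
    if (entry.issuer, entry.serial) in blocked:
        return "hard-fail"
    if now > entry.not_after:
        return "expired-overridable"
    return "valid"


def prune_candidates(entries, now):
    """Comment 1's conservative rule: only an expired entry that was NOT added
    because of a security incident may leave OneCRL."""
    return [e for e in entries if now > e.not_after and not e.security_incident]


def day_before_expiry(entry):
    """A client clock set back to just inside the certificate's validity period."""
    return entry.not_after - timedelta(days=1)


def simulate(entries, today):
    """Outcomes before pruning (correct clock) and after pruning, where each chain
    is evaluated by a client whose clock was set back to the day before expiry."""
    blocked = {(e.issuer, e.serial) for e in entries}
    before = {e.serial: chain_outcome(e, blocked, today) for e in entries}
    pruned = prune_candidates(entries, today)
    remaining = blocked - {(e.issuer, e.serial) for e in pruned}
    after = {e.serial: chain_outcome(e, remaining, day_before_expiry(e))
             for e in entries}
    return before, [e.serial for e in pruned], after


if __name__ == "__main__":
    before, pruned, after = simulate(ENTRIES, utc(2017, 2, 1))  # constructed "today"
    print("before pruning, correct clock:", before)
    print("pruned:", pruned)
    print("after pruning, clock set back:", after)
    # The failure mode comment 1 warns about: if the incident entry were
    # dropped as well, a skewed clock would validate that chain again.
    print("MCSHOLDING if removed, clock set back:",
          chain_outcome(MCSHOLDING, set(), day_before_expiry(MCSHOLDING)))
```

With the entry kept in OneCRL, the MCSHOLDING chain stays a hard fail no matter what the client clock says; the pruned GlobalSign partner entry becomes valid again under a skewed clock, which is acceptable only because it was not an incident entry.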
Reporter
Comment 2•8 years ago
(In reply to Kathleen Wilson from comment #1)
To be conservative, the only entries in the above list that I think we should remove from OneCRL at this time are as follows:
12715971 2016-01-18 GlobalSign certs 1155145 04000000000103f037e445 CN=GlobalSign RootSign Partners CA, OU=RootSign Partners CA, O=GlobalSign nv-sa, C=BE O=Dell Inc., CN=Dell Inc. Enterprise Issuing CA2 2012-05-18
1190740 2016-01-18 GlobalSign certs 1155145 040000000001047628205b CN=GlobalSign RootSign Partners CA, OU=RootSign Partners CA, O=GlobalSign nv-sa, C=BE emailAddress=pki-security-ext@nestle.com, C=CH, ST=Vaud, L=Vevey, O=Nestle, OU=IS/IT, CN=Nestle External CA 2012-06-13
1451227 2016-01-18 GlobalSign certs 1155145 0400000000011e1c35bf07 C=BE, O=GlobalSign nv-sa, OU=Partners CA, CN=GlobalSign Partners CA C=PL, O=E-Telbank Sp. z o.o., OU=PolCert, CN=PolCert SLP CA 2012-11-01
998801 2016-01-18 GlobalSign certs 1155145 040000000001094550f4da CN=GlobalSign RootSign Partners CA, OU=RootSign Partners CA, O=GlobalSign nv-sa, C=BE C=DE, O=T-Systems Enterprise Services GmbH, OU=Trust Center Deutsche Telekom, CN=Deutsche Telekom CA 5 2013-02-07
872503 2016-01-18 GlobalSign certs 1155145 040000000000f97fc62329 CN=GlobalSign RootSign Partners CA, OU=RootSign Partners CA, O=GlobalSign nv-sa, C=BE C=US, ST=Texas, L=San Antonio, OU=GS CA, O=XRamp Security Services Inc, CN=XRamp Security Services GS CA 2013-12-16
12625538 2016-01-18 GlobalSign certs 1155145 04000000000100fa6e561d CN=GlobalSign RootSign Partners CA, OU=RootSign Partners CA, O=GlobalSign nv-sa, C=BE DC=net, DC=bgc, CN=BGC-OffSubCA 2013-12-04
12624729 2016-01-18 GlobalSign certs 1155145 0400000000011764dbf017 C=BE, O=GlobalSign nv-sa, OU=Partners CA, CN=GlobalSign Partners CA C=MK, O=KIBS AD Skopje, OU=Verba CA, CN=KIBS Verba Root CA 2014-01-26
1247486 2016-01-18 GlobalSign certs 1155145 040000000001085884a7db C=BE, O=GlobalSign nv-sa, OU=Partners CA, CN=GlobalSign Partners CA C=IS, O=Audkenni hf., OU=SLP CA, CN=Audkenni SLP CA 2014-01-27
~~
The Symantec test certs listed above are covered in Bug #1337228, so no need to duplicate here.
Reporter
Updated•8 years ago
Whiteboard: [ca-onecrl]
Updated•8 years ago
Product: mozilla.org → NSS
Reporter
Updated•7 years ago
Blocks: onecrl-meta
Comment 3•2 years ago
The bug assignee is inactive on Bugzilla, so the assignee is being reset.
Assignee: bugs → bwilson
Reporter
Updated•2 years ago
Status: NEW → RESOLVED
Closed: 2 years ago
QA Contact: kwilson
Resolution: --- → DUPLICATE
Updated•2 years ago
Product: NSS → CA Program