1432467 - CCADB entries generated 2018-01-23T13:41:18Z

Status: RESOLVED FIXED

(Core :: Security Block-lists, Allow-lists, and other State, enhancement)

Comment 1

[omphalos]

Attachment: Intermediates to be revoked

Revocations data for new records

Comment 2

[omphalos]

Attachment: existing and new revocations in the form of a revocations.txt file

Revocations data for new and existing records

Comment 3

[Mark Goodwin [:mgoodwin]]

Please note, this set of additions includes the entry from bug 1427034

Comment 4

[Wayne Thayer]

Comment on attachment 8944710 [details]
Intermediates to be revoked

Confirmed that the correct certificate is being referenced.

Comment 5

[J.C. Jones [:jcj] (he/him)]

Downloading intermediates to be revoked from bug # 1432467

Results:
Pending Kinto Dataset (Found): 617
Added Entries (Expected): 4
[GOOD] Expected But Not Pending (Not Found): 0
Deleted: 0
[GOOD] Entries In Production But Lost Without Being Deleted (Missing): 0

[GOOD] The Expected file matches the change between the staged Kinto and production.
[GOOD] The Kinto dataset found at production equals the union of the expected file and the live list.
Nothing not found.
Nothing deleted.

Comment 6

[Kathleen Wilson]

Comment on attachment 8944710 [details]
Intermediates to be revoked

I confirm that these are the correct entries to add to OneCRL.
One entry is regarding Bug #1427034.
The other three entries have OneCRL Status of "Ready To Add" in the CCADB, because I have verified their revocations via their corresponding CRLs.

Comment 7

[Matt Wobensmith [:mwobensmith][:matt:]]

TLS Canary found one site that is affected by this change:

https://surveys.intesasanpaolo.com/

It ranks at #910376 in the top one million site list. 

If this is expected and/or otherwise acceptable, I can r+ the revocations file.

Comment 8

[J.C. Jones [:jcj] (he/him)]

It's expected since we're distrusting its root. I'll leave it to Kathleen to confirm that the root distrust is correct.

(TLS Observatory scan: https://observatory.mozilla.org/analyze.html?host=surveys.intesasanpaolo.com#tls )

Comment 9

[Kathleen Wilson]

(In reply to Matt Wobensmith [:mwobensmith][:matt:] from comment #7)
> TLS Canary found one site that is affected by this change:
> 
> https://surveys.intesasanpaolo.com/
> 
> It ranks at #910376 in the top one million site list. 
> 
> If this is expected and/or otherwise acceptable, I can r+ the revocations
> file.


Ben, Please confirm that DigiCert's customer is aware that their website https://surveys.intesasanpaolo.com/ needs to be updated to not use the revoked cert https://crt.sh/?id=6158202.

Comment 10

[Ben Wilson]

Today I reached out to IntesaSanpaolo just to make sure that they were aware of this website, https://surveys.intesasanpaolo.com.

Comment 11

[Kathleen Wilson]

JC, please proceed with the rest of the process to add these to OneCRL. Thanks!

Comment 12

[J.C. Jones [:jcj] (he/him)]

Signed, pushed to OneCRL.

Comment 13

[Kathleen Wilson]

I confirm that these entries have been added to OneCRL. Thanks!

Comment 14

[BMO Automation]

Moving bug to Core::Security Block-lists, Allow-lists, and other State.