Closed
Bug 1432608
Opened 7 years ago
Closed 7 years ago
Add EC Raiz Estado Cross Certificates to OneCRL
Categories
(CA Program :: CA Certificate Root Program, task)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: benwilsonusa, Assigned: wthayer)
Details
(Whiteboard: [ca-onecrl])
The following four (4) cross certificates issued by the Baltimore Cybertrust Root to the EC Raiz Estado Root CA should be added to OneCRL to prevent them from being trusted for issuing certificates for SSL/TLS Server Authentication.
Comment 1•7 years ago
Ben, please confirm that these are not actually being revoked, but you are requesting that they be added to OneCRL anyways.
Assignee: kwilson → wthayer
Whiteboard: [ca-onecrl]
Reporter
Comment 2•7 years ago
Could we hold this request in abeyance for a while during the period that Mozilla is considering the application of MULTICERT for inclusion as a trusted root? We had a discussion with the parties today. They have approximately 500 government web sites in Portugal that are using this trust chain. Once MULTICERT is included in the root store, they plan to provide these 500 gov't web sites with different certificates that chain up to MULTICERT's root.
Comment 3•7 years ago
Given the sheer amount of misissuance in this hierarchy, I think it really needs to be revoked, and I wouldn't hold my breath on their new roots being included.

https://crt.sh/?caid=5132&opt=cablint,zlint,x509lint&minNotBefore=2000-01-01
https://crt.sh/?caid=606&opt=cablint,zlint,x509lint&minNotBefore=2000-01-01

See also: bug 1397961
Assignee
Comment 4•7 years ago
Ben: What was the reason for wanting these cross-certs to be blocked via OneCRL?

Jonathan: Other than 1262610, I wasn't able to find a misissuance bug for all the problems identified in your crt.sh links. Should one be created?
Flags: needinfo?(ben.wilson)
Comment 5•7 years ago
Yeah, I don't have time to do it right now, but I think investigation is warranted.
Reporter
Comment 6•7 years ago
(In reply to Wayne Thayer [:wayne] from comment #4)
> Ben: What was the reason for wanting these cross-certs to be blocked via
> OneCRL?
>
> Jonathan: Other than 1262610, I wasn't able to find a misissuance bug for
> all the problems identified in your crt.sh links. Should one be created?

I thought that mainly the end entity certificates are for national ID cards for Portugal and not for SSL/TLS server auth. However, I learned that the Portuguese government is still relying on the CA cross certificate for approximately 400 government web sites.
Flags: needinfo?(ben.wilson)
Assignee
Comment 7•7 years ago
(In reply to Ben Wilson from comment #6)
> (In reply to Wayne Thayer [:wayne] from comment #4)
> > Ben: What was the reason for wanting these cross-certs to be blocked via
> > OneCRL?
> >
> > Jonathan: Other than 1262610, I wasn't able to find a misissuance bug for
> > all the problems identified in your crt.sh links. Should one be created?
>

I created bug 1436173 requesting an incident report for the misissued certificates Jonathan identified.

> I thought that mainly the end entity certificates are for national ID cards
> for Portugal and not for SSL/TLS server auth. However, I learned that the
> Portuguese government is still relying on the CA cross certificate for
> approximately 400 government web sites.

Closing this bug per Ben's comments.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
Updated•2 years ago
Product: NSS → CA Program