Closed Bug 1432608 Opened 2 years ago Closed 2 years ago

Add EC Raiz Estado Cross Certificates to OneCRL

Categories

(NSS :: CA Certificate Root Program, task)

RESOLVED WONTFIX

People

(Reporter: benwilsonusa, Assigned: wayne)

Details

(Whiteboard: [ca-onecrl])

The following four (4) cross certificates issued by the Baltimore Cybertrust Root to the EC Raiz Estado Root CA should be added to OneCRL to prevent them from being trusted for issuing certificates for SSL/TLS Server Authentication.

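
The request above asks for these cross-certificates to be distrusted through OneCRL (the intermediate blocklist Mozilla ships to Firefox) rather than revoked by their issuer. As an added example, not part of this bug or of any Mozilla code, the Go program below derives the pair a OneCRL record uses to name a certificate (its DER issuer Name and DER serial number, base64-encoded) and checks a chain against it; since the real certificates are not reproduced here, it generates a constructed stand-in cross-certificate carrying the names from this bug, and the serial numbers it uses are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
	"math/big"
	"time"
)

// EntryFor returns the key a OneCRL record uses: base64 DER issuer Name + "|" + base64 DER serial INTEGER.
func EntryFor(c *x509.Certificate) string {
	serialDER, _ := asn1.Marshal(c.SerialNumber) // a *big.Int always marshals
	return base64.StdEncoding.EncodeToString(c.RawIssuer) + "|" +
		base64.StdEncoding.EncodeToString(serialDER)
}

// IsBlocked is true if any chain cert is listed; a listed cross-cert distrusts every leaf under it.
func IsBlocked(chain []*x509.Certificate, list map[string]bool) bool {
	for _, c := range chain {
		if list[EntryFor(c)] {
			return true
		}
	}
	return false
}

// MakeCert builds a constructed stand-in cross-certificate (issuerCN signs subjectCN) with a throwaway key.
func MakeCert(issuerCN, subjectCN string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN}}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: subjectCN},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Because the match is on issuer name plus serial, a sibling certificate with the same issuer and subject but a different serial is not affected, which is why each of the four cross-certificates needs its own entry.
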
Ben, please confirm that these are not actually being revoked, but you are requesting that they be added to OneCRL anyways.
Assignee: kwilson → wthayer
Whiteboard: [ca-onecrl]
Could we hold this request in abeyance for a while during the period that Mozilla is considering the application of MULTICERT for inclusion as a trusted root?  We had a discussion with the parties today.  They have approximately 500 government web sites in Portugal that are using this trust chain.  Once MULTICERT is included in the root store, they plan to provide these 500 gov't web sites with different certificates that chain up to MULTICERT's root.
Given the sheer amount of misissuance in this hierarchy, I think it really needs to be revoked, and I wouldn't hold my breath on their new roots being included.

https://crt.sh/?caid=5132&opt=cablint,zlint,x509lint&minNotBefore=2000-01-01
https://crt.sh/?caid=606&opt=cablint,zlint,x509lint&minNotBefore=2000-01-01

See also: bug 1397961
Ben: What was the reason for wanting these cross-certs to be blocked via OneCRL?

Jonathan: Other than 1262610, I wasn't able to find a misissuance bug for all the problems identified in your crt.sh links. Should one be created?
Flags: needinfo?(ben.wilson)
Yeah, I don't have time to do it right now, but I think investigation is warranted.
(In reply to Wayne Thayer [:wayne] from comment #4)
> Ben: What was the reason for wanting these cross-certs to be blocked via
> OneCRL?
> 
> Jonathan: Other than 1262610, I wasn't able to find a misissuance bug for
> all the problems identified in your crt.sh links. Should one be created?

I thought that mainly the end entity certificates are for national ID cards for Portugal and not for SSL/TLS server auth.  However, I learned that the Portuguese government is still relying on the CA cross certificate for approximately 400 government web sites.
Flags: needinfo?(ben.wilson)
(In reply to Ben Wilson from comment #6)
> (In reply to Wayne Thayer [:wayne] from comment #4)
> > Ben: What was the reason for wanting these cross-certs to be blocked via
> > OneCRL?
> > 
> > Jonathan: Other than 1262610, I wasn't able to find a misissuance bug for
> > all the problems identified in your crt.sh links. Should one be created?
> 
I created bug 1436173 requesting an incident report for the misissued certificates Jonathan identified.

> I thought that mainly the end entity certificates are for national ID cards
> for Portugal and not for SSL/TLS server auth.  However, I learned that the
> Portuguese government is still relying on the CA cross certificate for
> approximately 400 government web sites.

Closing this bug per Ben's comments.
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → WONTFIX