Entrust: Invalid data in commonName fields
Categories: CA Program :: CA Certificate Compliance, task
Tracking: Not tracked
People: Reporter: fozzie, Assigned: bruce.morton
Details: Whiteboard: [ca-compliance]
Entrust has issued certificates with invalid data in the commonName field. Some of these certificates have been revoked, which indicates that Entrust knows about this issue, but I couldn't find an incident posted here.
https://crt.sh/?q=cf358955f002f9688c1acac0445dc5cfb8998c279306e2c0eed3a828235188d5
https://crt.sh/?q=4736b1485d737a312bfa1a20cd394d96cf0c695669f64856119ab77676d7e855
https://crt.sh/?q=7e6cbe35abcefdec58e070b8e7bc8e881c68151bd5dc39801645b3eb138cba94
https://crt.sh/?q=2c1953b7eb005e80511d70478caf7572321c7976263c61c4838accae4a54c8c8
https://crt.sh/?q=e6199246429afeda6cbe6cb998cb5906c5e0a3b07a14ffa90f9c0849474f6749
https://crt.sh/?q=04dc13010cd041c17c6654fc65518b1855e2cf7b8fbaad8a5dfe5a512cf0c6ca
https://crt.sh/?q=b59e94c004c23b167c76853db43044edafb029d7ae8ab73bf2a55b637fb26530
https://crt.sh/?q=e992ffcc621489a949b6b410d3f03fe8ea6d0ebbd184c7a2fa1b58a69a29a8e9
https://crt.sh/?q=52140dae73aae7a9020f0dacc4938a62502c4312204f30a46674b7c4b48198d1
There are probably other certificates.
Comment 1 • 5 years ago (Reporter)
I haven't found any certificates issued after 2020-08-17 (the revocation date in certificate #2 linked) so I think this issue has been fixed for new issuances.
Updated•5 years ago
George, it seems like those certificates were not issued by an SSL-enabled CA (all issued by https://crt.sh/?caid=114082), and don't use BR profile identifiers. Nor is that CA technically capable of issuing server or email certificates. The certificates are instead issued under the "Verified Mark Certificates" profile of Entrust's CPS, using the VMC Guidelines as their base profile, as can be found here: bimigroup.org/resources/VMC_Guidelines_latest.pdf
I think this is not a problem in the scope of Mozilla's root store.
Comment 3 • 5 years ago (Reporter)
I think you're right, Matthias. I missed the OIDs on Censys. I'll close this as INVALID. Thanks!