Closed Bug 906611 Opened 10 years ago Closed 6 years ago

ImprovingRevocation: Intermediate CA Certificates previously revoked by COMODO

Tracking

(Not tracked)

Status:

RESOLVED FIXED

People

(Reporter: rob, Assigned: kwilson)

References

Details

Attachments

(1 file)

Intermediate CA Certificates previously revoked by COMODO 10 years ago Rob Stradling 7.32 KB, application/zip		Details

Rob Stradling

Reporter

Description

•

10 years ago

Attached file Intermediate CA Certificates previously revoked by COMODO — Details

Kathleen, as requested by your recent CA Communication (sent July 31st 2013), attached to this bug are all of the Intermediate CA Certificates that COMODO has previously revoked.

The Private Keys for all 6 of these Intermediates are controlled exclusively by COMODO.  All certificates chaining up to these Intermediates expired before May 2012.

I can't decide if "superseded" or "cessationOfOperation" would be the most appropriate CRL reasonCode for each of these 6 Intermediates.

We don't believe that these Intermediates pose any risk to Mozilla's users, and so we don't think it would be necessary to add them to your "revocation list push mechanism".  But if you want to add them anyway, that's fine.

Kathleen Wilson

Assignee

Updated

•

9 years ago

Blocks: OneCRL

Mark Goodwin [:mgoodwin]

Updated

•

8 years ago

Blocks: onecrl-meta
No longer blocks: OneCRL

Mark Goodwin [:mgoodwin]

Comment 1

•

8 years ago

In case we do decide to add these:

ASJCA-Client.cer
issuer is: MIGuMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTE2MDQGA1UEAxMtVVROLVVTRVJGaXJzdC1DbGllbnQgQXV0aGVudGljYXRpb24gYW5kIEVtYWls
serial is: D/wZ7+m1Mv8SONSEFcs73w==

ASJCA-Object.cer
issuer is: MIGVMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTEdMBsGA1UEAxMUVVROLVVTRVJGaXJzdC1PYmplY3Q=
serial is: Jq6jgeApiT9O4W2Tx/NTRQ==

ASJCA-Server.cer
issuer is: MIGXMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTEfMB0GA1UEAxMWVVROLVVTRVJGaXJzdC1IYXJkd2FyZQ==
serial is: Xrr31RF0DoIzMKXS6XtD+g==

OpenFinanceNetwork.cer
issuer is: MHsxCzAJBgNVBAYTAkdCMRswGQYDVQQIDBJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcMB1NhbGZvcmQxGjAYBgNVBAoMEUNvbW9kbyBDQSBMaW1pdGVkMSEwHwYDVQQDDBhBQUEgQ2VydGlmaWNhdGUgU2VydmljZXM=
serial is: cgJbSXABDe/emSiQ04zz1g==

OpenFinanceNetwork_2.cer
issuer is: MIGuMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTE2MDQGA1UEAxMtVVROLVVTRVJGaXJzdC1DbGllbnQgQXV0aGVudGljYXRpb24gYW5kIEVtYWls
serial is: BglSlOqo4fFtORoX1kWjiw==

ResellerFlyCertificateServices.cer
issuer is: MIGXMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTEfMB0GA1UEAxMWVVROLVVTRVJGaXJzdC1IYXJkd2FyZQ==
serial is: EEpERSryZFMagbsNw/WoWQ==

Mark Goodwin [:mgoodwin]

Updated

•

8 years ago

Depends on: 1161480

Rob Stradling

Reporter

Comment 2

•

7 years ago

Today we have revoked (via CRL and OCSP) all 3 of the cross-certificates that we'd issued to WoSign:

https://crt.sh/?id=3223853
https://crt.sh/?id=12716343
https://crt.sh/?id=12716433

I think the combination of other measures previously taken (the removal of the "UTN - DATACorp SGC" root certificate, the revocation/blacklisting of the cross-certificates issued to "UTN - DATACorp SGC", and the technical constraints in these 3 cross-certificates issued to WoSign) should mean that these 3 cross-certificates are already not trusted by Mozilla users.

That said, if you want to actively distrust these 3 cross-certificates explicitly, please feel free to add them to OneCRL.

Kathleen Wilson

Assignee

Comment 3

•

7 years ago

> ASJCA-Client.cer
> issuer is:
> MIGuMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wH
> AYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydX
> N0LmNvbTE2MDQGA1UEAxMtVVROLVVTRVJGaXJzdC1DbGllbnQgQXV0aGVudGljYXRpb24gYW5kIEV
> tYWls
> serial is: D/wZ7+m1Mv8SONSEFcs73w==

Added to OneCRL

> 
> ASJCA-Object.cer
> issuer is:
> MIGVMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wH
> AYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydX
> N0LmNvbTEdMBsGA1UEAxMUVVROLVVTRVJGaXJzdC1PYmplY3Q=
> serial is: Jq6jgeApiT9O4W2Tx/NTRQ==

Added to OneCRL

> 
> ASJCA-Server.cer
> issuer is:
> MIGXMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wH
> AYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydX
> N0LmNvbTEfMB0GA1UEAxMWVVROLVVTRVJGaXJzdC1IYXJkd2FyZQ==
> serial is: Xrr31RF0DoIzMKXS6XtD+g==

Added to OneCRL

> 
> OpenFinanceNetwork.cer
> issuer is:
> MHsxCzAJBgNVBAYTAkdCMRswGQYDVQQIDBJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcMB1Nhb
> GZvcmQxGjAYBgNVBAoMEUNvbW9kbyBDQSBMaW1pdGVkMSEwHwYDVQQDDBhBQUEgQ2VydGlmaWNhdG
> UgU2VydmljZXM=
> serial is: cgJbSXABDe/emSiQ04zz1g==

Expired. Won't be added to OneCRL

> 
> OpenFinanceNetwork_2.cer
> issuer is:
> MIGuMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wH
> AYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydX
> N0LmNvbTE2MDQGA1UEAxMtVVROLVVTRVJGaXJzdC1DbGllbnQgQXV0aGVudGljYXRpb24gYW5kIEV
> tYWls
> serial is: BglSlOqo4fFtORoX1kWjiw==

Expired. Won't be added to OneCRL.

> 
> ResellerFlyCertificateServices.cer
> issuer is:
> MIGXMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wH
> AYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydX
> N0LmNvbTEfMB0GA1UEAxMWVVROLVVTRVJGaXJzdC1IYXJkd2FyZQ==
> serial is: EEpERSryZFMagbsNw/WoWQ==

Added to OneCRL.

Kathleen Wilson

Assignee

Comment 4

•

7 years ago

(In reply to Rob Stradling from comment #2)
> https://crt.sh/?id=3223853
Added to OneCRL

> https://crt.sh/?id=12716343
In CA Community in Salesforce as "Ready to Add" to OneCRL.

> https://crt.sh/?id=12716433
In CA Community in Salesforce as "Ready to Add" to OneCRL.

Kathleen Wilson

Assignee

Comment 5

•

6 years ago

(In reply to Kathleen Wilson from comment #4)
> > https://crt.sh/?id=12716343
> In CA Community in Salesforce as "Ready to Add" to OneCRL.
> 
> > https://crt.sh/?id=12716433
> In CA Community in Salesforce as "Ready to Add" to OneCRL.

These have been added to OneCRL.

Kathleen Wilson

Assignee

Comment 6

•

6 years ago

To my knowledge, all of the non-expired, non-technically-constrained revoked intermediate certs listed in this bug have been added to OneCRL.

All future revocations of intermediate certs should be reported as described here:
https://wiki.mozilla.org/CA:SalesforceCommunity#Add_Revoked_Intermediate_Certificate_Data_to_Salesforce

Thanks!

Status: ASSIGNED → RESOLVED

Closed: 6 years ago

Resolution: --- → FIXED

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

ImprovingRevocation: Intermediate CA Certificates previously revoked by COMODO

Categories

(NSS :: CA Certificates Code, task)

Tracking

(Not tracked)

People

(Reporter: rob, Assigned: kwilson)

References

Details

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Updated

Updated

Comment 1

Updated

Comment 2

Comment 3

Comment 4

Comment 5

Comment 6