ImprovingRevocation: Intermediate CA Certificates previously revoked by COMODO

Status

task
RESOLVED FIXED
Reported: 6 years ago
Last modified: 2 years ago

People

(Reporter: Rob.Stradling, Assigned: kwilson)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
Kathleen, as requested by your recent CA Communication (sent July 31st 2013), attached to this bug are all of the Intermediate CA Certificates that COMODO has previously revoked.

The Private Keys for all 6 of these Intermediates are controlled exclusively by COMODO.  All certificates chaining up to these Intermediates expired before May 2012.

I can't decide if "superseded" or "cessationOfOperation" would be the most appropriate CRL reasonCode for each of these 6 Intermediates.

We don't believe that these Intermediates pose any risk to Mozilla's users, and so we don't think it would be necessary to add them to your "revocation list push mechanism".  But if you want to add them anyway, that's fine.
(Assignee)

Updated

5 years ago
Blocks: OneCRL
Blocks: onecrl-meta
No longer blocks: OneCRL
In case we do decide to add these:

ASJCA-Client.cer
issuer is: MIGuMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTE2MDQGA1UEAxMtVVROLVVTRVJGaXJzdC1DbGllbnQgQXV0aGVudGljYXRpb24gYW5kIEVtYWls
serial is: D/wZ7+m1Mv8SONSEFcs73w==

ASJCA-Object.cer
issuer is: MIGVMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTEdMBsGA1UEAxMUVVROLVVTRVJGaXJzdC1PYmplY3Q=
serial is: Jq6jgeApiT9O4W2Tx/NTRQ==

ASJCA-Server.cer
issuer is: MIGXMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTEfMB0GA1UEAxMWVVROLVVTRVJGaXJzdC1IYXJkd2FyZQ==
serial is: Xrr31RF0DoIzMKXS6XtD+g==

OpenFinanceNetwork.cer
issuer is: MHsxCzAJBgNVBAYTAkdCMRswGQYDVQQIDBJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcMB1NhbGZvcmQxGjAYBgNVBAoMEUNvbW9kbyBDQSBMaW1pdGVkMSEwHwYDVQQDDBhBQUEgQ2VydGlmaWNhdGUgU2VydmljZXM=
serial is: cgJbSXABDe/emSiQ04zz1g==

OpenFinanceNetwork_2.cer
issuer is: MIGuMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTE2MDQGA1UEAxMtVVROLVVTRVJGaXJzdC1DbGllbnQgQXV0aGVudGljYXRpb24gYW5kIEVtYWls
serial is: BglSlOqo4fFtORoX1kWjiw==

ResellerFlyCertificateServices.cer
issuer is: MIGXMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTEfMB0GA1UEAxMWVVROLVVTRVJGaXJzdC1IYXJkd2FyZQ==
serial is: EEpERSryZFMagbsNw/WoWQ==
Depends on: 1161480
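The issuer/serial pairs listed above are exactly what a OneCRL entry carries: the base64 of the certificate's DER-encoded issuer Name, and the base64 of the serial number bytes as they appear in the certificate. The script below is an added example, not part of this bug and not Mozilla's OneCRL code. It decodes the six entries above into a readable DN plus hex serial using a minimal DER Name parser, and shows a blocklist lookup that compares the raw DER issuer bytes and serial bytes. Matching on the encoded bytes rather than on a string rendering is a design choice assumed here; the entries above already show why the string form is a poor key, since the same attribute type is a PrintableString in the USERTRUST names and a UTF8String in the Comodo name.

```python
import base64

# X.500 attribute types found in the issuer names on this bug (plus a few
# common extras); anything else is rendered as its dotted OID.
ATTR_TYPE_NAMES = {
    "2.5.4.3": "CN",
    "2.5.4.6": "C",
    "2.5.4.7": "L",
    "2.5.4.8": "ST",
    "2.5.4.10": "O",
    "2.5.4.11": "OU",
    "1.2.840.113549.1.9.1": "emailAddress",
}

# The six entries copied from this bug: (issuer base64 DER, serial base64).
ONECRL_ENTRIES = [
    ("MIGuMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTE2MDQGA1UEAxMtVVROLVVTRVJGaXJzdC1DbGllbnQgQXV0aGVudGljYXRpb24gYW5kIEVtYWls", "D/wZ7+m1Mv8SONSEFcs73w=="),
    ("MIGVMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTEdMBsGA1UEAxMUVVROLVVTRVJGaXJzdC1PYmplY3Q=", "Jq6jgeApiT9O4W2Tx/NTRQ=="),
    ("MIGXMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTEfMB0GA1UEAxMWVVROLVVTRVJGaXJzdC1IYXJkd2FyZQ==", "Xrr31RF0DoIzMKXS6XtD+g=="),
    ("MHsxCzAJBgNVBAYTAkdCMRswGQYDVQQIDBJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcMB1NhbGZvcmQxGjAYBgNVBAoMEUNvbW9kbyBDQSBMaW1pdGVkMSEwHwYDVQQDDBhBQUEgQ2VydGlmaWNhdGUgU2VydmljZXM=", "cgJbSXABDe/emSiQ04zz1g=="),
    ("MIGuMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTE2MDQGA1UEAxMtVVROLVVTRVJGaXJzdC1DbGllbnQgQXV0aGVudGljYXRpb24gYW5kIEVtYWls", "BglSlOqo4fFtORoX1kWjiw=="),
    ("MIGXMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTEfMB0GA1UEAxMWVVROLVVTRVJGaXJzdC1IYXJkd2FyZQ==", "EEpERSryZFMagbsNw/WoWQ=="),
]


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, content bytes, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def _decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets to dotted-decimal form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:              # high bit clear: last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_name(der):
    """Parse an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) into [(type, value)]."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = _read_tlv(body, pos)
        if tag != 0x31:
            raise ValueError("RelativeDistinguishedName must be a SET")
        p = 0
        while p < len(rdn):
            _, atv, p = _read_tlv(rdn, p)
            oid_tag, oid, q = _read_tlv(atv, 0)
            str_tag, raw, _ = _read_tlv(atv, q)
            if oid_tag != 0x06:
                raise ValueError("AttributeType must be an OBJECT IDENTIFIER")
            # 0x0c UTF8String; 0x13 PrintableString and 0x16 IA5String are ASCII subsets
            if str_tag not in (0x0C, 0x13, 0x16):
                raise ValueError(f"unsupported string tag 0x{str_tag:02x}")
            dotted = _decode_oid(oid)
            rdns.append((ATTR_TYPE_NAMES.get(dotted, dotted), raw.decode("utf-8")))
    return rdns


def decode_entry(issuer_b64, serial_b64):
    """Render one entry as a readable DN string and an upper-case hex serial."""
    issuer = parse_name(base64.b64decode(issuer_b64))
    serial = base64.b64decode(serial_b64)
    return {
        "issuer": ",".join(f"{t}={v}" for t, v in issuer),
        "serial_hex": serial.hex().upper(),
    }


def entry_key(issuer_b64, serial_b64):
    """The raw (issuer DER, serial bytes) pair a client would compare against."""
    return base64.b64decode(issuer_b64), base64.b64decode(serial_b64)


def build_blocklist(entries):
    """Set of (issuer DER, serial bytes) keys; lookups are exact byte comparisons."""
    return {entry_key(i, s) for i, s in entries}


def is_blocked(issuer_der, serial, blocklist):
    """True if a certificate with this encoded issuer and serial is on the list."""
    return (issuer_der, serial) in blocklist


if __name__ == "__main__":
    for issuer_b64, serial_b64 in ONECRL_ENTRIES:
        e = decode_entry(issuer_b64, serial_b64)
        print(f"{e['serial_hex']}  {e['issuer']}")
```

Running the script prints one line per entry; the first decodes to the USERTRUST "UTN-USERFirst-Client Authentication and Email" issuer with serial 0FFC19EFE9B532FF1238D48415CB3BDF, and the OpenFinanceNetwork.cer entry to the "AAA Certificate Services" issuer, whose attribute values are UTF8Strings rather than PrintableStrings. Two entries here share an issuer and differ only in serial, which is why the lookup key has to be the pair.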
(Reporter)

Comment 2

3 years ago
Today we have revoked (via CRL and OCSP) all 3 of the cross-certificates that we'd issued to WoSign:

https://crt.sh/?id=3223853
https://crt.sh/?id=12716343
https://crt.sh/?id=12716433

I think the combination of other measures previously taken (the removal of the "UTN - DATACorp SGC" root certificate, the revocation/blacklisting of the cross-certificates issued to "UTN - DATACorp SGC", and the technical constraints in these 3 cross-certificates issued to WoSign) should mean that these 3 cross-certificates are already not trusted by Mozilla users.

That said, if you want to actively distrust these 3 cross-certificates explicitly, please feel free to add them to OneCRL.
(Assignee)

Comment 3

3 years ago
> ASJCA-Client.cer
> issuer is: MIGuMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTE2MDQGA1UEAxMtVVROLVVTRVJGaXJzdC1DbGllbnQgQXV0aGVudGljYXRpb24gYW5kIEVtYWls
> serial is: D/wZ7+m1Mv8SONSEFcs73w==

Added to OneCRL

> ASJCA-Object.cer
> issuer is: MIGVMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTEdMBsGA1UEAxMUVVROLVVTRVJGaXJzdC1PYmplY3Q=
> serial is: Jq6jgeApiT9O4W2Tx/NTRQ==

Added to OneCRL

> ASJCA-Server.cer
> issuer is: MIGXMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTEfMB0GA1UEAxMWVVROLVVTRVJGaXJzdC1IYXJkd2FyZQ==
> serial is: Xrr31RF0DoIzMKXS6XtD+g==

Added to OneCRL

> OpenFinanceNetwork.cer
> issuer is: MHsxCzAJBgNVBAYTAkdCMRswGQYDVQQIDBJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcMB1NhbGZvcmQxGjAYBgNVBAoMEUNvbW9kbyBDQSBMaW1pdGVkMSEwHwYDVQQDDBhBQUEgQ2VydGlmaWNhdGUgU2VydmljZXM=
> serial is: cgJbSXABDe/emSiQ04zz1g==

Expired. Won't be added to OneCRL.

> OpenFinanceNetwork_2.cer
> issuer is: MIGuMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTE2MDQGA1UEAxMtVVROLVVTRVJGaXJzdC1DbGllbnQgQXV0aGVudGljYXRpb24gYW5kIEVtYWls
> serial is: BglSlOqo4fFtORoX1kWjiw==

Expired. Won't be added to OneCRL.

> ResellerFlyCertificateServices.cer
> issuer is: MIGXMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTEfMB0GA1UEAxMWVVROLVVTRVJGaXJzdC1IYXJkd2FyZQ==
> serial is: EEpERSryZFMagbsNw/WoWQ==

Added to OneCRL.
(Assignee)

Comment 4

3 years ago
(In reply to Rob Stradling from comment #2)
> https://crt.sh/?id=3223853
Added to OneCRL

> https://crt.sh/?id=12716343
In CA Community in Salesforce as "Ready to Add" to OneCRL.

> https://crt.sh/?id=12716433
In CA Community in Salesforce as "Ready to Add" to OneCRL.
(Assignee)

Comment 5

2 years ago
(In reply to Kathleen Wilson from comment #4)
> > https://crt.sh/?id=12716343
> In CA Community in Salesforce as "Ready to Add" to OneCRL.
> 
> > https://crt.sh/?id=12716433
> In CA Community in Salesforce as "Ready to Add" to OneCRL.

These have been added to OneCRL.
(Assignee)

Comment 6

2 years ago
To my knowledge, all of the non-expired, non-technically-constrained revoked intermediate certs listed in this bug have been added to OneCRL.

All future revocations of intermediate certs should be reported as described here:
https://wiki.mozilla.org/CA:SalesforceCommunity#Add_Revoked_Intermediate_Certificate_Data_to_Salesforce

Thanks!
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED