Closed
Bug 906611
Opened 10 years ago
Closed 7 years ago
ImprovingRevocation: Intermediate CA Certificates previously revoked by COMODO
Categories
(NSS :: CA Certificates Code, task)
NSS
CA Certificates Code
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: rob, Assigned: kwilson)
References
Details
Attachments
(1 file)
7.32 KB,
application/zip
Kathleen, as requested by your recent CA Communication (sent July 31st 2013), attached to this bug are all of the Intermediate CA Certificates that COMODO has previously revoked. The Private Keys for all 6 of these Intermediates are controlled exclusively by COMODO. All certificates chaining up to these Intermediates expired before May 2012. I can't decide if "superseded" or "cessationOfOperation" would be the most appropriate CRL reasonCode for each of these 6 Intermediates. We don't believe that these Intermediates pose any risk to Mozilla's users, and so we don't think it would be necessary to add them to your "revocation list push mechanism". But if you want to add them anyway, that's fine.
Updated•9 years ago
Comment 1•9 years ago
In case we do decide to add these:

ASJCA-Client.cer
issuer is: MIGuMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTE2MDQGA1UEAxMtVVROLVVTRVJGaXJzdC1DbGllbnQgQXV0aGVudGljYXRpb24gYW5kIEVtYWls
serial is: D/wZ7+m1Mv8SONSEFcs73w==

ASJCA-Object.cer
issuer is: MIGVMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTEdMBsGA1UEAxMUVVROLVVTRVJGaXJzdC1PYmplY3Q=
serial is: Jq6jgeApiT9O4W2Tx/NTRQ==

ASJCA-Server.cer
issuer is: MIGXMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTEfMB0GA1UEAxMWVVROLVVTRVJGaXJzdC1IYXJkd2FyZQ==
serial is: Xrr31RF0DoIzMKXS6XtD+g==

OpenFinanceNetwork.cer
issuer is: MHsxCzAJBgNVBAYTAkdCMRswGQYDVQQIDBJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcMB1NhbGZvcmQxGjAYBgNVBAoMEUNvbW9kbyBDQSBMaW1pdGVkMSEwHwYDVQQDDBhBQUEgQ2VydGlmaWNhdGUgU2VydmljZXM=
serial is: cgJbSXABDe/emSiQ04zz1g==

OpenFinanceNetwork_2.cer
issuer is: MIGuMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTE2MDQGA1UEAxMtVVROLVVTRVJGaXJzdC1DbGllbnQgQXV0aGVudGljYXRpb24gYW5kIEVtYWls
serial is: BglSlOqo4fFtORoX1kWjiw==

ResellerFlyCertificateServices.cer
issuer is: MIGXMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTEfMB0GA1UEAxMWVVROLVVTRVJGaXJzdC1IYXJkd2FyZQ==
serial is: EEpERSryZFMagbsNw/WoWQ==
Reporter
Comment 2•7 years ago
Today we have revoked (via CRL and OCSP) all 3 of the cross-certificates that we'd issued to WoSign:
https://crt.sh/?id=3223853
https://crt.sh/?id=12716343
https://crt.sh/?id=12716433

I think the combination of other measures previously taken (the removal of the "UTN - DATACorp SGC" root certificate, the revocation/blacklisting of the cross-certificates issued to "UTN - DATACorp SGC", and the technical constraints in these 3 cross-certificates issued to WoSign) should mean that these 3 cross-certificates are already not trusted by Mozilla users. That said, if you want to actively distrust these 3 cross-certificates explicitly, please feel free to add them to OneCRL.
Assignee
Comment 3•7 years ago
> ASJCA-Client.cer
> issuer is: MIGuMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTE2MDQGA1UEAxMtVVROLVVTRVJGaXJzdC1DbGllbnQgQXV0aGVudGljYXRpb24gYW5kIEVtYWls
> serial is: D/wZ7+m1Mv8SONSEFcs73w==

Added to OneCRL

> ASJCA-Object.cer
> issuer is: MIGVMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTEdMBsGA1UEAxMUVVROLVVTRVJGaXJzdC1PYmplY3Q=
> serial is: Jq6jgeApiT9O4W2Tx/NTRQ==

Added to OneCRL

> ASJCA-Server.cer
> issuer is: MIGXMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTEfMB0GA1UEAxMWVVROLVVTRVJGaXJzdC1IYXJkd2FyZQ==
> serial is: Xrr31RF0DoIzMKXS6XtD+g==

Added to OneCRL

> OpenFinanceNetwork.cer
> issuer is: MHsxCzAJBgNVBAYTAkdCMRswGQYDVQQIDBJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcMB1NhbGZvcmQxGjAYBgNVBAoMEUNvbW9kbyBDQSBMaW1pdGVkMSEwHwYDVQQDDBhBQUEgQ2VydGlmaWNhdGUgU2VydmljZXM=
> serial is: cgJbSXABDe/emSiQ04zz1g==

Expired. Won't be added to OneCRL

> OpenFinanceNetwork_2.cer
> issuer is: MIGuMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTE2MDQGA1UEAxMtVVROLVVTRVJGaXJzdC1DbGllbnQgQXV0aGVudGljYXRpb24gYW5kIEVtYWls
> serial is: BglSlOqo4fFtORoX1kWjiw==

Expired. Won't be added to OneCRL.

> ResellerFlyCertificateServices.cer
> issuer is: MIGXMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTEfMB0GA1UEAxMWVVROLVVTRVJGaXJzdC1IYXJkd2FyZQ==
> serial is: EEpERSryZFMagbsNw/WoWQ==

Added to OneCRL.
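The issuer/serial pairs in comment 1 and comment 3 are the base64 DER issuer Name and serial number that a OneCRL-style entry is keyed on. As an added example (not code from this bug, from COMODO or from Mozilla), the following Python decodes two of those pairs into a readable DN and hex serial so a reviewer can check an entry against the certificate it is meant to cover. The `ENTRIES` table, the helper names and the minimal DER parser are assumptions of this example; the base64 values are copied from comment 1.

```python
import base64

# OneCRL-style identification of a revoked intermediate: base64 DER issuer Name
# plus base64 serial number. Both values below are copied from comment 1.
ENTRIES = {
    "ASJCA-Client.cer": (
        "MIGuMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTE2MDQGA1UEAxMtVVROLVVTRVJGaXJzdC1DbGllbnQgQXV0aGVudGljYXRpb24gYW5kIEVtYWls",
        "D/wZ7+m1Mv8SONSEFcs73w==",
    ),
    "OpenFinanceNetwork.cer": (
        "MHsxCzAJBgNVBAYTAkdCMRswGQYDVQQIDBJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcMB1NhbGZvcmQxGjAYBgNVBAoMEUNvbW9kbyBDQSBMaW1pdGVkMSEwHwYDVQQDDBhBQUEgQ2VydGlmaWNhdGUgU2VydmljZXM=",
        "cgJbSXABDe/emSiQ04zz1g==",
    ),
}

# X.520 attribute types (raw DER OID bodies) that occur in these issuer names.
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L",
             b"\x55\x04\x08": "ST", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}

def _tlv(buf, pos):
    # Parse one DER tag-length-value at pos; return (tag, value, next_pos).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length (e.g. 0x81 0xAE)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_issuer(b64_name):
    # Name ::= SEQUENCE OF RDN; RDN ::= SET OF SEQUENCE { OID, value }
    tag, name, _ = _tlv(base64.b64decode(b64_name), 0)
    if tag != 0x30:
        raise ValueError("issuer is not a DER SEQUENCE")
    rdns, pos = [], 0
    while pos < len(name):
        _, rdn, pos = _tlv(name, pos)
        _, atv, _ = _tlv(rdn, 0)            # single-valued RDNs only
        _, oid, p = _tlv(atv, 0)
        _, val, _ = _tlv(atv, p)            # PrintableString or UTF8String
        rdns.append((OID_NAMES.get(oid, oid.hex()), val.decode("utf-8")))
    return rdns

def serial_hex(b64_serial):
    # Serial as big-endian hex, the form most CRL/OCSP tooling prints.
    return base64.b64decode(b64_serial).hex()

def describe(entries=ENTRIES):
    # Map file name -> (readable issuer DN, serial hex) for human review.
    return {fn: (", ".join(f"{k}={v}" for k, v in decode_issuer(issuer)),
                 serial_hex(serial)) for fn, (issuer, serial) in entries.items()}
```

The decoded issuer of ASJCA-Client.cer is the UTN-USERFirst-Client Authentication and Email CA, which is how one confirms the entry really targets the intermediate named in the attachment rather than an unrelated certificate with a similar file name.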
Assignee
Comment 4•7 years ago
(In reply to Rob Stradling from comment #2)
> https://crt.sh/?id=3223853

Added to OneCRL

> https://crt.sh/?id=12716343

In CA Community in Salesforce as "Ready to Add" to OneCRL.

> https://crt.sh/?id=12716433

In CA Community in Salesforce as "Ready to Add" to OneCRL.
Assignee
Comment 5•7 years ago
(In reply to Kathleen Wilson from comment #4)
> > https://crt.sh/?id=12716343
> In CA Community in Salesforce as "Ready to Add" to OneCRL.
>
> > https://crt.sh/?id=12716433
> In CA Community in Salesforce as "Ready to Add" to OneCRL.

These have been added to OneCRL.
Assignee
Comment 6•7 years ago
To my knowledge, all of the non-expired, non-technically-constrained revoked intermediate certs listed in this bug have been added to OneCRL. All future revocations of intermediate certs should be reported as described here: https://wiki.mozilla.org/CA:SalesforceCommunity#Add_Revoked_Intermediate_Certificate_Data_to_Salesforce Thanks!
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED