[cabfpub] Incident report: Internal names in certs expiring after 1st November 2015

Erwann Abalea erwann.abalea at opentrust.com
Wed Nov 11 23:01:53 UTC 2015


Good evening,

Thanks for this work.

> On 11 Nov 2015 at 21:52, Rob Stradling <rob.stradling at comodo.com> wrote:
> 
> On 09/11/15 09:12, Rob Stradling wrote:
> <snip>
>> OTHER CAs:
>> We widened our investigation to look for certificates with notBefore >=
>> 2nd November 2014 that chain to publicly trusted roots and include any
>> Internal Names or Reserved IP Addresses.  We found non-compliant
>> certificates issued by quite a number of other CAs, but I'll document
>> these in another post.
> 
> We've listed those "non-compliant certificates issued by quite a number 
> of other CAs" in this spreadsheet:
> 
> https://docs.google.com/spreadsheets/d/13J1gm_3FX-K-3wgC8OuN2znevW_VzWv21ya76BK5OrM/edit?usp=sharing
> 
> Notes:

[…]

>   - The BRs defer to 
> http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml for 
> the list of IPv4 address ranges "that the IANA has marked as reserved". 
>  That page lists the 172/8 range as "LEGACY" rather than "RESERVED", so 
> arguably 172.16.0.0 - 172.31.255.255 are _not_ Reserved IP Addresses 
> according to the BRs.  Since 
> https://en.wikipedia.org/wiki/Private_network says otherwise, I've 
> included that IPv4 address range in this report.

And you were right, because there’s a footnote in this ipv4-address-space.xml table saying that 172.16.0.0/12 is reserved.
The situation of 192/8 is similar albeit more complicated.

The footnotes section is interesting for people like me who don’t read all the network related RFCs.


Regards,
Erwann Abalea
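The check discussed in this thread, which certificate SAN entries are Internal Names or Reserved IP Addresses, as an added example that is not part of the original message or of Comodo's investigation. The list of reserved IPv4 blocks is my own assumption for the example (the RFC 1918 private blocks plus other special-purpose blocks from the IANA special-purpose address registry), and it deliberately includes 172.16.0.0/12 even though the top-level IANA table labels 172/8 "LEGACY", which is the point Rob and Erwann discuss above; the Internal Name test is a simplified one (unqualified single-label hostnames only) rather than the BRs' full definition.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed list of address blocks that are reserved or not globally
# routable. This is an assumption for the example, not the BRs' definition:
# RFC 1918 private space, loopback, link-local, documentation ranges, etc.
# Note that 172.16.0.0/12 is listed explicitly: the IANA ipv4-address-space
# table marks all of 172/8 as LEGACY, and only its footnote says the /12 is
# reserved, which is why a naive reading of that table misses it.
RESERVED_BLOCKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918 private
    "100.64.0.0/10",    # shared address space (CGNAT)
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918 private (footnote under 172/8 "LEGACY")
    "192.0.0.0/24",     # IETF protocol assignments
    "192.0.2.0/24",     # documentation (TEST-NET-1)
    "192.168.0.0/16",   # RFC 1918 private
    "198.18.0.0/15",    # benchmarking
    "198.51.100.0/24",  # documentation (TEST-NET-2)
    "203.0.113.0/24",   # documentation (TEST-NET-3)
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved for future use
    "::1/128",          # IPv6 loopback
    "fc00::/7",         # IPv6 unique local addresses
    "fe80::/10",        # IPv6 link-local
)]


def reserved_block(addr: str) -> Optional[str]:
    """Return the reserved block containing addr, or None if it is public."""
    ip = ipaddress.ip_address(addr)
    for net in RESERVED_BLOCKS:
        if ip in net:  # version mismatch simply yields False
            return str(net)
    return None


def is_ip_literal(san: str) -> bool:
    """True if the SAN entry parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(san)
        return True
    except ValueError:
        return False


def is_internal_name(san: str) -> bool:
    """Simplified Internal Name test (assumption): an unqualified,
    single-label hostname such as 'intranet' or 'localhost'."""
    return "." not in san.strip(".")


def audit_sans(sans: List[str]) -> Dict[str, str]:
    """Map each non-compliant SAN entry to the reason it was flagged.

    Entries that are public DNS names or globally routable IPs are omitted,
    so an empty result means the SAN list passed this check.
    """
    findings: Dict[str, str] = {}
    for san in sans:
        if is_ip_literal(san):
            block = reserved_block(san)
            if block is not None:
                findings[san] = "reserved IP address in " + block
        elif is_internal_name(san):
            findings[san] = "internal name (unqualified hostname)"
    return findings


if __name__ == "__main__":
    # Constructed SAN list resembling the non-compliant certificates the
    # thread describes: one public name, one internal name, one RFC 1918 IP.
    sample = ["www.example.com", "intranet", "172.16.0.1", "192.1.1.1", "8.8.8.8"]
    for entry, reason in audit_sans(sample).items():
        print(f"{entry}: {reason}")
```

The 192/8 case Erwann calls "more complicated" shows up directly: 192.168.1.1 and 192.0.2.1 are flagged by different blocks, while 192.1.1.1 is treated as public. A CA pre-issuance linter would run a check like this over every SAN before signing, and the same function works for a retrospective sweep over already-issued certificates.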
