1934361 – ICP-Brasil: Mis-issued certificate
User Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Steps to reproduce:
https://crt.sh/?sha256=421329f0dc2f683d6e96c1b5b310974d0997ad984ef69120f55372b4f48e1037 is mis-issued.
google.com has a CAA RR which only allows pki.goog to issue certificates for this domain (I know, this is not a hard proof because this may have changed, but I am very confident it didn’t change)
$ dig +short google.com caa
0 issue "pki.goog"
The certificate also has other issues. Here is the output of zlint -longSummary:
+-------+---------------+-----------------------------------------------+
| LEVEL | # OCCURRENCES | DETAILS                                       |
+-------+---------------+-----------------------------------------------+
| info  | 0             | -                                             |
| warn  | 3             | w_ext_san_critical_with_subject_dn            |
|       |               | w_ext_subject_key_identifier_missing_sub_cert |
|       |               | w_subject_common_name_included                |
| error | 3             | e_rsa_allowed_ku_ee                           |
|       |               | e_sub_cert_basic_constraints_not_critical     |
|       |               | e_invalid_subject_rdn_order                   |
| fatal | 0             | -                                             |
+-------+---------------+-----------------------------------------------+
I don’t think ICP-Brasil is publicly trusted. I found inclusion requests, e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=1674669 or https://bugzilla.mozilla.org/show_bug.cgi?id=438825 or https://bugzilla.mozilla.org/show_bug.cgi?id=1677631.
I would like to add this mis-issuance to the list of events to consider when including (or not) ICP-Brasil in the Mozilla root store.
Actual results:
The certificate is mis-issued.
Expected results:
The certificate should not have been issued.
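Added example, not part of the report: a minimal evaluator of the CAA rule the report relies on (RFC 8659, relevant-RRset climb plus issue/issuewild matching), run over constructed offline records. The google.com entry mirrors the dig output quoted above; the other zones and all issuer domain names are hypothetical, and CNAME/DNAME chasing and DNSSEC are left out.

```python
# Added example (not from the bug report): a minimal RFC 8659 CAA evaluator over
# constructed, offline records. Simplification: no CNAME/DNAME chasing, no DNSSEC.
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int  # bit 7 (128) = issuer-critical flag
    tag: str
    value: str


RECOGNISED_TAGS = {"issue", "issuewild", "iodef"}

# Constructed data: google.com mirrors `dig +short google.com caa` as quoted in the
# report; the other zones and issuer names are hypothetical.
CONSTRUCTED_CAA = {
    "google.com.": [CAA(0, "issue", "pki.goog")],
    "example.org.": [CAA(0, "issue", "ca-a.example; account=42"), CAA(0, "issuewild", ";")],
    "strict.example.": [CAA(128, "futuretag", "x")],
}


def ancestors(fqdn):
    """Yield fqdn, then each parent, as absolute names (a.b.c -> a.b.c., b.c., c.)."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."


def relevant_caa_set(fqdn, records=CONSTRUCTED_CAA):
    """RFC 8659 section 3: the CAA RRset of the closest ancestor-or-self that has one."""
    for name in ancestors(fqdn):
        if records.get(name):
            return name, list(records[name])
    return None, []


def issuer_domain(value):
    """Drop RFC 8659 parameters ('ca.example; account=42' -> 'ca.example')."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(fqdn, issuer, wildcard=False, records=CONSTRUCTED_CAA):
    """Return True if `issuer` may issue for fqdn under the relevant CAA RRset."""
    _, rrset = relevant_caa_set(fqdn, records)
    if not rrset:
        return True  # no CAA anywhere in the hierarchy: issuance is not restricted
    # An unrecognised property tag with the critical flag set forbids issuance.
    if any(r.flags & 128 and r.tag.lower() not in RECOGNISED_TAGS for r in rrset):
        return False
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"  # issuewild overrides issue only for wildcard names
    applicable = [r for r in rrset if r.tag.lower() == tag]
    if not applicable:
        return True  # no issue/issuewild property present: not restricted
    return any(issuer_domain(r.value) == issuer.lower() for r in applicable)
```

With the quoted google.com record, caa_permits("google.com", "pki.goog") is True and any other issuer domain is refused, which is the check the report says should have blocked this certificate.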