JamesTheAwesomeDude / cerdicator

Enhanced TLS indicator with an emphasis on information about the Root Certificate Authority from which the connection's authenticity is derived
https://addons.mozilla.org/en-US/firefox/addon/cerdicator/

New USG CA #20

Closed JamesTheAwesomeDude closed 2 years ago

JamesTheAwesomeDude commented 3 years ago

DoD Root CA 3

B1:07:B3:3F:45:3E:55:10:F6:8E:51:31:10:C6:F6:94:4B:AC:C2:63:DF:01:37:F8:21:C1:B3:C2:F8:F8:63:D2

This one, bizarrely (and, seemingly, uniquely among the DoD root certs), does not have any cross-signature path grounding it to the Federal Common Policy CA.

Though it shares a Subject, as well as the actual public key itself, with this certificate (which has been cross-signed, though it expires much sooner).

Subject:
    commonName                = DoD Root CA 3
    organizationalUnitName    = PKI
    organizationalUnitName    = DoD
    organizationName          = U.S. Government
    countryName               = US
Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
        RSA Public-Key: (2048 bit)
        Modulus:
            00:a9:ec:14:72:8a:e8:4b:70:a3:da:10:03:84:a6:
            fb:a7:36:0d:2a:3a:52:16:bf:30:15:52:86:05:47:
            20:cf:aa:a6:cd:75:c4:64:6e:ef:f1:60:23:cb:0a:
            66:40:ae:b4:c8:68:2a:00:51:68:49:37:e9:59:32:
            4d:95:bc:43:27:e9:40:8d:3a:10:ce:14:bc:43:18:
            a1:f9:de:cc:e7:85:76:73:5e:18:1a:23:5b:bd:3f:
            1f:f2:ed:8d:19:cc:03:d1:40:a4:8f:a7:20:02:4c:
            27:5a:79:36:f6:a3:37:21:8e:00:5a:06:16:ca:d3:
            55:96:6f:31:29:bb:72:0e:cb:e2:48:51:f2:d4:37:
            a4:35:d6:6f:ee:17:b3:b1:06:ab:0b:19:86:e8:23:
            6d:31:1b:28:78:65:c5:de:62:52:bc:c1:7d:eb:ee:
            a0:5d:54:04:fb:b2:cb:2b:b2:23:54:91:82:4c:f0:
            bf:ba:74:40:3b:0c:04:45:80:67:5c:c5:eb:a2:57:
            c3:1a:7f:0a:2d:bd:7f:b9:dc:c1:99:b0:c8:07:e4:
            0c:86:36:94:3a:25:2f:f2:7d:e6:97:3c:1b:94:b4:
            97:59:06:c9:3a:e4:0b:d9:ea:e9:fc:3b:73:34:6f:
            fd:e7:98:e4:f3:a1:c2:90:5f:1c:f5:3f:2e:d7:19:
            d3:7f
        Exponent: 65537 (0x10001)

My guess is they just screwed something up during the renewal process, and whatever they did changed the fingerprint. [idle-interest-TODO: what did change?]
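
To make the "same Subject, same key, different fingerprint" situation from this comment concrete, here is an added example (not code from cerdicator or from the issue). It assumes only the openssl CLI is available; the key and subject are constructed for the demonstration and are not the DoD values. It builds two self-signed roots from one key and compares the SHA-256 fingerprint, which hashes the whole DER certificate, against the SPKI hash, which covers only the SubjectPublicKeyInfo.

```shell
#!/bin/sh
# Added example, not part of cerdicator or the issue. Two certificates that
# share a Subject and public key still get different fingerprints, because the
# fingerprint hashes the entire DER certificate (serial, validity, extensions,
# signature), while the SPKI hash identifies the key alone.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample subject; only the shape mirrors the DoD root, not the values.
SUBJ="/C=US/O=Example Government/OU=Example/OU=PKI/CN=Example Root CA"

# One RSA key, reused for two self-signed roots that differ only in serial and
# validity, which is what a re-issued root with an unchanged key looks like.
openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null
openssl req -x509 -new -key "$WORK/key.pem" -subj "$SUBJ" -days 365 \
  -set_serial 1 -out "$WORK/root_old.pem" 2>/dev/null
openssl req -x509 -new -key "$WORK/key.pem" -subj "$SUBJ" -days 3650 \
  -set_serial 2 -out "$WORK/root_new.pem" 2>/dev/null

# SHA-256 fingerprint: hash over the whole DER-encoded certificate.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SPKI hash: hash over the SubjectPublicKeyInfo only, i.e. the key identity.
spki_hash() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

cert_subject() { openssl x509 -in "$1" -noout -subject; }

# True when two files are different certificates carrying the same key and
# Subject: the "renewed root" case described in the issue.
reissued_same_key() {
  [ "$(cert_subject "$1")" = "$(cert_subject "$2")" ] &&
  [ "$(spki_hash "$1")" = "$(spki_hash "$2")" ] &&
  [ "$(cert_fingerprint "$1")" != "$(cert_fingerprint "$2")" ]
}

if reissued_same_key "$WORK/root_old.pem" "$WORK/root_new.pem"; then
  echo "same key and subject, different fingerprint:"
  echo "  old: $(cert_fingerprint "$WORK/root_old.pem")"
  echo "  new: $(cert_fingerprint "$WORK/root_new.pem")"
fi
```

Comparing SPKI hashes rather than fingerprints is the check that tells a re-issued root apart from a genuinely different CA.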

JamesTheAwesomeDude commented 2 years ago

According to Censys, this CA actually does have validation paths back to the Federal Common Policy CA — what is unique is that Mozilla doesn't recognize these (of course, this is only a consequence of Mozilla's not recognizing the Federal Common Policy CA anyway)

Closing this since the key actually is under the federal common policy CA in the trust tree; no need to add it separately