[SSL Observatory] Duplicate private keys

Peter Eckersley pde at eff.org
Mon Apr 4 22:52:32 PDT 2011


On Tue, Apr 05, 2011 at 05:44:30PM +1200, Peter Gutmann wrote:
> Peter Eckersley <pde at eff.org> writes:
> 
> >These are all DSA I think.  The number has grown to 25 in the December
> >dataset:
> 
> Wow, a whole 25 certs out of how many million?  That's almost as many as the
> number of ones using the CA's CEO's shoe size as the exponent, and is rapidly
> approaching the number using the IT director's license-plate number as the
> exponent.
> 
> Is there any pattern there?  Are they all used by the same organisation, or
> issued by the same CA?

Nope.

select distinct Issuer from vcerts where `Subject Public Key Info:RSA Public Key:Exponent` is null;
+---------------------------------------------------------------------------------------------------------------------------------------+
| Issuer                                                                                                                                |
+---------------------------------------------------------------------------------------------------------------------------------------+
|  C=US, O=Equifax, OU=Equifax Secure Certificate Authority                                                                             |
|  O=Deutsche Post World Net, OU=I2 PS, CN=DPWN SSL CA I2 PS                                                                            |
|  C=US, O=SecureTrust Corporation, CN=SecureTrust CA                                                                                   |
|  C=BE, O=Cybertrust, OU=Educational CA, CN=Cybertrust Educational CA                                                                  |
|  DC=com, DC=microsoft, DC=corp, DC=redmond, CN=Microsoft Secure Server Authority                                                      |
|  C=TW, O=TAIWAN-CA.COM Inc., OU=Certification Service Provider, CN=TaiCA Secure CA                                                    |
|  C=DE, O=TC TrustCenter GmbH, OU=TC TrustCenter Class 3 L1 CA, CN=TC TrustCenter Class 3 L1 CA V                                      |
|  C=DE, O=TC TrustCenter GmbH, OU=TC TrustCenter SSL CA, CN=TC TrustCenter SSL CA I                                                    |
|  C=ES, ST=MADRID, L=MADRID, O=ips Certification Authority, OU=Certificaciones, CN=ipsCA Level 1 CA/emailAddress=ipscalevel1 at ipsca.com |
|  C=US, O=Accenture, OU=Security, CN=Accenture Application Server CA                                                                   |
+---------------------------------------------------------------------------------------------------------------------------------------+

But you were right about Microsoft :)


-- 
Peter Eckersley                            pde at eff.org
Senior Staff Technologist         Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993


