This is just an irregularity I noticed when investigating censys: there are 
897.9 million RSA certificates that are valid and chain to the Mozilla root 
store at the time of writing. Of those 897.9 million there are twenty (20) 
where the exponent isn't the standard 65537.

Baseline Requirements only care that it's greater than 3 and not odd, and 
all of these are above 65537 but I think it's worth documenting the 
outliers given they are few and far between.

So in increasing order of exponent:

65541:
60879c596929cf95839401d0a4f317ac502e28f469185e74d824cc4a90fb4255 [Go Daddy]
61f5ddd00d51fd2140fbf7f6c6038d26fc29a4e881d738da4b2148fc66ee39ab [GlobalSign]
a6d591fd761f27edf00ac4ae4c8d300633aa77389e60c96310f3f66aa31e57e3 [Go Daddy]
c2584bf11b4b0fd388c43b42c6f70a8c4e5bd9dce278a352204584e872c3f402 [GlobalSign]
cf03a551bed54947058e303737f28db3ca69c808460d34164c7b88d63c01fd27 [GlobalSign]

65567:
8156694b84bcc61224dbf474d02f75108fdb5b2a903f934537d222fbe7eb10ea [Entrust] (Chaining to Sectigo)

65577:
48fc4d840c3ae97604662fe25007fd26d266a2dc21ff1a05ee9517ea99032ec7 [GlobalSign]
77eb5bc9fb32d3003d83de60d422fc3dcd237280a90cd98d1f7843dd00ba1390 [GlobalSign]
909c52586a38171def0bb73afc74f893e5b1d9911784bfcc5a995b5c0481f2b8 [GlobalSign]
d35cbf6be776c79fe5132b38d849fecdf93a5c7cb57fabbbe349af1e68d0b2df [GlobalSign]
ffd25743609cc72fdcbc2e57a5d6a8c3f6049fa09e839420d65b88d6f87bc370 [GlobalSign]

90649:
f91606d1bc52c610136caa856ab500c48c3b993bac4808cd82bc4b78abf24156 [NetLock] - Intermediate

91983:
7ecaca4a3585a3b40e25574415512d56b57999b753017856f2ab15fa1f21f6d0 [NetLock] - Intermediate

129515:
047795785cdcff9e6e0ae122492e5b7bf08a9e5c49762e2bcb52747c69031561 [NetLock] - Intermediate

133257:
46a094e6b5b2698efd86a4862fc1425dbf5694c5fe5cc6d63c783d1afff34846 [Go Daddy]
4e02a4a9e78eea53a70a59b580f06c170ccd3fc96615da11cbb88caf203fc7ae [Go Daddy]

262147:
3af4339d08ec8ef90d9d57b2b68f53bc78108f45c2791548d83d6810a699d22b [ZeroSSL]
92d01842fb6275890ef74aad742990efd76aba0604203b327f3270e805b6f356 [ZeroSSL]
b2fd1f34d6d5f3b0f3d8caab7fc4ac43cd1543b6a03d7cb4b22c41053d4773c8 [ZeroSSL]

1073741953:
69491b6c5039feb54ba8722e6b4502bb8ace12a11aa236fa622a75427eecf06d [Deutsche Telekom]

Censys Query: (cert.labels="trusted" and cert.validation.nss.has_trusted_path="true" and not cert.labels="revoked" and cert.parsed.extensions.extended_key_usage.server_auth="true") and not cert.parsed.subject_key_info.rsa.exponent="65537" and cert.parsed.subject_key_info.key_algorithm.name="RSA"

For those wondering, outside of the Mozilla ecosystem the worst is a Cisco 
Intermediate with an exponent of 3: 
c74d4b4a14519dd065191d96845e8d4ec851436bc559c4a45e24ca5c7c01fcd3

Then it's a jump to 36131/39639 for some Kazakhstan banks that Visa gave 
certs to this February but that are only valid in the Microsoft chain.

- Wayne
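The post's survey boils down to one check per certificate: read the RSA public exponent out of the SubjectPublicKeyInfo and flag anything that is not 65537. The script below is an added example, not code from the post or from Censys: it walks the DER of an SPKI with a minimal parser (standard library only), extracts publicExponent, sorts the non-65537 keys by exponent as the post does, and additionally applies the Baseline Requirements section 6.1.6 rules (the exponent MUST be odd and at least 3, and SHOULD lie between 2^16+1 and 2^256-1). The sample keys are constructed around a fake modulus with the exponents quoted in the post; they are not real certificates, and the `make_rsa_spki` helper exists only to build that sample input.

```python
# Added example (not code from the original post or from Censys): pull the
# public exponent out of a DER SubjectPublicKeyInfo with a minimal DER walk and
# classify it the way the post does (65537 vs. outlier), plus the Baseline
# Requirements 6.1.6 checks (MUST be odd and >= 3; SHOULD lie in 2^16+1..2^256-1).
# Pure standard library; the sample keys below are constructed, not real keys.
from typing import Dict, List, Tuple

STANDARD_EXPONENT = 65537
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_exponent_from_spki(spki: bytes) -> int:
    """Return publicExponent from a DER SubjectPublicKeyInfo holding an RSA key.

    SubjectPublicKeyInfo ::= SEQUENCE { algorithm AlgorithmIdentifier,
                                        subjectPublicKey BIT STRING }
    RSAPublicKey         ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    """
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SPKI is not a SEQUENCE")
    tag, alg, pos = _read_tlv(body, 0)
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _read_tlv(body, pos)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    tag, rsa_body, _ = _read_tlv(bitstr[1:], 0)  # skip the unused-bits octet
    if tag != 0x30:
        raise ValueError("RSAPublicKey is not a SEQUENCE")
    _, _modulus, pos = _read_tlv(rsa_body, 0)
    tag, e_bytes, _ = _read_tlv(rsa_body, pos)
    if tag != 0x02:
        raise ValueError("publicExponent is not an INTEGER")
    return int.from_bytes(e_bytes, "big")


def classify_exponent(e: int) -> Dict[str, object]:
    """Classify an RSA public exponent against the post's baseline and BR 6.1.6."""
    return {
        "exponent": e,
        "standard": e == STANDARD_EXPONENT,
        "br_must": e >= 3 and e % 2 == 1,                   # BR 6.1.6 MUST
        "br_should": (1 << 16) + 1 <= e <= (1 << 256) - 1,  # BR 6.1.6 SHOULD
    }


# --- DER encoder used only to construct sample input -------------------------
def _der(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _der_int(i: int) -> bytes:
    b = i.to_bytes(max(1, (i.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:  # keep the INTEGER positive
        b = b"\x00" + b
    return _der(0x02, b)


def make_rsa_spki(n: int, e: int) -> bytes:
    """Build a DER SubjectPublicKeyInfo around (n, e); used only for constructed samples."""
    rsa_pub = _der(0x30, _der_int(n) + _der_int(e))
    alg = _der(0x30, _der(0x06, RSA_OID) + b"\x05\x00")  # rsaEncryption, NULL params
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))


# Constructed modulus (2048-bit, odd, NOT a real key); exponents taken from the post.
SAMPLE_N = (1 << 2047) + 0x2D5
SAMPLES: Dict[str, bytes] = {
    "e65537": make_rsa_spki(SAMPLE_N, 65537),
    "e65541": make_rsa_spki(SAMPLE_N, 65541),
    "e3": make_rsa_spki(SAMPLE_N, 3),
    "e1073741953": make_rsa_spki(SAMPLE_N, 1073741953),
}


def find_outliers(samples: Dict[str, bytes]) -> List[Tuple[str, int]]:
    """(label, e) for every key whose exponent is not 65537, in increasing e like the post."""
    seen = [(label, rsa_exponent_from_spki(spki)) for label, spki in samples.items()]
    return sorted(((l, e) for l, e in seen if e != STANDARD_EXPONENT), key=lambda t: t[1])


if __name__ == "__main__":
    for label, e in find_outliers(SAMPLES):
        print(label, classify_exponent(e))
```

On real data you would feed `rsa_exponent_from_spki` the SPKI bytes of each certificate's public key (for example what a certificate parser hands back as the DER-encoded public key) rather than the constructed samples; the OID check makes the function refuse non-RSA keys instead of misreading an EC point as an exponent. Note that the exponent-3 Cisco intermediate the post mentions passes the MUST clause of BR 6.1.6 but falls outside the SHOULD range, which is why it is worth flagging separately from the 65541-style outliers.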

To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/2191197d-5fa3-4de1-8131-2cdbb8789319n%40mozilla.org.
