TRACK-B — NASA JPL TLS Certificate Chain Misconfiguration
Track: B (cybersecurity / technical disclosure)
Domain separation: This artifact contains Track B material only. Track A regulatory matters are documented in their own folders. Do not mix.
Role classification: Forensic-observer (passive TLS chain inspection of a public endpoint; no exploitation, no auth bypass, no payload).
Status: Outbound disclosure to NASA SOC. No inbound agency reply on file as of this README's commit date — case remains outbound-only until/unless a SOC ticket or analyst response is received.
Case Summary (one paragraph, non-exploit)
On 2025-04-22, the reporter notified soc@nasa.gov of a TLS certificate-chain serving misconfiguration on the public host webhosting-external.jpl.nasa.gov. The host presented a server certificate issued by an Entrust intermediate, but the chain served alongside it terminated at an SSL.com root rather than the root that issued that intermediate. The served chain is therefore not continuous: the intermediate's issuer name does not match the subject of the root that follows it. Clients that build the path only from the presented certificates can fail validation, while clients that locate the missing issuer from their own trust store or by fetching it may still succeed, which is why this kind of defect is easy to miss. The report describes the observable chain only; no exploitation, no client-side bypass, no payload is included.
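The check behind this observation can be reproduced passively. The script below is an added example, not one of the case artifacts and not derived from any NASA/JPL configuration: it walks a chain in served order and, for each adjacent pair, requires that the child's issuer name equal the parent's subject name and that the parent's key verify the child's signature, then requires the last certificate to be self-signed. To run offline it builds a throwaway PKI with hypothetical names (Root A, Intermediate A1, an unrelated Root B) and assembles both a well-formed chain and one mis-assembled in the same way as the observation: a leaf and intermediate from one CA followed by a root from another. `load_pem_chain` accepts a PEM bundle such as one saved from `openssl s_client -connect host:443 -servername host -showcerts`.

```python
"""Chain-continuity check for a served TLS certificate chain (added example)."""
import re
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _make_cert(subject_cn, issuer_cn, subject_key, issuer_key, is_ca):
    """Issue a minimal certificate for subject_cn signed by issuer_key (demo PKI only)."""
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1))
        .not_valid_after(now + timedelta(days=30))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def _signed_by(child, parent):
    """True if parent's public key verifies child's signature.
    Covers RSA PKCS#1 v1.5 and ECDSA; RSA-PSS or other key types report False."""
    pub = parent.public_key()
    try:
        if isinstance(pub, rsa.RSAPublicKey):
            pub.verify(child.signature, child.tbs_certificate_bytes,
                       padding.PKCS1v15(), child.signature_hash_algorithm)
        elif isinstance(pub, ec.EllipticCurvePublicKey):
            pub.verify(child.signature, child.tbs_certificate_bytes,
                       ec.ECDSA(child.signature_hash_algorithm))
        else:
            return False
        return True
    except InvalidSignature:
        return False


def check_chain(chain):
    """Return findings for a chain in served order (leaf first); [] means continuous.
    Continuity says nothing about trust-store membership, dates or revocation,
    which a full path validator also checks."""
    if not chain:
        return ["empty chain"]
    findings = []
    for i in range(len(chain) - 1):
        child, parent = chain[i], chain[i + 1]
        if child.issuer != parent.subject:
            findings.append(
                f"link {i}: issuer '{child.issuer.rfc4514_string()}' does not match "
                f"next subject '{parent.subject.rfc4514_string()}'")
        elif not _signed_by(child, parent):
            findings.append(f"link {i}: names match but signature does not verify")
    last = chain[-1]
    if last.issuer != last.subject or not _signed_by(last, last):
        findings.append("chain does not terminate at a self-signed root")
    return findings


def load_pem_chain(pem_bytes):
    """Parse a PEM bundle (e.g. saved from openssl s_client -showcerts), keeping served order."""
    blocks = re.findall(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----",
                        pem_bytes, re.S)
    return [x509.load_pem_x509_certificate(b) for b in blocks]


def to_pem(chain):
    return b"".join(c.public_bytes(serialization.Encoding.PEM) for c in chain)


def build_demo_chains():
    """Constructed PKI with hypothetical names: Root A (RSA) -> Intermediate A1 -> leaf,
    plus an unrelated Root B. Returns (well-formed chain, mis-assembled chain)."""
    root_a_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    root_b_key = ec.generate_private_key(ec.SECP256R1())
    int_key = ec.generate_private_key(ec.SECP256R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    root_a = _make_cert("Example Root A", "Example Root A", root_a_key, root_a_key, True)
    root_b = _make_cert("Example Root B", "Example Root B", root_b_key, root_b_key, True)
    inter = _make_cert("Example Intermediate A1", "Example Root A", int_key, root_a_key, True)
    leaf = _make_cert("www.example.test", "Example Intermediate A1", leaf_key, int_key, False)
    good = [leaf, inter, root_a]
    bad = [leaf, inter, root_b]  # intermediate from one CA, root from another
    return good, bad


if __name__ == "__main__":
    good, bad = build_demo_chains()
    for label, chain in (("well-formed", good), ("mis-assembled", bad)):
        print(label, check_chain(load_pem_chain(to_pem(chain))) or "continuous")
```

The mis-assembled chain produces a single finding at link 1 (intermediate to root), while link 0 (leaf to intermediate) is fine, which matches how the JPL observation presents: the leaf itself is correctly issued, and only the trailing root is wrong. A client that already holds or can fetch the real issuing root will still validate such a chain, so an empty finding list from a browser is not evidence the server is sending a correct one.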
Artifacts (this folder)
| # | File | SHA-256 (short) | Type | Notes |
|---|---|---|---|---|
| 1 | TLS-Certificate-Chain-Misconfiguration-on-webhosting-external.jpl.nasa.gov-2025-04-22T16_04_11-07_00-1-5.eml | c3ededb6e861… | Outbound .eml | From josephgoyd@proton.me → soc@nasa.gov, 2025-04-22 23:04:11 UTC |
| 2 | NASA-Certificate-Misconfig-4.pdf | c8492464bed9… | PDF render | Companion render of the chain observation |
Full SHA-256 values are recorded in the master INTAKE-LEDGER.md (entries #22–#23).
Anchor tier
🟡 Layer-2 — Topic-frame anchor (outbound only).
- The outbound .eml is a Proton-origin message; it carries Proton's own DKIM signature but does not contain a NASA-side acknowledgement.
- Until SOC issues a ticket number or a human reply, this case is treated as delivery-evidence only, not as agency acknowledgement.
- Standing disclaimer applies even when an acknowledgement arrives: receipt by SOC does not constitute adjudication of the underlying chain-misconfiguration claim.
What this artifact does NOT claim
- It does not claim a vulnerability with measurable impact (no CVSS, no CWE assignment by NASA).
- It does not claim exploitation, auth bypass, or data exposure.
- It does not claim that the chain mismatch constitutes a CVE-class finding.
- It does not assert that NASA has confirmed, triaged, or accepted the report.
The report is documented as an observability/serving-hygiene issue submitted in good faith to the appropriate agency SOC channel.
Validation steps (run locally; do not run from build environment)
```sh
# 1. Hash both files
sha256sum evidence/TLS-Certificate-Chain-Misconfiguration-on-webhosting-external.jpl.nasa.gov-2025-04-22T16_04_11-07_00-1-5.eml
sha256sum evidence/NASA-Certificate-Misconfig-4.pdf

# 2. OpenTimestamps anchor (run locally with your own ots client)
ots stamp evidence/TLS-Certificate-Chain-Misconfiguration-on-webhosting-external.jpl.nasa.gov-2025-04-22T16_04_11-07_00-1-5.eml
ots stamp evidence/NASA-Certificate-Misconfig-4.pdf

# 3. Verify Proton DKIM on outbound message
# (use your local DKIM-verify tool; do not transmit headers to third-party services)
```
Open follow-ups
- Resend or escalate to NASA OIG only if SOC closes without response after 90 days.
- If/when SOC replies, capture the inbound .eml with full headers and re-tier this case to 🟢 Layer-1.
- Do not republish exploitation detail; only the chain-serving observation.
This README is part of the JGoyd Verifiable Evidence System. Strict Track A / Track B domain separation enforced.