Is there a way to filter out the revoked and non-TLS/SMIME ICAs?

-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Rob Stradling via dev-security-policy
Sent: Wednesday, June 17, 2020 5:07 AM
To: dev-security-policy <dev-security-policy@lists.mozilla.org>
Subject: crt.sh: CA Issuers monitor (was Re: CA Issuer AIA URL content types)

Inspired by last month's email threads and Bugzilla issues relating to CA Issuers misconfigurations, I've just finished adding a new feature to crt.sh...

https://crt.sh/ca-issuers

Sadly, this highlights plenty of misconfigurations and other problems: PEM instead of DER, certs for the wrong CAs, wrong Content-Types, 404s, non-existent domain names, connection timeouts. I encourage CAs to take a look and see what they can fix. (Also, comments welcome :-) ).

While I'm here, here's a quick reminder of some other crt.sh features relating to CA compliance issues:

https://crt.sh/ocsp-responders
https://crt.sh/test-websites
https://crt.sh/mozilla-disclosures

________________________________
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> on behalf of Ryan Sleevi via dev-security-policy <dev-security-policy@lists.mozilla.org>
Sent: 22 May 2020 21:52
To: Hanno Böck <ha...@hboeck.de>
Cc: r...@sleevi.com <r...@sleevi.com>; dev-security-policy@lists.mozilla.org <dev-security-policy@lists.mozilla.org>
Subject: Re: CA Issuer AIA URL content types

I believe you've still implied, even in this reply, that this is something serious or important. I see no reason to believe that is the case, and I wasn't sure if there was anything more than a "Here's a SHOULD and here's people not doing it," which doesn't seem that useful to me.

On Fri, May 22, 2020 at 2:52 PM Hanno Böck <ha...@hboeck.de> wrote:
> Hi,
>
> On Fri, 22 May 2020 09:55:22 -0400 Ryan Sleevi via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> > Could you please cite more specifically what you believe is wrong here? This is only a SHOULD level requirement.
>
> I think I said that more or less:
>
> > > I'm not going to file individual reports for the CAs. Based on previous threads I don't believe these are strictly speaking rule violations.
>
> I'm not claiming this is a severe issue or anything people should be worried about.
> It's merely that while analyzing some stuff I observed that AIA fields aren't as reliable as one might want (see also previous mails) and the mime types are one more observation I made where things aren't what they probably SHOULD be.
> I thought I'd share this observation with the community.
>
> --
> Hanno Böck
> https://hboeck.de/

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
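The caIssuers problems Rob's monitor surfaces (PEM instead of DER, wrong Content-Types, certs for the wrong CAs, 404 pages) can each be checked from a single fetched response. The following Go program is an added example, not crt.sh's code: it builds a constructed CA, a leaf it signed and an unrelated CA, then classifies simulated responses; `CheckCAIssuers` and `NewCert` are hypothetical names, and the HTTP fetch of the AIA URL is assumed to have happened already (only the Content-Type header and body are passed in).

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
)
// CheckCAIssuers flags, for one caIssuers response (Content-Type header plus body): PEM instead of DER, a
// Content-Type other than application/pkix-cert (RFC 5280 4.2.2.1), a non-certificate body, a wrong issuer.
func CheckCAIssuers(leaf *x509.Certificate, contentType string, body []byte) []string {
	var problems []string
	if blk, _ := pem.Decode(body); blk != nil {
		problems = append(problems, "PEM instead of DER")
		body = blk.Bytes // still check the certificate carried inside the PEM
	}
	if !strings.HasPrefix(strings.ToLower(contentType), "application/pkix-cert") {
		problems = append(problems, "wrong Content-Type: "+contentType)
	}
	issuer, err := x509.ParseCertificate(body)
	if err != nil {
		return append(problems, "body is not a certificate")
	}
	if leaf.CheckSignatureFrom(issuer) != nil {
		problems = append(problems, "certificate is not the leaf's issuer")
	}
	return problems
}
// NewCert is a constructed-test helper: self-signed when parent is nil, otherwise signed by parent.
func NewCert(cn string, isCA bool, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent, signer = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	c, _ := x509.ParseCertificate(der)
	return c, key
}
func main() {
	ca, caKey := NewCert("Example Root CA", true, nil, nil)
	other, _ := NewCert("Unrelated CA", true, nil, nil)
	leaf, _ := NewCert("example.test", false, ca, caKey)
	fmt.Println("DER, right type:", CheckCAIssuers(leaf, "application/pkix-cert", ca.Raw))
	fmt.Println("PEM, text/plain:", CheckCAIssuers(leaf, "text/plain", pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})))
	fmt.Println("wrong CA:       ", CheckCAIssuers(leaf, "application/pkix-cert", other.Raw))
}
```

Certs-only CMS (application/pkcs7-mime) responses, which RFC 5280 also permits, are not handled here and would be reported as "body is not a certificate".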