On 06/02/16 21:14, Rob Stradling wrote:
> On 05/02/16 21:43, Charles Reiss wrote:
>> On 02/05/16 20:13, martin.suc...@gmail.com wrote:
>>> Here's a list of all certificates with SHA-1 signatures and notBefore
>>> >= 2016-01-01, logged in the Certificate Transparency Log:
>>>
>>> https://crt.sh/?cablint=211&minNotBefore=2016-01-01
>
> This page can now show a chronological view. Click "Ungroup by Issuer" and then sort by the notBefore date or by the date each cert was first logged.
>
> The chronological view should work for any cablint issue (not just SHA-1 certs issued after 2015).
>
>> <snip>
>> Curiously, the similar COMODO CA 'COMODO Domain Validation Legacy Server
>> CA 2' (chains to retired root 'UTN - DATACorp SGC') appears to be
>> exempted from listing? (example cert:
>> https://crt.sh/?id=12584167&opt=cablint)
>
> On the crt.sh database I'd marked "COMODO Domain Validation Legacy
> Server CA 2" as out-of-scope for cablint checks, on the grounds that the
> root (UTN - DATACorp SGC) has been (or is waiting to be) pulled from
> root programs that demand BR compliance.
>
> However, I'm going to add it back in-scope.  We (Comodo) currently
> intend that new certs issued under "UTN - DATACorp SGC" will adhere to
> the BRs in every way except for SHA-1.  It would be useful for crt.sh /
> cablint to spot any unintended issues.

I've also added an "excludeCAs" parameter, which takes a comma-separated list of crt.sh CA IDs.

To exclude SHA-1 certs issued by Symantec and Comodo from previously trusted roots, try this:
https://crt.sh/?cablint=211&dir=^&sort=1&minNotBefore=2016-01-01&excludeCAs=7198,11000&group=none

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
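The query above combines three filters: a cablint check (211, which the thread uses for SHA-1 signatures), a lower bound on notBefore, and a comma-separated excludeCAs list. The following is an added example, not code from the thread or from crt.sh: it rebuilds that URL from its parts with the standard library and reproduces the same filter logic offline over a constructed set of certificate records, which is the kind of check a CA could run against its own issuance log to catch unintended SHA-1 issuance before it shows up on crt.sh. The record layout, the CA ID 4242 and the mapping of cablint 211 to SHA-1 are assumptions made for the example; only the parameter names on the page are used.

```python
from datetime import date
from urllib.parse import urlencode

# Constructed sample records (made-up certificates, not real crt.sh data).
# issuer_ca_id mimics crt.sh's numeric CA identifiers; 7198 and 11000 are the
# two IDs excluded in the thread, 4242 is an assumed third CA.
SAMPLE_CERTS = [
    {"id": 1, "issuer_ca_id": 7198,  "not_before": date(2016, 1, 4),   "sig_alg": "sha1WithRSAEncryption"},
    {"id": 2, "issuer_ca_id": 11000, "not_before": date(2016, 1, 2),   "sig_alg": "sha1WithRSAEncryption"},
    {"id": 3, "issuer_ca_id": 4242,  "not_before": date(2016, 1, 1),   "sig_alg": "sha1WithRSAEncryption"},
    {"id": 4, "issuer_ca_id": 4242,  "not_before": date(2015, 12, 31), "sig_alg": "sha1WithRSAEncryption"},
    {"id": 5, "issuer_ca_id": 4242,  "not_before": date(2016, 2, 1),   "sig_alg": "sha256WithRSAEncryption"},
]

# Signature algorithm names (as OpenSSL prints them) that use SHA-1.
SHA1_SIG_ALGS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1", "dsaWithSHA1"}

# Assumption: cablint issue 211 is the SHA-1 signature check referred to in the thread.
CABLINT_SHA1 = 211


def build_crtsh_url(min_not_before, exclude_cas, cablint=CABLINT_SHA1):
    """Assemble a crt.sh search URL using only the parameters seen in the thread:
    cablint, dir, sort, minNotBefore, excludeCAs and group."""
    params = {
        "cablint": cablint,
        "dir": "^",
        "sort": 1,
        "minNotBefore": min_not_before.isoformat(),
        "excludeCAs": ",".join(str(ca_id) for ca_id in exclude_cas),
        "group": "none",
    }
    # Keep '^' and ',' literal so the URL matches the hand-written form on the list.
    return "https://crt.sh/?" + urlencode(params, safe="^,")


def find_unexpected_sha1(certs, min_not_before, exclude_cas):
    """Local equivalent of the crt.sh query: SHA-1-signed certs whose notBefore is
    on or after the cut-off (the bound is inclusive), issued by a CA that is not
    on the exclusion list. Returns the matching record IDs."""
    excluded = set(exclude_cas)
    return [
        c["id"]
        for c in certs
        if c["sig_alg"] in SHA1_SIG_ALGS
        and c["not_before"] >= min_not_before
        and c["issuer_ca_id"] not in excluded
    ]


if __name__ == "__main__":
    cutoff = date(2016, 1, 1)
    print(build_crtsh_url(cutoff, [7198, 11000]))
    # Only record 3 survives: 1 and 2 are issued by excluded CAs, 4 predates the
    # cut-off and 5 is SHA-256.
    print(find_unexpected_sha1(SAMPLE_CERTS, cutoff, [7198, 11000]))
```

Record 3 sits exactly on the cut-off date and is still reported, matching the ">= 2016-01-01" wording in the thread; a CA running a similar check against its own database should make sure its date comparison is inclusive in the same way.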

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy