Rob,
So far they are -

<https://crt.sh/?sha1=e12ba5aeb7613a72cc9652f1673017a5d8fc7479> E12BA5AEB7613A72CC9652F1673017A5D8FC7479 - technically constrained warning
<https://crt.sh/?sha1=8c6c7a20b48ef3bcb0fcb203008773846611486a> 8C6C7A20B48EF3BCB0FCB203008773846611486A - technically constrained warning
<https://crt.sh/?sha1=69bdbd7760f0fc58021c290c39243351914dadc5> 69BDBD7760F0FC58021C290C39243351914DADC5 - technically constrained warning
<https://crt.sh/?sha1=107cce8b25af9b6cfabada125967aed4ef5bafe2> 107CCE8B25AF9B6CFABADA125967AED4EF5BAFE2 - technically constrained warning
<https://crt.sh/?sha1=d92b8d4859538692e435ad78dd876b03601eae96> D92B8D4859538692E435AD78DD876B03601EAE96 - PEM too long
<https://crt.sh/?sha1=3948a71e4b39768a016fa3b13175e41197f8bf28> 3948A71E4B39768A016FA3B13175E41197F8BF28 - PEM too long

And then the ones that aren't trusted, or shouldn't be trusted, were all of the KBC Group CAs, because the certificate that issued those (SHA-1 Fingerprint CF:AA:D9:D6:31:4D:33:9F:A6:07:72:EB:61:FA:B5:F8:FD:DC:56:10; SHA-256 Fingerprint AE:F2:6B:BB:CB:B7:07:06:76:2C:8B:E9:30:C4:1F:91:3D:D0:E2:34:0A:78:9E:8B:33:F1:27:FB:6D:27:92:F0) was revoked on 1 July 2015. (I don't know why NSS can't just use the CRLs that CAs issue.) I hadn't entered it previously into SalesForce or in OneCRL because the revocation had happened so long ago, but yesterday I went and did that.
Cheers,

Ben

-----Original Message-----
From: Rob Stradling [mailto:rob.stradl...@comodo.com]
Sent: Monday, June 20, 2016 4:17 PM
To: Ben Wilson <ben.wil...@digicert.com>
Cc: Peter Bowen <pzbo...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Intermediate certificate disclosure deadline in 2 weeks

On 20/06/16 21:15, Ben Wilson wrote:
> When I try to upload some of these listed as "Unconstrained
> id-kp-serverAuth Trust" undisclosed, I get a warning that says, "This
> certificate is considered to be technically-constrained as per Mozilla
> policy, so it does not need to be added to the CA Community in
> Salesforce. All data that you enter into Salesforce will be publicly
> available, so please make sure you do not enter sensitive information
> that should not be published. ... I understand, proceed anyways."

Ben, would you mind telling me which certs you tried to upload? I'd like to understand why there's a discrepancy.

> I also noticed that some on the list are not publicly trusted because
> the root is not in the trust store or is not signed by a root that is
> in the trust store.

Which ones?

Thanks.

> Ben
>
> -----Original Message-----
> From: dev-security-policy
> [mailto:dev-security-policy-bounces+ben=digicert....@lists.mozilla.org]
> On Behalf Of Peter Bowen
> Sent: Monday, June 20, 2016 11:59 AM
> To: Rob Stradling <rob.stradl...@comodo.com>
> Cc: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Intermediate certificate disclosure deadline in 2 weeks
>
> On Fri, Jun 17, 2016 at 4:12 AM, Rob Stradling
> <rob.stradl...@comodo.com> wrote:
>> Friendly reminder to all CA representatives:
>>
>> Don't forget the June 30th deadline! And don't leave it until the
>> last minute if you have lots of intermediate certificates to disclose!
>>
>> https://crt.sh/mozilla-disclosures
>> ...lists (under "Unconstrained id-kp-serverAuth Trust: Disclosure is
>> required!") the (many!) qualifying intermediate certificates that are
>> known to CT and that have not yet been disclosed to Salesforce.
>
> I found one bug in this list -- it is including self-signed
> certificates, which are not subject to disclosure, as they clearly
> don't chain back to a root in the Mozilla trust store.
>
> Thanks,
> Peter
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

COMODO CA Limited, Registered in England No. 04058690
Registered Office: 3rd Floor, 26 Office Village, Exchange Quay, Trafford Road, Salford, Manchester M5 3EQ