> On Jun 7, 2017, at 21:56, Matthew Hardeman via dev-security-policy 
> <dev-security-policy@lists.mozilla.org> wrote:
> 
> On Wednesday, June 7, 2017 at 6:45:25 PM UTC-5, Jonathan Rudenberg wrote:
> 
>> Yet another batch of undisclosed intermediates has shown up in CT:
>> 
>> - https://crt.sh/?sha256=f01c1aca392882af152e9f01ecccd0afddd8aa35bf895b003198b1e8c752ddb8
>> - https://crt.sh/?sha256=29d8ac29f9007a6ad7923fdade32ef814ba3c6751551cf765416e8dbd8ff7619
>> - https://crt.sh/?sha256=c02739e63880368967bb27fedf0a5749aeaf62a2328c09a7a33e876b4f27adca
>> - https://crt.sh/?sha256=b82210cde9ddea0e14be29af647e4b32f96ed2a9ef1aa5baa9cc64b38b6c01ca
>> - https://crt.sh/?sha256=8e8c6ebf77dc73db3e38e93f4803e62b6b5933beb51ee4152f68d7aa14426b31
>> - https://crt.sh/?sha256=48db8801874e0e36b1b864603b31648b74e2322a8f9e4967a8f54bd1b8f594de
>> - https://crt.sh/?sha256=1bc400808ab07b775c811c631d75ab38fe7be7df6967f5b384bfe8dc9ef807c6
>> - https://crt.sh/?sha256=f1f072c64d69e573725533e83a601bb8b068f6699e59ba70eda2aecb28e06bfb
> 
> crt.sh seems to be unavailable / lagged at the moment, but before it went 
> down, I queried several of these.  MOST of those I queried seemed to be 
> self-issued / self-signed roots that I'm not sure are in the broader trust 
> stores directly.

Yes, they are self-signed, however they share a SPKI/Subject with one or more 
other certificates which make it possible to build paths to roots trusted by 
Mozilla.

Censys has a great visualization of this:

- https://censys.io/certificates/f01c1aca392882af152e9f01ecccd0afddd8aa35bf895b003198b1e8c752ddb8/validation
- https://censys.io/certificates/29d8ac29f9007a6ad7923fdade32ef814ba3c6751551cf765416e8dbd8ff7619/validation
- https://censys.io/certificates/c02739e63880368967bb27fedf0a5749aeaf62a2328c09a7a33e876b4f27adca/validation
- https://censys.io/certificates/c02739e63880368967bb27fedf0a5749aeaf62a2328c09a7a33e876b4f27adca/validation
- https://censys.io/certificates/b82210cde9ddea0e14be29af647e4b32f96ed2a9ef1aa5baa9cc64b38b6c01ca/validation
- https://censys.io/certificates/8e8c6ebf77dc73db3e38e93f4803e62b6b5933beb51ee4152f68d7aa14426b31/validation
- https://censys.io/certificates/1bc400808ab07b775c811c631d75ab38fe7be7df6967f5b384bfe8dc9ef807c6/validation
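
The path-building point made in the reply above, as an added example that is not part of the original message: a simplified model that matches certificates by subject and SPKI only (no signature verification) and lists every chain from a certificate, or a sibling sharing its subject and key, to a trust anchor. All labels, names and keys are constructed.

```python
from collections import defaultdict
from typing import NamedTuple


class Cert(NamedTuple):
    label: str        # constructed identifier, stands in for a fingerprint
    subject: str      # subject DN
    spki: str         # stands in for the SPKI hash
    issuer: str       # issuer DN
    signer_spki: str  # key that produced the signature


def trusted_paths(target, pool, trust_anchors):
    """Return chains (lists of labels) that start at `target` or at any
    certificate sharing its subject+SPKI and end at a certificate issued
    directly by a trust anchor, given as (subject, spki) pairs."""
    by_identity = defaultdict(list)
    for c in pool:
        by_identity[(c.subject, c.spki)].append(c)

    paths = []

    def walk(cert, chain):
        chain = chain + [cert.label]
        parent_id = (cert.issuer, cert.signer_spki)
        if parent_id in trust_anchors:
            paths.append(chain)
            return
        for parent in by_identity[parent_id]:
            if parent.label not in chain:  # avoid self-issued loops
                walk(parent, chain)

    for sibling in by_identity[(target.subject, target.spki)]:
        walk(sibling, [])
    return paths


# Constructed sample data.
ANCHORS = {("CN=Trusted Root", "key-R")}
SELF_SIGNED = Cert("self-signed", "CN=Example CA", "key-A", "CN=Example CA", "key-A")
CROSS_CERT = Cert("cross-cert", "CN=Example CA", "key-A", "CN=Trusted Root", "key-R")
PRIVATE = Cert("private-root", "CN=Private CA", "key-P", "CN=Private CA", "key-P")
POOL = [SELF_SIGNED, CROSS_CERT, PRIVATE]

if __name__ == "__main__":
    for cert in (SELF_SIGNED, PRIVATE):
        print(cert.label, trusted_paths(cert, POOL, ANCHORS))
```

The self-signed certificate reaches the trust anchor only through the cross-certificate that shares its subject and key; the private root, which has no such sibling, yields no path.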
