On Fri, 16 Jun 2017 10:29:45 -0700
Tavis Ormandy via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:

> On Fri, Jun 16, 2017 at 2:00 AM, Rob Stradling
> <rob.stradl...@comodo.com> wrote:
> 
> > On 16/06/17 06:05, Tavis Ormandy via dev-security-policy wrote:
> >
> >> Hello, I was crawling the pkcs7 blobs in public pdf files and
> >> found some intermediate certificates that don't appear in crt.sh.
> >>
> >> I forwarded them to Rob, I don't know if this is useful to anyone
> >> else, but they're available here.
> >>
> >> https://lock.cmpxchg8b.com/intermediates.zip
> >>
> >> Tavis.
> >>
> >
> > Thanks Tavis.  I've just submitted all of these intermediates to
> > some CT logs.
> >
> > This list just grew considerably...
> > https://crt.sh/mozilla-disclosures#undisclosed
> >
> >> (I have a larger collection if anyone wants them, but many have
> >> unknown critical extensions, or are name or usage constrained, etc)
> >>
> >
> > Yes please.  :-)
> >
> >
> Is there an easy way to check which certificates from my set you're
> missing? (I'm not a PKI guy, I was collecting unusual extension OIDs
> for fuzzing).
> 
> I collected these from public sources, so can just give you my whole
> set if you already have tools for importing them and don't mind
> processing them, I have around ~8M (mostly leaf) certificates, the
> set with isCa will be much smaller.

Please do post the whole set.  I suspect there are several people on
this list (including myself and Rob) who have the tools and experience
to process large sets of certificates and post them to public
Certificate Transparency logs (whence they will be fed into crt.sh).

It would be useful to include the leaf certificates as well, to catch
CAs which are engaging in bad practices such as signing non-SSL certs
with SHA-1 under an intermediate that is capable of issuing SSL
certificates.

Thanks a bunch for this!

Regards,
Andrew
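An added example, not code from anyone in this thread, of the triage the two messages above describe: split a parsed set into CA certificates (the ones worth disclosing), compute the SHA-256 fingerprint crt.sh indexes by so a missing-from-crt.sh check can be run, and flag leaves signed with SHA-1 whose issuer DN matches a CA in the set that is capable of issuing TLS certificates. It goes slightly beyond Andrew's wording by flagging any SHA-1-signed leaf under such an intermediate, not only non-SSL ones; the function and type names are my own, and issuers are matched by DN rather than by verifying the signature, since current Go rejects SHA-1 signatures.

```go
package main

import (
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
)

// Finding pairs a SHA-1-signed leaf with the TLS-capable CA it chains to (matched by subject DN).
type Finding struct{ LeafFP, IssuerFP string }

// fingerprint is the SHA-256 of the DER encoding, the value crt.sh indexes certificates by.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// sha1Signed reports whether the certificate's own signature uses SHA-1.
func sha1Signed(c *x509.Certificate) bool {
	a := c.SignatureAlgorithm
	return a == x509.SHA1WithRSA || a == x509.ECDSAWithSHA1 || a == x509.DSAWithSHA1
}

// canIssueTLS: a CA listing serverAuth (or anyExtendedKeyUsage) can issue TLS
// certificates, and so can one with no EKU extension at all, since it is unconstrained.
func canIssueTLS(ca *x509.Certificate) bool {
	for _, e := range ca.ExtKeyUsage {
		if e == x509.ExtKeyUsageServerAuth || e == x509.ExtKeyUsageAny {
			return true
		}
	}
	return len(ca.ExtKeyUsage) == 0 && len(ca.UnknownExtKeyUsage) == 0
}

// triage splits the set into CA certs and leaves, then reports SHA-1-signed leaves whose
// issuer DN matches a TLS-capable CA in the set (no signature check: Go refuses SHA-1).
func triage(certs []*x509.Certificate) (cas, leaves []*x509.Certificate, findings []Finding) {
	bySubject := map[string][]*x509.Certificate{}
	for _, c := range certs {
		if !c.IsCA {
			leaves = append(leaves, c)
			continue
		}
		cas = append(cas, c)
		bySubject[string(c.RawSubject)] = append(bySubject[string(c.RawSubject)], c)
	}
	for _, l := range leaves {
		for _, ca := range bySubject[string(l.RawIssuer)] {
			if sha1Signed(l) && canIssueTLS(ca) {
				findings = append(findings, Finding{fingerprint(l), fingerprint(ca)})
			}
		}
	}
	return cas, leaves, findings
}
```

Feed it the output of x509.ParseCertificate over each DER blob in the set; the LeafFP/IssuerFP values are what you would look up on crt.sh to see whether the certificate is already logged.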
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy