FYI, I'm submitting these right now, it seems to be working, here's an
example

https://crt.sh/?q=1eb6ec6e6c45663f3bb1b2f140961bbf3352fc8741ef835146d3a8a2616ee28f

Tavis.

On Mon, Jun 19, 2017 at 12:56 PM, Tavis Ormandy <tav...@google.com> wrote:

> I noticed there's an apparently valid facebook.com certificate in there (
> 61b1526f9d75775c3d533382f36527c9.pem). This is surprising to me, that
> seems like it would be in CT already - so maybe I don't know what I'm doing.
>
> Let me know if I've misunderstood something.
>
> Tavis.
>
>
> On Mon, Jun 19, 2017 at 12:41 PM, Tavis Ormandy <tav...@google.com> wrote:
>
>> Thanks Alex, I took a look, it looks like the check pings crt.sh - is
>> doing that for a large number of certificates acceptable Rob?
>>
>> I made a smaller set, the certificates that have 'SSL server: Yes' or
>> 'Any Purpose : Yes', there were only a few thousand that verified, so I
>> just checked those and found 551 not in crt.sh.
>>
>> (The *vast* majority are code signing certificates, many are individual
>> apple developer certificates)
>>
>> Is this useful? if not, what key usage is interesting?
>>
>> https://lock.cmpxchg8b.com/ServerOrAny.zip
>>
>> Tavis.
>>
>> On Mon, Jun 19, 2017 at 7:03 AM, Alex Gaynor <agay...@mozilla.com> wrote:
>>
>>> If you're interested in playing around with submitting them yourself, or
>>> checking if they're already submitted, I've got some random tools for
>>> working with CT: https://github.com/alex/ct-tools
>>>
>>> Specifically ct-tools check <cert1.pem, cert2.pem, ...> will get what
>>> you want. It's all serial, so for 8M certs you probably want to Bring Your
>>> Own Parallelism (I should fix this...)
>>>
>>> Alex
>>>
>>> On Mon, Jun 19, 2017 at 6:51 AM, Rob Stradling via dev-security-policy <
>>> dev-security-policy@lists.mozilla.org> wrote:
>>>
>>>> On 16/06/17 20:11, Andrew Ayer via dev-security-policy wrote:
>>>>
>>>>> On Fri, 16 Jun 2017 10:29:45 -0700 Tavis Ormandy wrote:
>>>>>
>>>> <snip>
>>>>
>>>>>> Is there an easy way to check which certificates from my set you're
>>>>>> missing? (I'm not a PKI guy, I was collecting unusual extension OIDs
>>>>>> for fuzzing).
>>>>>>
>>>>>> I collected these from public sources, so can just give you my whole
>>>>>> set if you already have tools for importing them and don't mind
>>>>>> processing them, I have around ~8M (mostly leaf) certificates, the
>>>>>> set with isCa will be much smaller.
>>>>>>
>>>>>
>>>>> Please do post the whole set.  I suspect there are several people on
>>>>> this list (including myself and Rob) who have the tools and experience
>>>>> to process large sets of certificates and post them to public
>>>>> Certificate Transparency logs (whence they will be fed into crt.sh).
>>>>>
>>>>> It would be useful to include the leaf certificates as well, to catch
>>>>> CAs which are engaging in bad practices such as signing non-SSL certs
>>>>> with SHA-1 under an intermediate that is capable of issuing SSL
>>>>> certificates.
>>>>>
>>>>> Thanks a bunch for this!
>>>>>
>>>>
>>>> +1
>>>>
>>>> Tavis, please do post the whole set.  And thanks!
>>>>
>>>> --
>>>> Rob Stradling
>>>> Senior Research & Development Scientist
>>>> COMODO - Creating Trust Online
>>>> _______________________________________________
>>>> dev-security-policy mailing list
>>>> dev-security-policy@lists.mozilla.org
>>>> https://lists.mozilla.org/listinfo/dev-security-policy
>>>>
>>>
>>>
>>
>
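The steps in this thread (keep the certificates whose purpose is 'SSL server' or 'Any Purpose', then look each one up on crt.sh by its SHA-256 fingerprint, the `https://crt.sh/?q=<sha256>` query form shown above) as an added example written for this page, not Tavis's script or Alex's ct-tools. It uses the third-party `cryptography` package. The purpose check is an assumption: it approximates OpenSSL's `-purpose` output by looking at the Extended Key Usage extension (serverAuth, anyExtendedKeyUsage, or no EKU at all), which is not byte-for-byte what `openssl x509 -purpose` does. The sample certificates are constructed self-signed test certs, not real ones.

```python
"""Filter PEM certificates down to server-capable ones and build crt.sh
lookup URLs from their SHA-256 fingerprints.  Example code for this page
(not the thread participants' tools); requires the `cryptography` package."""
import datetime
import hashlib

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# EKU values that make a cert usable for TLS server auth (assumption: this
# stands in for OpenSSL's "SSL server: Yes" / "Any Purpose: Yes" checks).
SERVER_EKUS = {
    ExtendedKeyUsageOID.SERVER_AUTH,
    ExtendedKeyUsageOID.ANY_EXTENDED_KEY_USAGE,
}


def sha256_fingerprint(pem: bytes) -> str:
    """Lower-case hex SHA-256 over the DER encoding, the hash crt.sh indexes."""
    cert = x509.load_pem_x509_certificate(pem)
    der = cert.public_bytes(serialization.Encoding.DER)
    return hashlib.sha256(der).hexdigest()


def crtsh_url(pem: bytes) -> str:
    """The crt.sh query URL for one certificate, as used in the thread."""
    return "https://crt.sh/?q=" + sha256_fingerprint(pem)


def is_server_capable(pem: bytes) -> bool:
    """True if the cert may be used for TLS server auth.

    Assumption: no EKU extension means no purpose restriction (OpenSSL treats
    such certs as valid for any purpose), so those are kept as well.
    """
    cert = x509.load_pem_x509_certificate(pem)
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return True
    return any(oid in SERVER_EKUS for oid in eku)


def filter_server_or_any(pems):
    """The 'ServerOrAny' subset: only certs worth checking against CT."""
    return [p for p in pems if is_server_capable(p)]


def make_self_signed(cn: str, ekus) -> bytes:
    """Constructed self-signed P-256 test certificate (not a real cert)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    start = datetime.datetime(2017, 6, 19)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=30))
    )
    if ekus is not None:
        builder = builder.add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
    cert = builder.sign(key, hashes.SHA256())
    return cert.public_bytes(serialization.Encoding.PEM)


# Constructed sample set: a TLS server cert, a code-signing cert (the kind
# that dominated Tavis's 8M set), and one with no EKU restriction at all.
SAMPLE_SERVER = make_self_signed("www.example.test", [ExtendedKeyUsageOID.SERVER_AUTH])
SAMPLE_CODESIGN = make_self_signed("Developer ID", [ExtendedKeyUsageOID.CODE_SIGNING])
SAMPLE_NO_EKU = make_self_signed("legacy.example.test", None)

if __name__ == "__main__":
    for pem in filter_server_or_any([SAMPLE_SERVER, SAMPLE_CODESIGN, SAMPLE_NO_EKU]):
        print(crtsh_url(pem))
```

Fetching each URL (or, as in the thread, asking Rob before hammering crt.sh with a few thousand lookups) is left to the caller; the block only decides which certs are worth submitting and how to address them.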