I think you're right, it was probably me submitting my corpus - I hope that's a good thing! :-)
I only submitted the ones I could verify, would you be interested in the others? Many are clearly not interesting, but others seem like they may be interesting if I had an intermediate I haven't seen. Tavis. On Thu, Jun 22, 2017 at 6:15 AM, Alex Gaynor <agay...@mozilla.com> wrote: > One of my hobbies is keeping track of publicly trusted (by any of the > major root programs) CAs, for which there are no logged certificates. > There's over 1000 of these. In the last day, presumably as a result of > these efforts, 50-100 CAs were removed from the list. > > Cheers, > Alex > > On Thu, Jun 22, 2017 at 5:51 AM, Rob Stradling <rob.stradl...@comodo.com> > wrote: > >> On 19/06/17 20:41, Tavis Ormandy via dev-security-policy wrote: >> >>> Thanks Alex, I took a look, it looks like the check pings crt.sh - is >>> doing >>> that for a large number of certificates acceptable Rob? >>> >> >> Hi Tavis. Yes, Alex's tool uses https://crt.sh/gen-add-chain to find a >> suitable cert chain and build the JSON that can then be submitted to a >> log's /ct/v1/add-chain. It should be fine to do that for a large number of >> certs. crt.sh exists to be used. ;-) >> >> I made a smaller set, the certificates that have 'SSL server: Yes' or 'Any >>> Purpose : Yes', there were only a few thousand that verified, so I just >>> checked those and found 551 not in crt.sh. >>> >>> (The *vast* majority are code signing certificates, many are individual >>> apple developer certificates) >>> >>> Is this useful? if not, what key usage is interesting? >>> >>> https://lock.cmpxchg8b.com/ServerOrAny.zip >>> >> >> Thanks for this, Tavis. I pointed my certscraper ( >> https://github.com/robstradling/certscraper) at this URL a couple of >> days ago. This submitted many of the certs to the Dodo and Rocketeer logs. >> >> However, it didn't manage to build chains for all of them. I haven't yet >> had a chance to investigate why. >> >> >> Tavis. >>> >>> On Mon, Jun 19, 2017 at 7:03 AM, Alex Gaynor <agay...@mozilla.com> >>> wrote: >>> >>> If you're interested in playing around with submitting them yourself, or >>>> checking if they're already submitted, I've got some random tools for >>>> working with CT: https://github.com/alex/ct-tools >>>> >>>> Specifically ct-tools check <cert1.pem, cert2.pem, ...> will get what >>>> you >>>> want. It's all serial, so for 8M certs you probably want to Bring Your >>>> Own >>>> Parallelism (I should fix this...) >>>> >>>> Alex >>>> >>>> On Mon, Jun 19, 2017 at 6:51 AM, Rob Stradling via dev-security-policy < >>>> dev-security-policy@lists.mozilla.org> wrote: >>>> >>>> On 16/06/17 20:11, Andrew Ayer via dev-security-policy wrote: >>>>> >>>>> On Fri, 16 Jun 2017 10:29:45 -0700 Tavis Ormandy wrote: >>>>>> >>>>>> <snip> >>>>> >>>>> Is there an easy way to check which certificates from my set you're >>>>>> >>>>>>> missing? (I'm not a PKI guy, I was collecting unusual extension OIDs >>>>>>> for fuzzing). >>>>>>> >>>>>>> I collected these from public sources, so can just give you my whole >>>>>>> set if you already have tools for importing them and don't mind >>>>>>> processing them, I have around ~8M (mostly leaf) certificates, the >>>>>>> set with isCa will be much smaller. >>>>>>> >>>>>>> >>>>>> Please do post the whole set. I suspect there are several people on >>>>>> this list (including myself and Rob) who have the tools and experience >>>>>> to process large sets of certificates and post them to public >>>>>> Certificate Transparency logs (whence they will be fed into crt.sh). >>>>>> >>>>>> It would be useful to include the leaf certificates as well, to catch >>>>>> CAs which are engaging in bad practices such as signing non-SSL certs >>>>>> with SHA-1 under an intermediate that is capable of issuing SSL >>>>>> certificates. >>>>>> >>>>>> Thanks a bunch for this! >>>>>> >>>>>> >>>>> +1 >>>>> >>>>> Tavis, please do post the whole set. And thanks! >>>>> >>>> >> -- >> Rob Stradling >> Senior Research & Development Scientist >> COMODO - Creating Trust Online >> > > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
