I definitely consider increased visibility into the vast iceberg that is
the public PKI to be a good thing!

What set of intermediates are you using? If it's reasonably complete, I
doubt we'll do any better than you, though maybe someone here has a
particularly clever technique for processing these.

As these are all from PDFs, an interesting follow-up project for someone
might be to look at S/MIME signatures sent to public mailing lists and
see what interesting certificates can be found there.

Alex

On Thu, Jun 22, 2017 at 10:45 AM, Tavis Ormandy <tav...@google.com> wrote:

> I think you're right, it was probably me submitting my corpus - I hope
> that's a good thing! :-)
>
> I only submitted the ones I could verify, would you be interested in the
> others? Many are clearly not interesting, but others seem like they may be
> interesting if I had an intermediate I haven't seen.
>
> Tavis.
>
>
> On Thu, Jun 22, 2017 at 6:15 AM, Alex Gaynor <agay...@mozilla.com> wrote:
>
>> One of my hobbies is keeping track of publicly trusted (by any of the
>> major root programs) CAs, for which there are no logged certificates.
>> There's over 1000 of these. In the last day, presumably as a result of
>> these efforts, 50-100 CAs were removed from the list.
>>
>> Cheers,
>> Alex
>>
>> On Thu, Jun 22, 2017 at 5:51 AM, Rob Stradling <rob.stradl...@comodo.com> wrote:
>>
>>> On 19/06/17 20:41, Tavis Ormandy via dev-security-policy wrote:
>>>
>>>> Thanks Alex, I took a look, it looks like the check pings crt.sh - is
>>>> doing that for a large number of certificates acceptable Rob?
>>>>
>>>
>>> Hi Tavis.  Yes, Alex's tool uses https://crt.sh/gen-add-chain to find a
>>> suitable cert chain and build the JSON that can then be submitted to a
>>> log's /ct/v1/add-chain.  It should be fine to do that for a large number of
>>> certs.  crt.sh exists to be used.  ;-)
>>>
>>>> I made a smaller set, the certificates that have 'SSL server: Yes' or
>>>> 'Any Purpose : Yes', there were only a few thousand that verified, so I just
>>>> checked those and found 551 not in crt.sh.
>>>>
>>>> (The *vast* majority are code signing certificates, many are individual
>>>> apple developer certificates)
>>>>
>>>> Is this useful? if not, what key usage is interesting?
>>>>
>>>> https://lock.cmpxchg8b.com/ServerOrAny.zip
>>>>
>>>
>>> Thanks for this, Tavis.  I pointed my certscraper (
>>> https://github.com/robstradling/certscraper) at this URL a couple of
>>> days ago.  This submitted many of the certs to the Dodo and Rocketeer logs.
>>>
>>> However, it didn't manage to build chains for all of them.  I haven't
>>> yet had a chance to investigate why.
>>>
>>>
>>>> Tavis.
>>>>
>>>> On Mon, Jun 19, 2017 at 7:03 AM, Alex Gaynor <agay...@mozilla.com>
>>>> wrote:
>>>>
>>>>> If you're interested in playing around with submitting them yourself, or
>>>>> checking if they're already submitted, I've got some random tools for
>>>>> working with CT: https://github.com/alex/ct-tools
>>>>>
>>>>> Specifically ct-tools check <cert1.pem, cert2.pem, ...> will get what you
>>>>> want. It's all serial, so for 8M certs you probably want to Bring Your Own
>>>>> Parallelism (I should fix this...)
>>>>>
>>>>> Alex
>>>>>
>>>>> On Mon, Jun 19, 2017 at 6:51 AM, Rob Stradling via dev-security-policy
>>>>> <dev-security-policy@lists.mozilla.org> wrote:
>>>>>
>>>>> On 16/06/17 20:11, Andrew Ayer via dev-security-policy wrote:
>>>>>>
>>>>>> On Fri, 16 Jun 2017 10:29:45 -0700 Tavis Ormandy wrote:
>>>>>>>
>>>>>>> <snip>
>>>>>>
>>>>>>>> Is there an easy way to check which certificates from my set you're
>>>>>>>> missing? (I'm not a PKI guy, I was collecting unusual extension OIDs
>>>>>>>> for fuzzing).
>>>>>>>>
>>>>>>>> I collected these from public sources, so can just give you my whole
>>>>>>>> set if you already have tools for importing them and don't mind
>>>>>>>> processing them, I have around ~8M (mostly leaf) certificates, the
>>>>>>>> set with isCa will be much smaller.
>>>>>>>>
>>>>>>>>
>>>>>>> Please do post the whole set.  I suspect there are several people on
>>>>>>> this list (including myself and Rob) who have the tools and experience
>>>>>>> to process large sets of certificates and post them to public
>>>>>>> Certificate Transparency logs (whence they will be fed into crt.sh).
>>>>>>>
>>>>>>> It would be useful to include the leaf certificates as well, to catch
>>>>>>> CAs which are engaging in bad practices such as signing non-SSL certs
>>>>>>> with SHA-1 under an intermediate that is capable of issuing SSL
>>>>>>> certificates.
>>>>>>>
>>>>>>> Thanks a bunch for this!
>>>>>>>
>>>>>>>
>>>>>> +1
>>>>>>
>>>>>> Tavis, please do post the whole set.  And thanks!
>>>>>>
>>>>>
>>> --
>>> Rob Stradling
>>> Senior Research & Development Scientist
>>> COMODO - Creating Trust Online
>>>
>>
>>
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
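
The mechanics the thread describes, as an added example that is not part of the original messages and is not code from ct-tools, certscraper or crt.sh: a standard-library Go program that applies the "SSL server: Yes" / "Any Purpose: Yes" EKU filter Tavis used, builds a chain from a leaf up to a self-signed root through a local pool of intermediates (standing in for what https://crt.sh/gen-add-chain does with its own database), and produces the JSON body that a log's /ct/v1/add-chain endpoint expects under RFC 6962. The PKI it operates on is constructed at runtime (the names "Example Root CA", "Example Issuing CA", "www.example.test" and "Some Developer" are made up), and the function names are mine. It also reproduces the failure mode Rob and Tavis mention: a leaf whose intermediate is missing from the pool cannot be chained and therefore cannot be submitted.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// IsServerOrAnyPurpose reproduces the "SSL server: Yes" / "Any Purpose: Yes" filter:
// serverAuth or anyExtendedKeyUsage in the EKU, or no EKU at all (RFC 5280 4.2.1.12).
func IsServerOrAnyPurpose(c *x509.Certificate) bool {
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		return true
	}
	for _, eku := range c.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth || eku == x509.ExtKeyUsageAny {
			return true
		}
	}
	return false
}

// BuildChain walks from leaf to a self-signed root through pool, accepting an issuer only
// if its subject matches and the signature verifies; a missing intermediate means no chain.
func BuildChain(leaf *x509.Certificate, pool []*x509.Certificate) ([]*x509.Certificate, error) {
	chain := []*x509.Certificate{leaf}
	for cur := leaf; len(chain) <= 8; { // bound guards against cross-signing loops
		if bytes.Equal(cur.RawSubject, cur.RawIssuer) && cur.CheckSignatureFrom(cur) == nil {
			return chain, nil // reached a self-signed root
		}
		var issuer *x509.Certificate
		for _, cand := range pool {
			if bytes.Equal(cand.RawSubject, cur.RawIssuer) && cur.CheckSignatureFrom(cand) == nil {
				issuer = cand
				break
			}
		}
		if issuer == nil {
			return nil, fmt.Errorf("no issuer in pool for %q", cur.Subject.CommonName)
		}
		chain, cur = append(chain, issuer), issuer
	}
	return nil, fmt.Errorf("chain for %q exceeds 8 certificates", leaf.Subject.CommonName)
}

// AddChainBody builds the JSON body of POST /ct/v1/add-chain (RFC 6962 4.1):
// end-entity certificate first, then each issuer in order, as base64 DER.
func AddChainBody(chain []*x509.Certificate) ([]byte, error) {
	req := struct{ Chain []string `json:"chain"` }{}
	for _, c := range chain {
		req.Chain = append(req.Chain, base64.StdEncoding.EncodeToString(c.Raw))
	}
	return json.Marshal(req)
}

// issue creates a constructed sample certificate (not a real one); parent nil means self-signed.
func issue(cn string, serial int64, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey,
	eku ...x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, ExtKeyUsage: eku, KeyUsage: x509.KeyUsageDigitalSignature}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if ca {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// SampleCorpus builds a constructed PKI like the corpus under discussion:
// root -> intermediate -> one serverAuth leaf and one codeSigning leaf.
func SampleCorpus() (root, inter, server, codeSign *x509.Certificate) {
	root, rk := issue("Example Root CA", 1, true, nil, nil)
	inter, ik := issue("Example Issuing CA", 2, true, root, rk)
	server, _ = issue("www.example.test", 3, false, inter, ik, x509.ExtKeyUsageServerAuth)
	codeSign, _ = issue("Some Developer", 4, false, inter, ik, x509.ExtKeyUsageCodeSigning)
	return
}

func main() {
	root, inter, server, codeSign := SampleCorpus()
	for _, leaf := range []*x509.Certificate{server, codeSign} {
		chain, err := BuildChain(leaf, []*x509.Certificate{root, inter}) // drop inter to see the failure
		fmt.Println(leaf.Subject.CommonName, "submit:", IsServerOrAnyPurpose(leaf), "chain:", len(chain), err)
	}
}
```

Running it with `go run` shows the server leaf passing the filter with a three-certificate chain and the code-signing leaf being skipped, which is the split Tavis describes between the few thousand server certificates and the bulk of code-signing ones. `BuildChain` takes the first verifying issuer it finds and does not explore cross-signed alternatives, so with a partial pool of intermediates some leaves will fail exactly as Rob's certscraper run did; what the body of the request contains is just the DER chain, so nothing about it is specific to one log.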