On 23/06/2017 14:59, Rob Stradling wrote:
> On 22/06/17 10:51, Rob Stradling via dev-security-policy wrote:
> > On 19/06/17 20:41, Tavis Ormandy via dev-security-policy wrote:
> > > <snip>
> > > Is this useful? If not, what key usage is interesting?
> > > https://lock.cmpxchg8b.com/ServerOrAny.zip
> >
> > Thanks for this, Tavis. I pointed my certscraper
> > (https://github.com/robstradling/certscraper) at this URL a couple of
> > days ago. This submitted many of the certs to the Dodo and Rocketeer
> > logs.
> >
> > However, it didn't manage to build chains for all of them. I haven't
> > yet had a chance to investigate why.
>
> There are ~130 CA certificates in
> https://lock.cmpxchg8b.com/ServerOrAny.zip that I've not yet been able
> to submit to any CT logs.
>
> Reasons:
> - Some are only trusted by the old Adobe CDS program.
> - Some are only trusted for Microsoft Kernel Mode Code Signing.
> - Some are very old roots that are no longer trusted.
> - Some are corrupted.
> - Some seem to be from private PKIs.
The SubCAs for Windows 5.01 (XP) to 6.03 (Eight point One) kernel mode
signing are all 10-year cross-certs from a dedicated single-purpose
Microsoft root CA to well-known roots from companies like Symantec and
GlobalSign.

They can (or could) be downloaded from a Microsoft support page. I know
of 6 that expired in 2016, 19 that will expire in 2021 and 4 that will
expire in 2023.

The issuing 20-year root is
http://www.microsoft.com/pki/certs/MicrosoftCodeVerifRoot.crt
CN=Microsoft Code Verification Root, O=Microsoft Corporation, L=Redmond,
ST=Washington, C=US
SHA1 Fingerprint=8F:BE:4D:07:0E:F8:AB:1B:CC:AF:2A:9D:5C:CA:E7:28:2A:2C:66:B3

The relevant root store contains *only* this root, so the issuing (and
possible revocation) of the SubCA/cross-certs acts as a dedicated root
program more restrictive than the normal Microsoft root program. Chain
validation is often done during boot before TCP/IP is up and running
(even the network drivers are signed with this), so there is no AIA or
OCSP available. Pre-downloaded CRLs could be checked, but I don't know if
they do that.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy