Lee,

Different parts of Mozilla do monitor CT, both for internal IT
purposes, as well as research into the WebPKI. It seems like crt.sh does
a great job already of handling cablint/x509lint of newly-observed certs.

What are you looking for Mozilla to provide here that isn't already
being accomplished by the community (e.g., crt.sh, censys.io, and others)?

Thanks,
J.C.

On 8/9/17 9:23 PM, Lee via dev-security-policy wrote:
> What's it going to take for mozilla to set up near real-time
> monitoring/auditing of certs showing up in ct logs?
>
> Lee
>
> On 8/9/17, Alex Gaynor via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>> (Whoops, accidentally CC'd to m.d.s originally! Original mail
>> was to IdenTrust)
>>
>> Hi,
>>
>> The following certificates appear to be misissued:
>>
>> https://crt.sh/?id=77893170&opt=cablint
>> https://crt.sh/?id=77947625&opt=cablint
>> https://crt.sh/?id=78102129&opt=cablint
>> https://crt.sh/?id=92235995&opt=cablint
>> https://crt.sh/?id=92235998&opt=cablint
>>
>> All of these certificates have a pathLenConstraint value with CA:FALSE,
>> this violates 4.2.1.9 of RFC 5280: CAs MUST NOT include the
>> pathLenConstraint field unless the cA boolean is asserted and the key usage
>> extension asserts the keyCertSign bit.
>>
>> Alex
>>
>> --
>> "I disapprove of what you say, but I will defend to the death your right to
>> say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
>> "The people's good is the highest law." -- Cicero
>> GPG Key fingerprint: D1B3 ADC0 E023 8CA6
>>
>> _______________________________________________
>> dev-security-policy mailing list
>> dev-security-policy@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-security-policy
>>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
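As an added example (not code from the thread, crt.sh or cablint), a stdlib-only Python check for the RFC 5280 4.2.1.9 rule Alex cites: it decodes the BasicConstraints and KeyUsage extension values straight from their DER bytes and reports a pathLenConstraint that appears with cA FALSE or without keyCertSign. The sample extension values at the bottom are constructed and are not taken from the certificates listed above.

```python
from typing import List, Optional, Tuple

KEY_CERT_SIGN_BIT = 5  # KeyUsage bit position, RFC 5280 4.2.1.3


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for one short-form DER TLV at pos."""
    tag, length = buf[pos], buf[pos + 1]
    if length >= 0x80:
        raise ValueError("long-form length not expected in these extensions")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def parse_basic_constraints(der: bytes) -> Tuple[bool, Optional[int]]:
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER OPTIONAL }  ->  (ca, path_len)."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("BasicConstraints value must be a SEQUENCE")
    ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == 0x01:  # BOOLEAN (absent means FALSE)
        _, val, pos = _read_tlv(body, pos)
        ca = val != b"\x00"
    if pos < len(body) and body[pos] == 0x02:  # INTEGER pathLenConstraint
        _, val, pos = _read_tlv(body, pos)
        path_len = int.from_bytes(val, "big", signed=True)
    return ca, path_len


def key_cert_sign_asserted(ku_der: Optional[bytes]) -> bool:
    """True if the KeyUsage BIT STRING has keyCertSign (bit 5) set."""
    if ku_der is None:
        return False
    tag, body, _ = _read_tlv(ku_der, 0)
    if tag != 0x03 or len(body) < 2:
        return False
    # body[0] is the unused-bit count; bit 0 is the MSB of body[1]
    return bool(body[1] & (0x80 >> KEY_CERT_SIGN_BIT))


def lint_path_len(bc_der: bytes, ku_der: Optional[bytes]) -> List[str]:
    """Return RFC 5280 4.2.1.9 findings for one certificate's extensions."""
    ca, path_len = parse_basic_constraints(bc_der)
    findings = []
    if path_len is not None:
        if not ca:
            findings.append("pathLenConstraint present but cA is FALSE")
        if not key_cert_sign_asserted(ku_der):
            findings.append("pathLenConstraint present but keyCertSign not asserted")
    return findings


# Constructed sample extension values (hypothetical, not from the thread's certs).
BC_CA_FALSE_PATHLEN0 = bytes.fromhex("3006010100020100")  # cA=FALSE, pathLen=0
BC_CA_TRUE_PATHLEN0 = bytes.fromhex("30060101ff020100")   # cA=TRUE, pathLen=0
KU_CERTSIGN_CRLSIGN = bytes.fromhex("03020106")           # keyCertSign|cRLSign
KU_DIGSIG_ONLY = bytes.fromhex("03020780")                # digitalSignature only
```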
