On Wednesday, 18 October 2017 11:15:03 UTC+2, Rob Stradling wrote:
> I've completed a full scan of the crt.sh DB, which found 171 certs with 
> ROCA fingerprints.
> 
> The list is at https://misissued.com/batch/28/
> 
> Many of these are Qualified/EUTL certs rather than anything to do with 
> the WebPKI.  Only about half of them chain to roots that are trusted by NSS.
> 
> On 17/10/17 14:49, Rob Stradling via dev-security-policy wrote:
> > On 16/10/17 23:15, Jakob Bohm via dev-security-policy wrote:
> > <snip>
> >> Unfortunately, as of right now, their github repository still doesn't
> >> include the promised C/C++ implementation,
> > 
> > Hi Jakob.  Today I ended up rewriting the ROCA fingerprint checker in C 
> > (using OpenSSL BIGNUM calls) to get it working in crt.sh.  In case it's 
> > useful, here's a Gist:
> > 
> > https://gist.github.com/robstradling/f525d423c79690b72e650e2ad38a161d
> > 
> > Build it with -lcrypto and pipe a DER cert to STDIN
> 
> -- 
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online

Hi Rob, all,
we are regarding this as an incident although all D-Trust related certificates 
are Qualified/EUTL certs governed by national German law as noted by Rob and 
are chaining up to roots that are trusted by NSS. Nevertheless an incident 
report will be provided tomorrow (2017/10/19).

Kim Nguyen, D-Trust
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
