I logged two of those five certificates (https://crt.sh/?id=308392091 and https://crt.sh/?id=307753186) to Argon, as part of a project to log every certificate in the censys.io database to a public CT log. I believe Censys found them by scanning all of IPv4 and grabbing the default (i.e. no SNI) certificate presented on port 443.
Given that this method will not uncover every certificate ever issued, and that Certum isn't or wasn't checking for weak keys and isn't logging certificates to CT, should Mozilla ask Certum to scan every currently-valid certificate they have issued for weak keys?

Alex

On Mon, Feb 5, 2018 at 2:56 PM, Hanno Böck via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> On Mon, 5 Feb 2018 12:07:06 -0500
> Eric Mill via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>
>> WoSign and StartCom are untrusted, but Certum is still trusted, right?
>
> Yes.
>
> In case that was unclear: The sentence "As we all know these are no
> longer trusted by Mozilla, ..." was referring to the chapter above,
> i.e. the three Startcom+Wosign certs, not the whole mail.
>
> --
> Hanno Böck
> https://hboeck.de/
>
> mail/jabber: ha...@hboeck.de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy