On Mon, Feb 5, 2018 at 4:33 PM, Alex Cohn via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> I logged two of those five certificates (https://crt.sh/?id=308392091
> and https://crt.sh/?id=307753186) to Argon, as part of a project to
> log every certificate in the censys.io database to a public CT log. I
> believe Censys found them by scanning all of IPv4 and grabbing the
> default (i.e. no SNI) certificate presented on port 443.
>
> Given that this method will not uncover every certificate ever issued,
> and that Certum isn't or wasn't checking for weak keys and isn't
> logging certificates to CT, should Mozilla ask Certum to scan every
> currently-valid certificate they have issued for weak keys?
>

Thanks for pointing this out Alex. I would like to think that this is required by the incident report, but it's not specifically called out, so I added this request to the bug.

> Alex
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy