I searched through the list of certificates that Rob provided and didn't find any new issues (no valid certificates and none that had been issues since Jan 1, 2017 and not previously disclosed.
I've requested an incident report from QuoVadis for the one new certificate that Hanno identified via https://bugzilla.mozilla.org/show_bug.cgi?id=1472052 - Wayne On Mon, Jun 18, 2018 at 6:57 AM Alex Gaynor via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Sorry -- digging into that 500 was on my plate, but there was a logging bug > on errors... and then some poor docs for the framework I'm using... and > before you know it, the yak stack was piled high. I'll cycle around to that > again this evening. > > Alex > > On Mon, Jun 18, 2018 at 9:53 AM Rob Stradling via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > On 17/06/18 21:09, Daniel Cater via dev-security-policy wrote: > > > On Monday, 14 May 2018 15:25:43 UTC+1, Rob Stradling > > >> I'm currently running the check against all of the certs on the crt.sh > > >> DB. I'll report back once this has completed. > > > > > > Hi Rob, > > > > > > Did your checks find anything else in the end? > > > > Hi Daniel. Thanks for the reminder. :-) > > > > I found a total of 1,589 certs on the crt.sh DB with Debian weak keys, > > and I did intend to publish a report. I figured that creating a new > > batch on misissued.com would be the best way to present the data, but > > that gives me an HTTP 500 response whenever I try to submit the list of > > crt.sh IDs. > > > > Until misissued.com lets me submit the list, you can find the list of > > affected certs in a table on the crt.sh DB called "has_debian_weak_key". > > > > -- > > Rob Stradling > > Senior Research & Development Scientist > > Email: r...@comodoca.com > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
