I also agree. As I said before, that's a non-trusted certificate. It was issued by a test CA that does /not/ chain to a public root.

On 01/10/2018 16:04, Rob Stradling wrote:
> On 01/10/2018 15:02, Doug Beattie via dev-security-policy wrote:
>> Hi Adriano,
>>
>> First, I didn't mean to call you out specifically, but you happened to be first alphabetically, sorry. I find this link very helpful to list all CAs with errors or warnings: https://crt.sh/?cablint=1+week
>>
>> Second, how do you define a "test CA"? I thought that any CA that chains to a public root was by definition not a test CA,
>
> I agree with that.
>
>> and since the issued cert was in CT logs, I assumed that your root was publicly trusted. Maybe I'm mistaken on one of these points
>
> Actually, some non-publicly-trusted roots are accepted by some of the logs that crt.sh monitors.
>
>> Doug
>>
>> -----Original Message-----
>> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Adriano Santoni via dev-security-policy
>> Sent: Monday, October 1, 2018 9:49 AM
>> To: dev-security-policy@lists.mozilla.org
>> Subject: Re: Increasing number of Errors found in crt.sh
>>
>> Thank you Rob!
>>
>> If I am not mistaken, it seems to me that we have just 1 certificate in that list, and it's a non-trusted certificate (it was issued by a test CA).
>>
>> On 01/10/2018 15:43, Rob Stradling via dev-security-policy wrote:
>>> On 01/10/2018 14:38, Adriano Santoni via dev-security-policy wrote:
>>>> Is it possible to filter the list https://crt.sh/?cablint=issues based on the issuing CA?
>>>
>>> Yes. First, visit this page: https://crt.sh/?cablint=1+week
>>>
>>> Next, click on the link in the "Issuer CN, OU or O" column that corresponds to the issuing CA you're interested in.
>>>
>>>> On 01/10/2018 15:26, Doug Beattie via dev-security-policy wrote:
>>>>> Hi Wayne and all,
>>>>>
>>>>> I've been noticing an increasing number of CA errors, https://crt.sh/?cablint=issues
>>>>>
>>>>> Is anyone monitoring this list and asking for misissuance reports for those that are not compliant? There are 15 different errors and around 300 individual errors (excluding the SHA-1 "false" errors). Some CAs are issuing certs to CNs of localhost, are including RFC822 SANs, not including OCSP links and many more.
>>>>>
>>>>> - Actalis,
>>>>> - Digicert,
>>>>> - Microsoft,
>>>>> -
>>>>>
>>>>> There are also some warning checks that should actually be errors like underscores in CNs or SANs.
>>>>>
>>>>> Doug
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy