Re: Increasing number of Errors found in crt.sh

Mon, 01 Oct 2018 07:10:00 -0700 

I also agree.
As I said before, that's a non-trusted certificate. It was issued by a test CA that does /not/ chain to a public root. 


Il 01/10/2018 16:04, Rob Stradling ha scritto:

On 01/10/2018 15:02, Doug Beattie via dev-security-policy wrote:

Hi Adriano,


First, I didn't mean to call you out specifically, but you happened 
to be
first alphabetically, sorry.  I find this link very helpful to list 
all CAs

with errors or warnings: https://crt.sh/?cablint=1+week


Second, How do you define a "test CA"?  I thought that any CA that 
chains to

a public root was by definition not a test CA,


I agree with that.


and since the issued cert was
in CT logs, I assumed that your root was publicly trusted. Maybe I'm
mistaken on one of these points



Actually, some non-publicly-trusted roots are accepted by some of the 
logs that crt.sh monitors.



Doug

-----Original Message-----

From: dev-security-policy 
<dev-security-policy-boun...@lists.mozilla.org> On

Behalf Of Adriano Santoni via dev-security-policy
Sent: Monday, October 1, 2018 9:49 AM
To: dev-security-policy@lists.mozilla.org
Subject: Re: Increasing number of Errors found in crt.sh

Thank you Rob!


If I am not mistaken, it seems to me that we have just 1 certificate 
in that

list, and it's a non-trusted certificate (it was issued by a test CA).


Il 01/10/2018 15:43, Rob Stradling via dev-security-policy ha scritto:

On 01/10/2018 14:38, Adriano Santoni via dev-security-policy wrote:

Is it possible to filter the list https://crt.sh/?cablint=issues
based on the issuing CA ?


Yes.

First, visit this page:
https://crt.sh/?cablint=1+week

Next, click on the link in the "Issuer CN, OU or O" column that
corresponds to the issuing CA you're interested in.


Il 01/10/2018 15:26, Doug Beattie via dev-security-policy ha scritto:

Hi Wayne and all,


I've been noticing an increasing number of CA errors,
https://crt.sh/?cablint=issues  Is anyone monitoring this list and
asking

for misissuance reports for those that are not compliant? There 
are 15
different errors and around 300 individual errors (excluding the 
SHA-1

"false" errors).  Some CAs are issuing certs to CNs of localhost, are
including RFC822 SANs, not including OCSP links and many more.

-          Actalis,

-          Digicert,

-          Microsoft,

-



There are also some warning checks that should actually be errors 
like

underscores in CNs or SANs.


Doug





Attachment:
smime.p7s

Description: Firma crittografica S/MIME


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy






















					Reply via email to