Yeah, it would be good to make it possible to filter https://crt.sh/?cablint=1+week by trust context.

On 01/10/2018 15:07, Alex Gaynor wrote:
A broader issue is that a lot of the certs listed on these pages are publicly-trusted, but not by the Mozilla Root Program, that is to say, Microsoft or Apple (or occasionally Adobe) trusts them.

misissued.com (which is currently erroring on all requests 😬) tried to address this by only showing certificates from CAs in the Mozilla Root Program, since that's the extent of our jurisdiction (and CAs applying for inclusion, which in some cases are ones which have a history of non-compliance under other root programs, but there's no way to programmatically tell if a CA is applying for inclusion).

Alex


On Mon, Oct 1, 2018 at 10:05 AM Rob Stradling via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

    On 01/10/2018 15:02, Doug Beattie via dev-security-policy wrote:
     > Hi Adriano,
     >
     > First, I didn't mean to call you out specifically, but you happened to be
     > first alphabetically, sorry.  I find this link very helpful to list all CAs
     > with errors or warnings: https://crt.sh/?cablint=1+week
     >
     > Second, how do you define a "test CA"?  I thought that any CA that chains to
     > a public root was by definition not a test CA,

    I agree with that.

     > and since the issued cert was
     > in CT logs, I assumed that your root was publicly trusted.  Maybe I'm
     > mistaken on one of these points

    Actually, some non-publicly-trusted roots are accepted by some of the
    logs that crt.sh monitors.

     > Doug
     >
     > -----Original Message-----
     > From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On
     > Behalf Of Adriano Santoni via dev-security-policy
     > Sent: Monday, October 1, 2018 9:49 AM
     > To: dev-security-policy@lists.mozilla.org
     > Subject: Re: Increasing number of Errors found in crt.sh
     >
     > Thank you Rob!
     >
     > If I am not mistaken, it seems to me that we have just 1 certificate in that
     > list, and it's a non-trusted certificate (it was issued by a test CA).
     >
     >
     > On 01/10/2018 15:43, Rob Stradling via dev-security-policy wrote:
     >> On 01/10/2018 14:38, Adriano Santoni via dev-security-policy wrote:
     >>> Is it possible to filter the list https://crt.sh/?cablint=issues
     >>> based on the issuing CA?
     >>
     >> Yes.
     >>
     >> First, visit this page:
     >> https://crt.sh/?cablint=1+week
     >>
     >> Next, click on the link in the "Issuer CN, OU or O" column that
     >> corresponds to the issuing CA you're interested in.
     >>
     >>> On 01/10/2018 15:26, Doug Beattie via dev-security-policy wrote:
     >>>> Hi Wayne and all,
     >>>>
     >>>> I've been noticing an increasing number of CA errors:
     >>>> https://crt.sh/?cablint=issues  Is anyone monitoring this list and asking
     >>>> for misissuance reports for those that are not compliant? There are 15
     >>>> different errors and around 300 individual errors (excluding the SHA-1
     >>>> "false" errors).  Some CAs are issuing certs to CNs of localhost, are
     >>>> including RFC822 SANs, not including OCSP links and many more.
     >>>>
     >>>> - Actalis,
     >>>> - Digicert,
     >>>> - Microsoft,
     >>>> -
     >>>>
     >>>> There are also some warning checks that should actually be errors, like
     >>>> underscores in CNs or SANs.
     >>>>
     >>>> Doug

    -- 
    Rob Stradling
    Senior Research & Development Scientist
    Email: r...@comodoca.com

    _______________________________________________
    dev-security-policy mailing list
    dev-security-policy@lists.mozilla.org
    https://lists.mozilla.org/listinfo/dev-security-policy


--
Rob Stradling
Senior Research & Development Scientist
Email: r...@comodoca.com
Bradford, UK
Office: +441274730505
ComodoCA.com
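As an added illustration of the two things the thread is circling, the per-certificate checks Doug lists (localhost CNs, RFC822 SANs, missing OCSP links, underscores, SHA-1) and the "trust context" filter Alex and Rob want (only report issuers that are actually in the Mozilla Root Program, as misissued.com did), here is a small self-contained Python script. It is not crt.sh, cablint or misissued.com code; the record layout, the issuer names and the program-membership set are constructed for the example, and the severities follow the thread's description rather than cablint's actual rule set.

```python
# Added illustration for this thread; it is not crt.sh, cablint or
# misissued.com code. It lints pre-parsed certificate records for the
# problems Doug lists and then restricts the report to issuers in a
# given root program, the "trust context" filter discussed above.
# The record layout, issuer names and program membership are constructed.
from dataclasses import dataclass, field


@dataclass
class CertRecord:
    """Minimal pre-parsed view of a leaf certificate (constructed layout)."""
    issuer: str
    cn: str
    dns_sans: list = field(default_factory=list)
    email_sans: list = field(default_factory=list)
    ocsp_urls: list = field(default_factory=list)
    sha1_signed: bool = False


# Constructed stand-in for "CAs in the Mozilla Root Program"; real
# tooling would load the actual root store and walk the chain instead.
MOZILLA_PROGRAM_ISSUERS = {"Example Public CA", "Another Public CA"}


def lint(rec):
    """Return (severity, message) findings, following the thread's own
    description of which checks are errors and which are warnings."""
    findings = []
    names = [rec.cn] + list(rec.dns_sans)
    if any(n.lower() == "localhost" for n in names):
        findings.append(("ERROR", "internal name 'localhost' in CN or SAN"))
    if rec.email_sans:
        findings.append(("ERROR", "rfc822Name SAN in a server certificate"))
    if not rec.ocsp_urls:
        findings.append(("ERROR", "no OCSP URL in authorityInfoAccess"))
    if rec.sha1_signed:
        findings.append(("ERROR", "certificate signed with SHA-1"))
    if any("_" in n for n in names):
        # Reported as a warning here because that is how Doug describes
        # the current cablint behaviour (he argues it should be an error).
        findings.append(("WARNING", "underscore in CN or dNSName SAN"))
    return findings


def report(records, program=MOZILLA_PROGRAM_ISSUERS, only_in_program=True):
    """Group findings by issuer, optionally dropping issuers outside the
    program, which is the filter misissued.com applied for Mozilla."""
    by_issuer = {}
    for rec in records:
        if only_in_program and rec.issuer not in program:
            continue
        findings = lint(rec)
        if findings:
            by_issuer.setdefault(rec.issuer, []).extend(findings)
    return by_issuer


# Constructed sample: two certs from program CAs, one from a test CA
# whose root is accepted by some CT logs but is not publicly trusted.
SAMPLE = [
    CertRecord("Example Public CA", "localhost", ["localhost"],
               ocsp_urls=["http://ocsp.example.test"]),
    CertRecord("Another Public CA", "my_host.example.test",
               ["my_host.example.test"], email_sans=["admin@example.test"]),
    CertRecord("Test CA Only", "www.example.test", ["www.example.test"]),
]

if __name__ == "__main__":
    for issuer, findings in report(SAMPLE).items():
        for severity, msg in findings:
            print(f"{issuer}: {severity}: {msg}")
```

Run with the program filter on, the "Test CA Only" record disappears from the report even though it has a finding, which is the effect Rob and Alex are asking crt.sh's cablint page to offer; pass `only_in_program=False` to get the unfiltered view the page shows today.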
