Yeah, it would be good to make it possible to filter
https://crt.sh/?cablint=1+week by trust context.
On 01/10/2018 15:07, Alex Gaynor wrote:
A broader issue is that a lot of the certs listed on these pages are
publicly-trusted, but not by the Mozilla Root Program, that is to say,
Microsoft or Apple (or occasionally Adobe) trusts them.
misissued.com (which is currently erroring on all
requests 😬) tried to address this by only showing certificates from
CAs in the Mozilla Root Program, since that's the extent of our
jurisdiction (and CAs applying for inclusion, which in some cases are
ones which have a history of non-compliance under other root programs,
but there's no way to programmatically tell if a CA is applying for
inclusion).
Alex
On Mon, Oct 1, 2018 at 10:05 AM Rob Stradling via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:
On 01/10/2018 15:02, Doug Beattie via dev-security-policy wrote:
> Hi Adriano,
>
> First, I didn't mean to call you out specifically, but you happened to be
> first alphabetically, sorry. I find this link very helpful to list all CAs
> with errors or warnings: https://crt.sh/?cablint=1+week
>
> Second, how do you define a "test CA"? I thought that any CA that chains to
> a public root was by definition not a test CA,
I agree with that.
> and since the issued cert was
> in CT logs, I assumed that your root was publicly trusted. Maybe I'm
> mistaken on one of these points
Actually, some non-publicly-trusted roots are accepted by some of the
logs that crt.sh monitors.
> Doug
>
> -----Original Message-----
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On
> Behalf Of Adriano Santoni via dev-security-policy
> Sent: Monday, October 1, 2018 9:49 AM
> To: dev-security-policy@lists.mozilla.org
> Subject: Re: Increasing number of Errors found in crt.sh
>
> Thank you Rob!
>
> If I am not mistaken, it seems to me that we have just 1 certificate in that
> list, and it's a non-trusted certificate (it was issued by a test CA).
>
>
> On 01/10/2018 15:43, Rob Stradling via dev-security-policy wrote:
>> On 01/10/2018 14:38, Adriano Santoni via dev-security-policy wrote:
>>> Is it possible to filter the list https://crt.sh/?cablint=issues
>>> based on the issuing CA ?
>>
>> Yes.
>>
>> First, visit this page:
>> https://crt.sh/?cablint=1+week
>>
>> Next, click on the link in the "Issuer CN, OU or O" column that
>> corresponds to the issuing CA you're interested in.
>>
>>> On 01/10/2018 15:26, Doug Beattie via dev-security-policy wrote:
>>>> Hi Wayne and all,
>>>>
>>>>
>>>> I've been noticing an increasing number of CA errors,
>>>> https://crt.sh/?cablint=issues Is anyone monitoring this list and
>>>> asking for misissuance reports for those that are not compliant?
>>>> There are 15 different errors and around 300 individual errors
>>>> (excluding the SHA-1 "false" errors). Some CAs are issuing certs to
>>>> CNs of localhost, are including RFC822 SANs, not including OCSP links
>>>> and many more.
>>>>
>>>> - Actalis,
>>>>
>>>> - Digicert,
>>>>
>>>> - Microsoft,
>>>>
>>>> -
>>>>
>>>>
>>>> There are also some warning checks that should actually be errors like
>>>> underscores in CNs or SANs.
>>>>
>>>>
>>>> Doug
--
Rob Stradling
Senior Research & Development Scientist
Email: r...@comodoca.com
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
--
Rob Stradling
Senior Research & Development Scientist
Email: r...@comodoca.com
Bradford, UK
Office: +441274730505
ComodoCA.com