Thanks Wayne.

 

Rob, Adriano: I had no idea that crt.sh included logs that supported test 
roots or roots that weren't in some/all root programs.  I assumed these were 
all production level roots that needed to comply with the BRs.  Thanks for that 
tidbit!

 

Alex: I’ll keep an eye on https://misissued.com  and use that as a better, more 
filtered report once it returns to life.

 

Doug

 

 

From: Wayne Thayer <wtha...@mozilla.com> 
Sent: Monday, October 1, 2018 2:58 PM
To: Doug Beattie <doug.beat...@globalsign.com>
Cc: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: Increasing number of Errors found in crt.sh

 

Doug,

 

Responding to your original question, I look at crt.sh and other data sources 
for certificate errors when reviewing inclusion requests or doing other sorts 
of investigations. I am not currently reviewing the crt.sh report for 
misissuance on a regular basis, but maybe I should.

 

I went through the current list and identified the following problems affecting 
certificates trusted by Mozilla:

* KIR S.A.: Multiple issues - 
https://bugzilla.mozilla.org/show_bug.cgi?id=1495497

* Government of Spain FNMT: OU exceeds 64 characters - 
https://bugzilla.mozilla.org/show_bug.cgi?id=1495507

* Assecco DS (Certum): Unallowed key usage for EC public key - 
https://bugzilla.mozilla.org/show_bug.cgi?id=1495518

* Certinomis: issued & revoked a precertificate containing a SAN of 'www', 
didn't report it - https://bugzilla.mozilla.org/show_bug.cgi?id=1495524

 

- Wayne

 

On Mon, Oct 1, 2018 at 8:51 AM Rob Stradling via dev-security-policy 
<dev-security-policy@lists.mozilla.org> wrote:

Hi Iñigo.

I suspect it's because my script that produces the 1 week summary data 
[1] isn't using a consistent view of the underlying linting results 
throughout its processing.  Hopefully this [2] will fix it.

100% errors from that Comodo issuing CA is because it's issuing SHA-1 
certs that chain to a no-longer-publicly-trusted root.


[1] 
https://github.com/crtsh/certwatch_db/blob/master/lint_update_1week_stats.sql

[2] 
https://github.com/crtsh/certwatch_db/commit/8ce0c96c9c50bfb51db33c6f44c9c1d1a9f5a96c

On 01/10/2018 15:35, Inigo Barreira wrote:
> And checking this site, how can Comodo have more certs with errors (15030) 
> than certs issued (15020).
> 
> Regards
> ________________________________________
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> on behalf of Adriano 
> Santoni via dev-security-policy <dev-security-policy@lists.mozilla.org>
> Sent: Monday, October 01, 2018 10:09 PM
> To: Rob Stradling; Doug Beattie
> Cc: mozilla-dev-security-policy
> Subject: Re: Increasing number of Errors found in crt.sh
> 
> I also agree.
> 
> As I said before, that's a non-trusted certificate. It was issued by a
> test CA that does /not/ chain to a public root.
> 
> 
> On 01/10/2018 16:04, Rob Stradling wrote:
>> On 01/10/2018 15:02, Doug Beattie via dev-security-policy wrote:
>>> Hi Adriano,
>>>
>>> First, I didn't mean to call you out specifically, but you happened to be
>>> first alphabetically, sorry.  I find this link very helpful to list all CAs
>>> with errors or warnings: https://crt.sh/?cablint=1+week
>>>
>>> Second, how do you define a "test CA"?  I thought that any CA that chains to
>>> a public root was by definition not a test CA,
>>
>> I agree with that.
>>
>>> and since the issued cert was in CT logs, I assumed that your root was
>>> publicly trusted. Maybe I'm mistaken on one of these points
>>
>> Actually, some non-publicly-trusted roots are accepted by some of the
>> logs that crt.sh monitors.
>>
>>> Doug
>>>
>>> -----Original Message-----
>>> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On
>>> Behalf Of Adriano Santoni via dev-security-policy
>>> Sent: Monday, October 1, 2018 9:49 AM
>>> To: dev-security-policy@lists.mozilla.org
>>> Subject: Re: Increasing number of Errors found in crt.sh
>>>
>>> Thank you Rob!
>>>
>>> If I am not mistaken, it seems to me that we have just 1 certificate in that
>>> list, and it's a non-trusted certificate (it was issued by a test CA).
>>>
>>>
>>> On 01/10/2018 15:43, Rob Stradling via dev-security-policy wrote:
>>>> On 01/10/2018 14:38, Adriano Santoni via dev-security-policy wrote:
>>>>> Is it possible to filter the list https://crt.sh/?cablint=issues
>>>>> based on the issuing CA?
>>>>
>>>> Yes.
>>>>
>>>> First, visit this page:
>>>> https://crt.sh/?cablint=1+week
>>>>
>>>> Next, click on the link in the "Issuer CN, OU or O" column that
>>>> corresponds to the issuing CA you're interested in.
>>>>
>>>>> On 01/10/2018 15:26, Doug Beattie via dev-security-policy wrote:
>>>>>> Hi Wayne and all,
>>>>>>
>>>>>> I've been noticing an increasing number of CA errors,
>>>>>> https://crt.sh/?cablint=issues  Is anyone monitoring this list and asking
>>>>>> for misissuance reports for those that are not compliant? There are 15
>>>>>> different errors and around 300 individual errors (excluding the SHA-1
>>>>>> "false" errors).  Some CAs are issuing certs to CNs of localhost, are
>>>>>> including RFC822 SANs, not including OCSP links and many more.
>>>>>>
>>>>>> - Actalis,
>>>>>> - Digicert,
>>>>>> - Microsoft,
>>>>>> -
>>>>>>
>>>>>> There are also some warning checks that should actually be errors like
>>>>>> underscores in CNs or SANs.
>>>>>>
>>>>>> Doug
>>

-- 
Rob Stradling
Senior Research & Development Scientist
Email: r...@comodoca.com
Bradford, UK
Office: +441274730505
ComodoCA.com

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


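The thread names a handful of concrete lint findings (an OU longer than 64 characters, keyEncipherment asserted on an EC key, a SAN of 'www', CNs of localhost, rfc822Name SANs, missing OCSP URIs, underscores in DNS names) and one reporting quirk (more certs "with errors" than "issued" for a single issuer). The following is an added example, not crt.sh's cablint, the certwatch_db code, or anything any poster wrote: a small rule engine that applies those checks to a plain dict describing an already-parsed certificate, plus a per-issuer summary computed over one fixed snapshot so the "with errors" count cannot exceed the "issued" count. The dict layout and the three sample certificates are constructed for illustration; the limits come from X.520 (ub-organizational-unit-name = 64) and RFC 5480 section 3 (no keyEncipherment/dataEncipherment for EC keys).

```python
"""Certificate lint checks for the issue classes discussed on the list.

Added example (not crt.sh / certwatch_db code). Input is a dict of parsed
certificate fields, so it runs offline; sample certs below are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass

ERROR, WARNING = "error", "warning"
UB_OU = 64                                               # X.520 ub-organizational-unit-name
EC_FORBIDDEN_KU = {"keyEncipherment", "dataEncipherment"}  # RFC 5480 s.3
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str
    message: str


def _dns_names(cert):
    """SAN dNSName entries followed by the subject CN (if any)."""
    names = [n[4:] for n in cert.get("san", []) if n.startswith("DNS:")]
    cn = cert.get("subject", {}).get("CN")
    if cn:
        names.append(cn)
    return names


def check_ou_length(cert):
    for ou in cert.get("subject", {}).get("OU", []):
        if len(ou) > UB_OU:
            yield Finding(ERROR, f"OU exceeds {UB_OU} characters ({len(ou)})")


def check_ec_key_usage(cert):
    if cert.get("key_type") == "EC":
        for ku in sorted(EC_FORBIDDEN_KU & set(cert.get("key_usage", []))):
            yield Finding(ERROR, f"key usage {ku} not allowed for EC public key")


def check_dns_names(cert):
    for name in _dns_names(cert):
        labels = name.split(".")
        if len(labels) < 2:
            # 'www' or 'localhost': a single label is not a registrable FQDN
            yield Finding(ERROR, f"name {name!r} is not a fully-qualified domain name")
            continue
        for label in labels:
            if "_" in label:
                # reported as a warning here, mirroring the thread's complaint
                yield Finding(WARNING, f"underscore in DNS name {name!r}")
            elif not LABEL_RE.match(label):
                yield Finding(ERROR, f"invalid DNS label {label!r} in {name!r}")


def check_rfc822_san(cert):
    for n in cert.get("san", []):
        if n.startswith("email:"):
            yield Finding(ERROR, f"rfc822Name SAN {n[6:]!r} in a server certificate")


def check_ocsp(cert):
    if not cert.get("aia_ocsp"):
        yield Finding(ERROR, "no OCSP URI in Authority Information Access")


CHECKS = [check_ou_length, check_ec_key_usage, check_dns_names, check_rfc822_san, check_ocsp]


def lint(cert):
    """Run every check and return the findings in check order."""
    return [f for check in CHECKS for f in check(cert)]


def summarize(certs):
    """Per-issuer (issued, with_errors) over ONE snapshot of the input.

    Because both counters are derived from the same list in one pass,
    with_errors <= issued always holds, unlike a report that reads the
    certificate table and the lint-result table at different moments."""
    issued, with_errors = Counter(), Counter()
    for cert in certs:
        issued[cert["issuer"]] += 1
        if any(f.severity == ERROR for f in lint(cert)):
            with_errors[cert["issuer"]] += 1
    return {iss: (issued[iss], with_errors[iss]) for iss in issued}


# Constructed sample certificates (not real issuers or subjects).
CLEAN = {"issuer": "Example CA 1", "subject": {"CN": "www.example.com", "OU": ["IT"]},
         "san": ["DNS:www.example.com", "DNS:example.com"], "key_type": "RSA",
         "key_usage": ["digitalSignature", "keyEncipherment"],
         "aia_ocsp": ["http://ocsp.example.test"]}
EC_BAD = {"issuer": "Example CA 1", "subject": {"CN": "api.example.com", "OU": ["x" * 70]},
          "san": ["DNS:api.example.com"], "key_type": "EC",
          "key_usage": ["digitalSignature", "keyEncipherment"],
          "aia_ocsp": ["http://ocsp.example.test"]}
INTERNAL = {"issuer": "Example CA 2", "subject": {"CN": "localhost", "OU": []},
            "san": ["DNS:www", "DNS:mail_1.example.com", "email:admin@example.com"],
            "key_type": "RSA", "key_usage": ["digitalSignature"], "aia_ocsp": []}
SAMPLE_CERTS = [CLEAN, EC_BAD, INTERNAL]

if __name__ == "__main__":
    for cert in SAMPLE_CERTS:
        for f in lint(cert):
            print(f"{cert['subject']['CN']}: {f.severity}: {f.message}")
    print(summarize(SAMPLE_CERTS))
```

Each check is a generator over one field of the certificate, so adding a rule means adding one function to CHECKS; the summary deliberately reuses `lint` on the same in-memory list rather than joining two separately refreshed tables.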
