On 01/10/2018 16:51, Rob Stradling via dev-security-policy wrote:
Hi Iñigo.

I suspect it's because my script that produces the 1 week summary data [1] isn't using a consistent view of the underlying linting results throughout its processing.  Hopefully this [2] will fix it.

Doh.  [2] was ineffective.  I'll have another look at this sometime.

100% errors from that Comodo issuing CA is because it's issuing SHA-1 certs that chain to a no-longer-publicly-trusted root.


[1] https://github.com/crtsh/certwatch_db/blob/master/lint_update_1week_stats.sql

[2] https://github.com/crtsh/certwatch_db/commit/8ce0c96c9c50bfb51db33c6f44c9c1d1a9f5a96c

On 01/10/2018 15:35, Inigo Barreira wrote:
And checking this site, how can Comodo have more certs with errors (15030) than certs issued (15020).

Regards
________________________________________
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> on behalf of Adriano Santoni via dev-security-policy <dev-security-policy@lists.mozilla.org>
Sent: Monday, October 01, 2018 10:09 PM
To: Rob Stradling; Doug Beattie
Cc: mozilla-dev-security-policy
Subject: Re: Increasing number of Errors found in crt.sh

I also agree.

As I said before, that's a non-trusted certificate. It was issued by a
test CA that does /not/ chain to a public root.


On 01/10/2018 16:04, Rob Stradling wrote:
On 01/10/2018 15:02, Doug Beattie via dev-security-policy wrote:
Hi Adriano,

First, I didn't mean to call you out specifically, but you happened to be first alphabetically, sorry.  I find this link very helpful to list all CAs with errors or warnings: https://crt.sh/?cablint=1+week

Second, how do you define a "test CA"?  I thought that any CA that chains to a public root was by definition not a test CA,

I agree with that.

and since the issued cert was in CT logs, I assumed that your root was publicly trusted. Maybe I'm mistaken on one of these points.

Actually, some non-publicly-trusted roots are accepted by some of the logs that crt.sh monitors.

Doug

-----Original Message-----
From: dev-security-policy
<dev-security-policy-boun...@lists.mozilla.org> On
Behalf Of Adriano Santoni via dev-security-policy
Sent: Monday, October 1, 2018 9:49 AM
To: dev-security-policy@lists.mozilla.org
Subject: Re: Increasing number of Errors found in crt.sh

Thank you Rob!

If I am not mistaken, it seems to me that we have just 1 certificate in that list, and it's a non-trusted certificate (it was issued by a test CA).


On 01/10/2018 15:43, Rob Stradling via dev-security-policy wrote:
On 01/10/2018 14:38, Adriano Santoni via dev-security-policy wrote:
Is it possible to filter the list https://crt.sh/?cablint=issues based on the issuing CA?

Yes.

First, visit this page:
https://crt.sh/?cablint=1+week

Next, click on the link in the "Issuer CN, OU or O" column that corresponds to the issuing CA you're interested in.

On 01/10/2018 15:26, Doug Beattie via dev-security-policy wrote:
Hi Wayne and all,


I've been noticing an increasing number of CA errors, https://crt.sh/?cablint=issues  Is anyone monitoring this list and asking for misissuance reports for those that are not compliant? There are 15 different errors and around 300 individual errors (excluding the SHA-1 "false" errors).  Some CAs are issuing certs to CNs of localhost, are including RFC822 SANs, not including OCSP links and many more.

- Actalis,
- Digicert,
- Microsoft,
-


There are also some warning checks that should actually be errors like underscores in CNs or SANs.


Doug



--
Rob Stradling
Senior Research & Development Scientist
Email: r...@comodoca.com
Bradford, UK
Office: +441274730505
ComodoCA.com

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
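The problem classes Doug lists (localhost CNs, RFC822 SANs, missing OCSP links, underscores in names, SHA-1 signatures) and the per-issuer weekly counts Iñigo and Rob discuss, as an added Python example that is not code from this thread, from crt.sh or from cablint; the `Cert` record, its field names, the `lint`/`weekly_summary` functions and the sample issuers are constructed assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field
# Already-parsed cert record (constructed; real code would parse the DER cert).
@dataclass
class Cert:
    issuer: str                       # issuer CN, as in crt.sh's issuer column
    cn: str
    dns_sans: list = field(default_factory=list)
    rfc822_sans: list = field(default_factory=list)
    ocsp_urls: list = field(default_factory=list)  # from authorityInfoAccess
    sig_alg: str = "sha256WithRSAEncryption"

def lint(cert):
    """Return (errors, warnings) for one cert, covering the problem classes the
    thread names. Underscores stay a warning, which Doug argues is too lenient."""
    errors, warnings = [], []
    names = [cert.cn] + cert.dns_sans
    if any(n.lower() == "localhost" for n in names):
        errors.append("CN or SAN is localhost")
    if cert.rfc822_sans:
        errors.append("rfc822Name present in subjectAltName")
    if not cert.ocsp_urls:
        errors.append("no OCSP URL in authorityInfoAccess")
    if cert.sig_alg.lower().startswith("sha1"):
        errors.append("SHA-1 signature algorithm")
    if any("_" in n for n in names):
        warnings.append("underscore in CN or SAN")
    return errors, warnings

def weekly_summary(certs, ignore_sha1=False):
    """Per-issuer (certs issued, certs with errors) counted from one snapshot, so
    errors can never exceed issued; Rob suspects an inconsistent view of the lint
    results is behind crt.sh's 15030 > 15020. ignore_sha1 drops SHA-1 errors."""
    issued, with_errors = Counter(), Counter()
    for c in certs:
        issued[c.issuer] += 1
        errs, _ = lint(c)
        if ignore_sha1:
            errs = [e for e in errs if not e.startswith("SHA-1")]
        if errs:
            with_errors[c.issuer] += 1
    return {iss: (issued[iss], with_errors[iss]) for iss in issued}

# Constructed sample: three certs from two hypothetical issuing CAs.
SAMPLE = [
    Cert("Example Issuing CA 1", "localhost", ocsp_urls=["http://ocsp.example"]),
    Cert("Example Issuing CA 1", "www.example.org", ocsp_urls=["http://ocsp.example"]),
    Cert("Example Issuing CA 2", "www.example.net", ["my_host.example.net"],
         ocsp_urls=["http://ocsp.example"], sig_alg="sha1WithRSAEncryption"),
]
```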
