On 17/05/2019 07:21, Jakob Bohm wrote: > On 17/05/2019 01:39, Wayne Thayer wrote: >> On Thu, May 16, 2019 at 4:23 PM Wayne Thayer <wtha...@mozilla.com> wrote: >> >> I will soon file a bug requesting removal of the “Certinomis - Root CA” >>> from NSS. >>> >> >> This is https://bugzilla.mozilla.org/show_bug.cgi?id=1552374 >> > > To more accurately assess the impact of distrust, maybe someone with > better crt.sh skills than me should produce a list of current > certificates filtered as follows: > > - Sort by O= (organization), thus grouping together certificates that > were issued to the same organization (for example, there are many > issued to divisions of LA POSTE). > - Exclude certificates that expire on or before 2019-08-31, as those > will be unaffected by a September distrust. > - Exclude certificates issued after 2019-05-17 (today), as Certinomis > should be aware of the likely distrust by tonight. >
To clarify, this is intended as an improvement to the statistics Andrew Ayer posted at https://bugzilla.mozilla.org/show_bug.cgi?id=1552374#c1 . I am posting it in the thread to increase the chance someone with the skills will see it and run the query. I expect it to show a surprisingly small number of certificate holders, indicating the real impact of revocation to be much smaller than one would expect from the raw count of 1381 certificates. This in turn could inform the mitigations or other proactive steps to reduce relying party (user) impact of distrust, if distrust is accepted by Kathleen. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
