Is there a way to filter out the revoked and non-TLS/SMIME ICAs?  

-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On 
Behalf Of Rob Stradling via dev-security-policy
Sent: Wednesday, June 17, 2020 5:07 AM
To: dev-security-policy <dev-security-policy@lists.mozilla.org>
Subject: crt.sh: CA Issuers monitor (was Re: CA Issuer AIA URL content types)

Inspired by last month's email threads and Bugzilla issues relating to CA 
Issuers misconfigurations, I've just finished adding a new feature to crt.sh...

https://crt.sh/ca-issuers

Sadly, this highlights plenty of misconfigurations and other problems: PEM 
instead of DER, certs for the wrong CAs, wrong Content-Types, 404s, 
non-existent domain names, connection timeouts.  I encourage CAs to take a look 
and see what they can fix.  (Also, comments welcome :-) ).

While I'm here, here's a quick reminder of some other crt.sh features relating 
to CA compliance issues:
https://crt.sh/ocsp-responders
https://crt.sh/test-websites
https://crt.sh/mozilla-disclosures

________________________________
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> on 
behalf of Ryan Sleevi via dev-security-policy 
<dev-security-policy@lists.mozilla.org>
Sent: 22 May 2020 21:52
To: Hanno Böck <ha...@hboeck.de>
Cc: r...@sleevi.com <r...@sleevi.com>; dev-security-policy@lists.mozilla.org 
<dev-security-policy@lists.mozilla.org>
Subject: Re: CA Issuer AIA URL content types

CAUTION: This email originated from outside of the organization. Do not click 
links or open attachments unless you recognize the sender and know the content 
is safe.


I believe you've still implied, even in this reply, that this is something 
serious or important. I see no reason to believe that is the case, and I wasn't 
sure if there was anything more than a "Here's a SHOULD and here's people not 
doing it," which doesn't seem that useful to me.

On Fri, May 22, 2020 at 2:52 PM Hanno Böck <ha...@hboeck.de> wrote:

> Hi,
>
> On Fri, 22 May 2020 09:55:22 -0400
> Ryan Sleevi via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>
> > Could you please cite more specifically what you believe is wrong 
> > here? This is only a SHOULD level requirement.
>
> I think I said that more or less:
>
> > > I'm not going to file individual reports for the CAs. Based on 
> > > previous threads I don't believe these are strictly speaking rule 
> > > violations.
>
> I'm not claiming this is a severe issue or anything people should be 
> worried about.
> It's merely that while analyzing some stuff I observed that AIA fields 
> aren't as reliable as one might want (see also previous mails) and the 
> mime types are one more observation I made where things aren't what 
> they probably SHOULD be.
> I thought I'd share this observation with the community.
>
> --
> Hanno Böck
> https://hboeck.de/
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to