Re: Discovering unlogged certificates in internet-wide scans

2018-04-12 Thread Tim Smith via dev-security-policy
Hi Stephen, Thank you for the correction; I regret the error. On Tue, Apr 10, 2018 at 8:12 AM Stephen Davidson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > These certificates are compliant with the BR and contain the required > extKeyUsage values for both id-kp-serve

Re: Discovering unlogged certificates in internet-wide scans

2018-04-09 Thread Tim Smith via dev-security-policy
On Mon, Apr 9, 2018 at 9:46 AM Daymion Reynolds via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > As an FYI only: > > We did review the one cert cited below for term length. The certificate > was issued in 2013 before the current max term duration was defined. This > cert

Re: Discovering unlogged certificates in internet-wide scans

2018-03-31 Thread Tim Smith via dev-security-policy
On Sat, Mar 31, 2018 at 6:28 PM, Michael Casadevall via dev-security-policy wrote: > Pretty interesting read, and always happy to see more information go > into CT. One thing I couldn't divine from your data was how did you look > for non-HTTPS services? Did you port scan and do service discovery,

Re: Discovering unlogged certificates in internet-wide scans

2018-03-31 Thread Tim Smith via dev-security-policy
On Sat, Mar 31, 2018 at 3:26 PM, Kurt Roeckx wrote: > Have you done the for their other scans? I haven't. The Rapid7 HTTPS corpus is much larger; I'm not sure my approach will scale that far and I imagine the new discovery rate will be lower. Censys has been interested in submitting new certific

Discovering unlogged certificates in internet-wide scans

2018-03-31 Thread Tim Smith via dev-security-policy
Hi MDSP, I went looking for corpuses of certificates that may not have been previously logged to CT and found some in the Rapid7 "More SSL" dataset, which captures certificates from their scans of non-HTTPS ports for TLS-speaking services. I wrote up some findings at http://blog.tim-smith.us/2018

Re: Public trust of VISA's CA

2018-02-14 Thread Tim Smith via dev-security-policy
On Wednesday, February 14, 2018 at 8:43:19 AM UTC-8, Wayne Thayer wrote: > In this particular case, my conclusion is that the existing Mozilla > process is working. We have documented a number of issues that when > considered in aggregate warrant an investigation. Hi Wayne, Forgive me if I'm over

Re: Public trust of VISA's CA

2017-10-03 Thread Tim Smith via dev-security-policy
On Tuesday, September 19, 2017 at 8:13:26 AM UTC-7, Gervase Markham wrote: > In the light of this, I believe it is reasonable to discuss the question > of whether Visa's PKI (and, specifically, the VISA eCommerce Root, > https://crt.sh/?id=896972 , which is the one included in our store) > meets th