On 02/03/16 14:56, Rob Stradling wrote:
<snip>
> I've also added an "excludeCAs" parameter, which takes a comma-separated
> list of crt.sh CA IDs.
>
> To exclude SHA-1 certs issued by Symantec and Comodo from previously
> trusted roots, try this:
> https://crt.sh/?cablint=211&dir=^&sort=1&minNotBefore=2016-01-01&excludeCAs=7198,11000&group=none

I couldn't help but notice this SHA-1 precertificate issued by Symantec a couple of days ago:
https://crt.sh/?id=13407116&opt=cablint

Dean, Rick, could you comment on this?

It doesn't seem to be related to the limited SHA-1 exception you obtained for WorldPay. Any idea why the "Remediation:" [1] steps you took in January didn't prevent the issuance of this precertificate?

Thanks.


[1] https://cabforum.org/pipermail/public/2016-January/006519.html

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
