This list does include those, e.g.:
https://censys.io/certificates/376377fd1faf4b8a5b1472647a70b941039a62d74cfe99447e48616f8d63a978

I would note for completeness that a CA without any EKU extension at all would be considered "capable of being used to issue new [SSL] certificates" and thus required to be disclosed. It also appears to contain name constrained certificates, which I believe are also exempt from disclosure (assuming they meet the full definition for Technically Constrained).
https://censys.io/certificates/4e63f142401a84f8a473d6ddee341a161fada86d3430c8c2c534536413d9db97

So this is a fairly rough first cut. I'll work with Zakir to refine it and provide a better SNR for everyone.

On Wed, Apr 27, 2016 at 9:11 PM, Wayne Thayer <[email protected]> wrote:

> My understanding is that CAs are not to add CAs with an EKU extension that
> doesn't include anyEKU or serverAuth, but this list appears to include
> those?
>
> Thanks,
>
> Wayne
>
> > -----Original Message-----
> > From: dev-security-policy [mailto:dev-security-policy-[email protected]] On Behalf Of Richard Barnes
> > Sent: Wednesday, April 27, 2016 5:16 PM
> > To: [email protected]
> > Cc: Zakir Durumeric <[email protected]>
> > Subject: Undisclosed CA certificates
> >
> > Dear CAs,
> >
> > As you guys are working toward the June 30 deadline for disclosing
> > intermediate certificates in SalesForce, I thought I would share some notes
> > on the undisclosed certificates that we're seeing, so that you can make sure
> > you get them all uploaded.
> >
> > Zakir Durumeric from UMich/Censys.io has helpfully compiled a list of CA
> > certificates that have been observed in Censys scans of the Internet, and
> > noted which of those certificates are not in SalesForce so far.
> >
> > I've posted the list here for your reference:
> > https://gist.github.com/bifurcation/bf994d9fc3753f78472da8233da1fe52
> >
> > Note that this list is static, so if you add a certificate to SalesForce, it won't
> > instantly disappear from this list. But we'll try to update it every so often as
> > we approach June 30, and will notify this list when we do.
> >
> > Cheers,
> > --Richard
> > _______________________________________________
> > dev-security-policy mailing list
> > [email protected]
> > https://lists.mozilla.org/listinfo/dev-security-policy
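A sketch of how the criteria discussed in this thread could be used to triage a list of observed CA certificates. This is an added example, not code from the thread or from Censys; it assumes the Python `cryptography` package, the bucket names are hypothetical, and the sample certificates are constructed for the demonstration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID as EKU, NameOID

TLS_CAPABLE = {EKU.SERVER_AUTH, EKU.ANY_EXTENDED_KEY_USAGE}

def _ext(cert, cls):
    """Return the extension value, or None when the extension is absent."""
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None

def triage(cert):
    """Bucket a certificate using the criteria stated in the thread."""
    bc = _ext(cert, x509.BasicConstraints)
    if bc is None or not bc.ca:
        return "not-a-ca"
    eku = _ext(cert, x509.ExtendedKeyUsage)
    # No EKU at all counts as capable of issuing SSL certificates.
    if eku is not None and not TLS_CAPABLE & set(eku):
        return "eku-excludes-ssl"
    if _ext(cert, x509.NameConstraints) is not None:
        return "name-constrained-review"  # exempt only if fully Technically Constrained
    return "disclose"

def make_ca(ekus=None, constrained=False):
    """Build a constructed, self-signed sample CA certificate (test data only)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Sample CA")])
    start = datetime.datetime(2016, 4, 27)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True))
    if ekus is not None:
        b = b.add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
    if constrained:
        nc = x509.NameConstraints([x509.DNSName("example.test")], None)
        b = b.add_extension(nc, critical=True)
    return b.sign(key, hashes.SHA256())

if __name__ == "__main__":
    samples = {"no EKU": make_ca(), "emailProtection only": make_ca([EKU.EMAIL_PROTECTION]),
               "serverAuth": make_ca([EKU.SERVER_AUTH]),
               "serverAuth + nameConstraints": make_ca([EKU.SERVER_AUTH], constrained=True)}
    for label, cert in samples.items():
        print(f"{label:30} -> {triage(cert)}")
```

The name-constrained bucket is only a flag for manual review, since the thread makes the exemption conditional on meeting the full Technically Constrained definition, which this check does not evaluate.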

