Hi Rob,

I know that there is a discussion regarding "bits of entropy" or "unpredictable bits" in certificate serial numbers. I am not familiar with this topic, but my gut feeling is that "unpredictable bits" is relatively subjective.
What is your definition of "bits of entropy" used in crt.sh? Could you elaborate a bit more on how "bits of entropy" is verified?

Cheers,
Man

On 4/28/2016 7:31 PM, Rob Stradling wrote:
> On 28/04/16 01:15, Richard Barnes wrote:
>> Dear CAs,
>>
>> As you guys are working toward the June 30 deadline for disclosing
>> intermediate certificates in SalesForce, I thought I would share some
>> notes on the undisclosed certificates that we're seeing, so that you
>> can make sure you get them all uploaded.
>>
>> Zakir Durumeric from UMich/Censys.io has helpfully compiled a list of CA
>> certificates that have been observed in Censys scans of the Internet,
>> and noted which of those certificates are not in SalesForce so far.
>
> Also, crt.sh now regularly downloads
> https://wiki.mozilla.org/CA:SubordinateCAcerts and automatically links
> the audit info to the relevant CA certificates.
> (Example: https://crt.sh/?id=3706739)
>
> I'm aiming to produce an (automatically updated) list of CA
> certificates that are known to CT but are not (yet) in SalesForce.
>
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

