On 02/08/16 14:46, Peter Bowen wrote:
On Tue, Aug 2, 2016 at 5:11 AM, Nick Lamb <tialara...@gmail.com> wrote:
Rob, today I examined https://crt.sh/mozilla-disclosures because I was interested to see if the now 
expired signature from Symantec's "VeriSign Class 3 SSP Intermediate CA - G2" of 
"Federal Bridge CA 2013" had the expected effect.

I understand that traversing a network with known and potentially unknown loops in it is 
tricky to do correctly, so I am not sure whether the fact that a large number of "US 
Government" CAs are still listed as Unconstrained id-kp-serverAuth Trust reflects a 
problem with that traversal or a real, previously undetected trust relationship that I 
wasn't able to spot by eye.

Nick,

I believe this to be a bug in crt.sh. I have a local copy of all the
cross-certificates and the US Federal PKI and subordinate CAs from
there do not appear in the current trust graph.

Thanks,
Peter

Nick, Peter,

I looked at https://crt.sh/mozilla-disclosures immediately after the Symantec cross-cert expired, and I was surprised to see no change. I was on holiday all last week, so I'm only just investigating it properly now.

I suspect crt.sh is getting confused by the combination of the expired Symantec cross-cert and the revoked Identrust cross-cert. If they'd both expired or both been revoked, I suspect this (presumed) bug would not have been discovered.

I'm going to try changing
  "Unconstrained, but all observed paths Revoked"
to
  "Unconstrained, but all unexpired observed paths Revoked"

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
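The rule change Rob describes above, as an added example (not crt.sh's own code): a constructed cross-certificate graph, including a back-edge loop of the kind Nick mentions, and a loop-safe path walker that classifies a CA first with the original "all observed paths Revoked" rule and then with the proposed "all unexpired observed paths Revoked" rule. All CA names, dates, revocation flags and edges here are assumptions chosen to reproduce the described symptom.

```python
from datetime import date

# Constructed cross-certificate graph for illustration only; names echo the
# thread, but the dates, revocation flags and edges are assumptions.
TODAY = date(2016, 8, 2)
CROSS_CERTS = [  # (issuer, subject, not_after, revoked)
    ("Mozilla-trusted Root", "Symantec SSP Intermediate", date(2020, 1, 1), False),
    ("Symantec SSP Intermediate", "Federal Bridge CA 2013", date(2016, 7, 31), False),
    ("Mozilla-trusted Root", "IdenTrust Root", date(2020, 1, 1), False),
    ("IdenTrust Root", "Federal Bridge CA 2013", date(2020, 1, 1), True),
    ("Federal Bridge CA 2013", "US Government CA", date(2020, 1, 1), False),
    ("US Government CA", "Federal Bridge CA 2013", date(2020, 1, 1), False),  # loop
]
ROOTS = {"Mozilla-trusted Root"}


def all_paths(target):
    """Every loop-free path from a trusted root to `target`, as lists of certs."""
    by_issuer = {}
    for cert in CROSS_CERTS:
        by_issuer.setdefault(cert[0], []).append(cert)
    found = []

    def walk(name, path, seen):
        if name == target and path:
            found.append(path)
            return
        for cert in by_issuer.get(name, []):
            if cert[1] in seen:  # never re-enter a CA already on this path
                continue
            walk(cert[1], path + [cert], seen | {cert[1]})

    for root in ROOTS:
        walk(root, [], {root})
    return found


def expired(path): return any(c[2] < TODAY for c in path)
def revoked(path): return any(c[3] for c in path)


def classify(target, ignore_expired):
    """Original rule (ignore_expired=False) versus the proposed fix (True)."""
    paths = all_paths(target)
    if ignore_expired:
        paths = [p for p in paths if not expired(p)]
    if not paths:
        return "No unexpired path"
    if all(revoked(p) for p in paths):
        qualifier = "unexpired " if ignore_expired else ""
        return "Unconstrained, but all %sobserved paths Revoked" % qualifier
    return "Unconstrained"
```

With the original rule the expired-but-unrevoked Symantec path keeps "US Government CA" at plain "Unconstrained"; dropping expired paths first leaves only the revoked IdenTrust path, so the CA is classified as intended.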
