On Tue, Nov 8, 2016 at 8:18 AM, Gervase Markham <[email protected]> wrote:
> Of course, if intermediates aren't disclosed, we can't be certain what
> they are, but crt.sh has a good idea of many of them:
> https://crt.sh/mozilla-disclosures#undisclosed
>
> There is also a list on that page of certs which CAs have disclosed but
> not provided audit info, but given that you can get off that list by
> putting _anything_ in the relevant box in Salesforce, I'm worried about
> perverse incentives if we go after people on that list at the moment:
> https://crt.sh/mozilla-disclosures#disclosureincomplete

Can the "undisclosed" list be broken down further into "CA not disclosed at all" versus "missing disclosure of some cross-certificate"?

For example, ACCVCA-130 is listed under both "Disclosed" and "Unconstrained id-kp-serverAuth Trust".

https://crt.sh/?sha256=572bf899fd774362dc19219625ecc157bb55434ea5166d5758dc4b4f890d6653&opt=mozilladisclosure (Disclosed)

https://crt.sh/?sha256=8f7cc455e9a5507804120655d7139186253e43b00422e734263a0769d2f89f7d&opt=mozilladisclosure (Not Disclosed)

I was very confused about this aspect of the tool, as I know other CAs were, because full audit details were provided for the subordinate CA. The problem is that the Salesforce system is treating cross-certificates as independent even if they have the same subject info (DN, SKI, and KeyId).

> Anyway, considering the first list: what do we do? I'm not particularly
> in favour of sending another nagging email. We could just un-trust the
> lot, but that might be quite impactful. So here's my proposal: we play
> Russian Roulette. We choose 3 certs from the list each week and add them
> to OneCRL, and email the CAs concerned to tell them we've done it.
> Hopefully after a few weeks, they'll get the message.

Why not focus first on the Root CA operators that have failed to disclose _anything_? From the crt.sh report, it looks like Visa, TurkTrust, SECOM Trust Systems Co. Ltd., RSA the Security Division of EMC, Government of Taiwan: Government Root Certification Authority (GRCA), Government of Japan: Ministry of Internal Affairs and Communications, e-tugra, and certSIGN have entered zero disclosures. Have they responded to any CA communications? Have they even established Salesforce accounts?

Thanks,
Peter

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
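The cross-certificate point in Peter's message is easy to see in code. The following Go program is an added example written for this page; it is not code from the thread, from crt.sh or from the Salesforce disclosure system. It builds, entirely in memory, the situation he describes: one subordinate CA key that is cross-certified by two different roots, plus one unrelated CA. A per-certificate report keyed on the SHA-256 fingerprint (the way the crt.sh URLs above are keyed) sees three independent certificates, so disclosing one cross-cert still leaves the other listed as "Not Disclosed". Grouping on the issuer-independent identity (subject DN, Subject Key Identifier and a hash of the SubjectPublicKeyInfo) collapses the two cross-certs into one CA. The grouping key, the "Demo ..." names, the helper names and the choice to disclose only the first certificate are all assumptions of the example; the one library behaviour it relies on is that crypto/x509 derives the SubjectKeyId from the public key when a CA template leaves it empty, so both cross-certs carry the same SKI.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// caIdentity is the issuer-independent identity of a CA certificate's subject.
// One CA key cross-certified by two roots yields two certificates with
// different SHA-256 fingerprints but the same caIdentity (assumed grouping key).
type caIdentity struct {
	Subject string // subject DN
	SKI     string // Subject Key Identifier, hex
	SPKI    string // SHA-256 of the SubjectPublicKeyInfo, hex
}

func identityOf(c *x509.Certificate) caIdentity {
	spki := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return caIdentity{c.Subject.String(), hex.EncodeToString(c.SubjectKeyId), hex.EncodeToString(spki[:])}
}

// fingerprint is the per-certificate key of a crt.sh-style report: SHA-256 of the DER.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// groupCrossCerts collapses all cross-certificates for the same CA into one group.
func groupCrossCerts(certs []*x509.Certificate) map[caIdentity][]*x509.Certificate {
	groups := make(map[caIdentity][]*x509.Certificate)
	for _, c := range certs {
		groups[identityOf(c)] = append(groups[identityOf(c)], c)
	}
	return groups
}

// disclosureGap contrasts the per-certificate view (every undisclosed cross-cert
// counts) with the per-CA view (a CA counts only if none of its certs is disclosed).
func disclosureGap(groups map[caIdentity][]*x509.Certificate, disclosed map[string]bool) (certs, cas int) {
	for _, group := range groups {
		anyDisclosed := false
		for _, c := range group {
			if disclosed[fingerprint(c)] {
				anyDisclosed = true
			} else {
				certs++
			}
		}
		if !anyDisclosed {
			cas++
		}
	}
	return certs, cas
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

// caTemplate leaves SubjectKeyId empty on purpose: crypto/x509 fills it from the
// public key for CA templates, so every cert issued for one key shares an SKI.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	must(err)
	c, err := x509.ParseCertificate(der)
	must(err)
	return c
}

// buildDemo constructs (in memory, with made-up names and fresh keys) one
// subordinate CA key cross-certified by two roots, plus one unrelated CA.
func buildDemo() []*x509.Certificate {
	rootA, rootB, sub, other := mustKey(), mustKey(), mustKey(), mustKey()
	tA, tB := caTemplate("Demo Root A", 1), caTemplate("Demo Root B", 2)
	certA := issue(tA, tA, &rootA.PublicKey, rootA)
	certB := issue(tB, tB, &rootB.PublicKey, rootB)
	return []*x509.Certificate{
		issue(caTemplate("Demo Sub CA", 10), certA, &sub.PublicKey, rootA),    // the one the CA disclosed
		issue(caTemplate("Demo Sub CA", 11), certB, &sub.PublicKey, rootB),    // same CA, other root
		issue(caTemplate("Demo Other CA", 12), certA, &other.PublicKey, rootA), // genuinely undisclosed
	}
}

func main() {
	certs := buildDemo()
	groups := groupCrossCerts(certs)
	disclosed := map[string]bool{fingerprint(certs[0]): true} // assumption: only cert 0 disclosed
	for id, group := range groups {
		fmt.Printf("%s (SKI %s...)\n", id.Subject, id.SKI[:8])
		for _, c := range group {
			fmt.Printf("  issuer=%q disclosed=%v\n", c.Issuer.CommonName, disclosed[fingerprint(c)])
		}
	}
	uc, uca := disclosureGap(groups, disclosed)
	fmt.Printf("%d certs in %d CAs; per-cert view: %d undisclosed, per-CA view: %d undisclosed\n", len(certs), len(groups), uc, uca)
}
```

Run with `go run .`; the per-certificate view reports two undisclosed certificates while the per-CA view reports one, which is exactly the "CA not disclosed at all" versus "missing disclosure of some cross-certificate" split the message asks for. Keying on the SPKI hash in addition to the DN and SKI matters in practice: a SKI is chosen by the CA and is not guaranteed unique, whereas the same public key is what makes two cross-certs interchangeable for path building.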

