On 09/11/16 12:17, Nick Lamb wrote:
> I am not always very clear on how Censys queries work, but I believe this
> query is a useful starting point (within the limited context of Censys)
>
> current_valid_nss: true AND (NOT parsed.extensions.extended_key_usage:1)

That query produces 8,090 results over 324 pages. Does censys.io have a CSV export or similar?

> A couple of examples that look to me as though they might be able to be
> installed in a web server yet lack the EKU:
>
> https://censys.io/certificates/127f386498e3cfd330e40699b92efb68b72bfaa08af68f9a0fe959b1fea3ae9c

This one's in the Federal Bridge maze. Not in crt.sh. I can't seem to use censys.io to work out why it thinks we trust it, because I thought that we didn't trust all of that stuff.

> https://censys.io/certificates/c52d1aa01fbc3e7095d8c6336423590fdad7b003304f6b73ed835e36f8f802b3

Chains up to Globalsign's root. Revoked by the CA: https://crt.sh/?sha256=c52d1aa01fbc3e7095d8c6336423590fdad7b003304f6b73ed835e36f8f802b3

> I would be astonished if there were literally no certificates in use
> on web servers which will get rejected as a result of this change. So
> the question is how much pain it's worth and whether it helps to wait
> another year or so.

Am I right, though, that all such certs would be BR violations? Or is there something I've missed?

Gerv
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

