On 09/11/16 13:02, Gervase Markham wrote:
<snip>
>> A couple of examples that look to me as though they might be able to be
>> installed in a web server yet lack the EKU:
>>
>> https://censys.io/certificates/127f386498e3cfd330e40699b92efb68b72bfaa08af68f9a0fe959b1fea3ae9c
>
> This one's in the Federal Bridge maze. Not in crt.sh.

I just submitted it to the (really quick to include submitted certs) WoSign log, so this URL should work soon:
https://crt.sh/?sha256=127f386498e3cfd330e40699b92efb68b72bfaa08af68f9a0fe959b1fea3ae9c

> I can't seem to
> use censys.io to work out why it thinks we trust it, because I thought
> that we didn't trust all of that stuff.

Paths from this cert up to an NSS built-in root do exist, but they all contain at least one expired or revoked intermediate. I'm guessing that Censys isn't considering the revocation status of intermediates in the manner that crt.sh does. See here:
https://crt.sh/?caid=373&opt=mozilladisclosure

<snip>

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
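The two checks the thread turns on, an intermediate outside its validity window breaking every path to a root, and a leaf that was issued without a serverAuth EKU, can be seen directly with Go's standard crypto/x509 verifier. The program below is an added illustration for this page; it is not code from Rob, Gerv, crt.sh or Censys, and says nothing about how either of those services actually builds paths. It builds a throwaway root / intermediate / leaf hierarchy in memory with invented names ("Example Test Root", "www.example.test" and so on), then asks Go to validate the leaf. Two caveats: Go's verifier performs no CRL or OCSP lookup, so the revoked-intermediate case Rob mentions is not covered here and needs a separate revocation check; and Go treats a leaf with no EKU extension as valid for any purpose, which is why the block carries its own strict serverAuth test next to the path result.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parentKey (self-signs when parent is nil) and returns the parsed cert plus its new key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildTestChain builds an in-memory root -> intermediate -> leaf hierarchy (all names invented for this example).
// intermediateExpired ends the intermediate's validity a year ago; leafEKU decides whether the leaf gets an
// EKU extension containing id-kp-serverAuth or no EKU extension at all.
func BuildTestChain(intermediateExpired, leafEKU bool) (leaf *x509.Certificate, inters, roots *x509.CertPool, err error) {
	now, year := time.Now(), 365*24*time.Hour
	root, rootKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test Root"},
		NotBefore: now.Add(-2 * year), NotAfter: now.Add(10 * year),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	if err != nil {
		return
	}
	interNotAfter := now.Add(5 * year)
	if intermediateExpired {
		interNotAfter = now.Add(-year) // every path from the leaf to the root now crosses an expired cert
	}
	inter, interKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Test Intermediate"},
		NotBefore: now.Add(-3 * year), NotAfter: interNotAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, root, rootKey)
	if err != nil {
		return
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "www.example.test"}, DNSNames: []string{"www.example.test"},
		NotBefore: now.Add(-24 * time.Hour), NotAfter: now.Add(90 * 24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if leafEKU {
		leafTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if leaf, _, err = issue(leafTmpl, inter, interKey); err != nil {
		return
	}
	roots, inters = x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	return
}

// HasServerAuthEKU is the strict check: the leaf must explicitly assert id-kp-serverAuth.
// Go's verifier treats an absent EKU extension as "any purpose", so such a leaf passes Verify but fails here.
func HasServerAuthEKU(c *x509.Certificate) bool {
	for _, eku := range c.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth {
			return true
		}
	}
	return false
}

// VerifyServerChain runs Go's path validation (every certificate on the path, intermediates included,
// must be inside its validity window; no CRL/OCSP lookup is made) and reports the strict leaf EKU check beside it.
func VerifyServerChain(leaf *x509.Certificate, inters, roots *x509.CertPool, host string) (pathOK, strictEKU bool, err error) {
	_, err = leaf.Verify(x509.VerifyOptions{DNSName: host, Intermediates: inters, Roots: roots})
	return err == nil, HasServerAuthEKU(leaf), err
}

func main() {
	for _, tc := range [][2]bool{{false, true}, {true, true}, {false, false}} { // {intermediateExpired, leafEKU}
		leaf, inters, roots, err := BuildTestChain(tc[0], tc[1])
		if err != nil {
			panic(err)
		}
		pathOK, eku, verr := VerifyServerChain(leaf, inters, roots, "www.example.test")
		fmt.Printf("expiredIntermediate=%v ekuIssued=%v -> pathOK=%v strictServerAuth=%v err=%v\n", tc[0], tc[1], pathOK, eku, verr)
	}
}
```

With the expired intermediate, Verify returns an "unknown authority" error whose hint names the expired candidate; that is the behaviour a path builder gets from honouring intermediate validity, and a revocation-aware builder such as the one Rob describes for crt.sh adds a CRL or OCSP status check on each intermediate on top of it. The third case shows why a missing EKU is worth flagging separately: the path is fine, so only the explicit check notices that the leaf never asserted serverAuth.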

