On Wednesday, 9 November 2016 13:03:37 UTC, Gervase Markham wrote:
> On 09/11/16 12:17, Nick Lamb wrote:
>
> > I am not always very clear on how Censys queries work, but I believe this
> > query is a useful starting point (within the limited context of Censys)
> >
> > current_valid_nss: true AND (NOT parsed.extensions.extended_key_usage:1)
>
> That query produces 8,090 results over 324 pages. Does censys.io have a
> CSV export or similar?

Censys.io has a RESTful API. They recommend using a Python library to access it. My Python is... crude and unidiomatic but functional - if it seems to me in this or some future thread that the group would benefit from a text dump of relevant certificates I will certainly make one. So far in this case I think it isn't so useful so I won't do it yet.

> Am I right, though, that all such certs would be BR violations? Or is
> there something I've missed?

Yes, I think a public CA issuing a certificate for a web server or similar was obliged all the way from version 1 of the Baseline Requirements to add this EKU to the certificate. Since Firefox soon won't trust very old (SHA-1) certificates anyway, and has never intended to trust non-BR compliant Certificate Authorities such as the Federal Bridge, that seems to cover everything.

Isn't there still some value in estimating the impact?

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
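Added example, not part of the original message and not Censys or Mozilla code: a standard-library Python check for the condition the thread is discussing, namely whether a DER-encoded certificate carries an Extended Key Usage extension and whether that extension lists serverAuth. The function names and the hex samples (bare extension lists rather than full certificates) are constructed for illustration.

```python
EKU_OID = bytes.fromhex("551d25")                # 2.5.29.37 extKeyUsage
SERVER_AUTH = bytes.fromhex("2b06010505070301")  # 1.3.6.1.5.5.7.3.1

def tlvs(buf):
    """Yield (tag, value) for each DER element in buf (single-byte tags only)."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated header")
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:  # long-form length: low 7 bits = number of length bytes
            k = n & 0x7F
            if k == 0 or i + k > len(buf):
                raise ValueError("bad length")
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        if i + n > len(buf):
            raise ValueError("truncated value")
        yield tag, buf[i:i + n]
        i += n

def eku_purposes(der):
    """Purpose OIDs from the first EKU extension found, or None if absent."""
    for tag, val in tlvs(der):
        if not tag & 0x20:  # primitive element, nothing nested to search
            continue
        kids = list(tlvs(val))
        if tag == 0x30 and len(kids) >= 2 and kids[0] == (0x06, EKU_OID):
            # extnValue is the last child (after the optional critical BOOLEAN)
            [(_, seq)] = tlvs(kids[-1][1])
            return [v for t, v in tlvs(seq) if t == 0x06]
        found = eku_purposes(val)
        if found is not None:
            return found
    return None

def classify(der):
    purposes = eku_purposes(der)
    if purposes is None:
        return "no-eku"
    return "serverAuth" if SERVER_AUTH in purposes else "eku-without-serverAuth"

# Constructed sample input: bare Extensions SEQUENCEs, not real certificates.
WITH_EKU = bytes.fromhex("301530130603551d25040c300a06082b06010505070301")
CLIENT_ONLY = bytes.fromhex("301530130603551d25040c300a06082b06010505070302")
NO_EKU = bytes.fromhex("300b30090603551d1304023000")  # basicConstraints only
```

Because the walk descends through every constructed element, `classify` also accepts a complete DER certificate, so it can be run over a local dump of certificates to count how many fall into each class.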

