On 25/04/17 23:50, Ryan Sleevi via dev-security-policy wrote:
> Continuing to look through the audits, I happened to notice a few other
> things that stood out, some more pressing than others.
>
> More pressing:
> I can find no disclosure with Salesforce or crt.sh of at least two CAs that
> are listed 'in scope' of the audit report, as part of
Hi Ryan. Today I went hunting for missing intermediate certificates. I produced a list of all the AIA:caIssuers URLs from all certs known to crt.sh. Then I downloaded and parsed all of them, attempting to decode each file as DER cert, PEM cert, DER PKCS#7 and PEM PKCS#7. Then I submitted the previously unseen certs to CT.

> This audit report identifies the "SureID Inc. CA2" and "SureID Inc. Device
> CA2" as within scope for this audit. It would be useful to understand their
> lack of disclosure, relative to the audits and to Section 5.3.2 of the
> inclusion policy.

Those two now appear here:

https://crt.sh/mozilla-disclosures#undisclosed currently lists these two SureID intermediates plus a further VeriSign intermediate (https://crt.sh/?id=129148836) that should've been disclosed to CCADB some time ago.

(Note: A few of the non-Symantec entries currently listed by https://crt.sh/mozilla-disclosures#undisclosed are false positives, I think. It looks like Kathleen has marked some roots as "Removed" on CCADB ahead of the corresponding certdata.txt update on mozilla-central).

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
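The crawl Rob describes above (collect AIA:caIssuers URLs, download each, try to decode the file as a DER cert, PEM cert, DER PKCS#7 or PEM PKCS#7, then keep only the certificates not already seen) is the kind of check a relying party or CA compliance team can run to find intermediates that were issued but never disclosed. The following is an added example, not crt.sh's or Rob's code. It assumes only the Python standard library: instead of a full X.509 parser it does a minimal DER walk that checks the outer shape of a Certificate and of a PKCS#7 SignedData ContentInfo, and the sample inputs are constructed in the block (they have the DER shape of certificates but carry no real fields or signatures). The HTTP fetch of the caIssuers URLs and the CT submission step are left out; `unseen_certs` returns the candidates that would go to the next stage.

```python
import base64
import hashlib
import re

# DER-encoded value of OID 1.2.840.113549.1.7.2 (id-signedData)
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 #]+)-----(.*?)-----END \1-----", re.S)

def der_tlv(data, pos=0):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("DER length runs past end of data")
    return tag, pos, pos + length

def der_children(data, start, end):
    """Yield (tag, value_bytes, whole_tlv_bytes) for each TLV in data[start:end]."""
    pos = start
    while pos < end:
        tag, vs, ve = der_tlv(data, pos)
        yield tag, data[vs:ve], data[pos:ve]
        pos = ve

def looks_like_certificate(der):
    """Shape check only: SEQUENCE { tbs SEQUENCE, sigAlg SEQUENCE, sig BIT STRING }."""
    try:
        tag, vs, ve = der_tlv(der, 0)
        if tag != 0x30 or ve != len(der):
            return False
        return [t for t, _, _ in der_children(der, vs, ve)] == [0x30, 0x30, 0x03]
    except (IndexError, ValueError):
        return False

def certs_from_pkcs7(der):
    """Pull the certificates [0] SET out of a DER PKCS#7 SignedData ContentInfo."""
    try:
        tag, vs, ve = der_tlv(der, 0)
        if tag != 0x30:
            return []
        kids = list(der_children(der, vs, ve))
        # ContentInfo ::= SEQUENCE { contentType id-signedData, [0] EXPLICIT SignedData }
        if len(kids) != 2 or kids[0][0] != 0x06 or kids[0][1] != OID_SIGNED_DATA or kids[1][0] != 0xA0:
            return []
        signed_data = kids[1][1]
        tag, vs, ve = der_tlv(signed_data, 0)
        if tag != 0x30:
            return []
        out = []
        for t, v, whole in der_children(signed_data, vs, ve):
            if t == 0xA0:                  # certificates [0] IMPLICIT SET OF Certificate
                hdr = len(whole) - len(v)
                out.extend(c for _, _, c in der_children(whole, hdr, len(whole)) if looks_like_certificate(c))
        return out
    except (IndexError, ValueError):
        return []

def extract_certs(blob):
    """Decode one caIssuers download as DER cert, PEM cert, DER PKCS#7 or PEM PKCS#7."""
    if looks_like_certificate(blob):
        return [blob]
    certs = certs_from_pkcs7(blob)
    if certs:
        return certs
    for _label, body in PEM_RE.findall(blob):
        der = base64.b64decode(re.sub(rb"\s+", b"", body))
        certs.extend(extract_certs(der))   # PEM just wraps DER, so recurse once
    return certs

def unseen_certs(blobs, known_fingerprints):
    """Return {sha256hex: der} for certs whose fingerprint is not in known_fingerprints."""
    new = {}
    for blob in blobs:
        for der in extract_certs(blob):
            fp = hashlib.sha256(der).hexdigest()
            if fp not in known_fingerprints and fp not in new:
                new[fp] = der
    return new

def der_encode(tag, value):
    """Minimal DER encoder, used only to build the constructed samples below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def fake_cert(serial):
    """Constructed: the DER shape of a Certificate, with no real fields or signature."""
    tbs = der_encode(0x30, der_encode(0x02, bytes([serial])))
    alg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
    return der_encode(0x30, tbs + alg + der_encode(0x03, b"\x00\xaa\xbb"))

def pem_wrap(label, der):
    return b"-----BEGIN " + label + b"-----\n" + base64.encodebytes(der) + b"-----END " + label + b"-----\n"

CERT_A, CERT_B = fake_cert(1), fake_cert(2)
# Constructed PKCS#7 SignedData with both certs and no signers, as a caIssuers URL might serve it.
SIGNED_DATA = der_encode(0x30, der_encode(0x02, b"\x01") + der_encode(0x31, b"")
    + der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d010701")))  # id-data
    + der_encode(0xA0, CERT_A + CERT_B) + der_encode(0x31, b""))
P7_DER = der_encode(0x30, der_encode(0x06, OID_SIGNED_DATA) + der_encode(0xA0, SIGNED_DATA))
SAMPLES = [CERT_A, pem_wrap(b"CERTIFICATE", CERT_A), P7_DER, pem_wrap(b"PKCS7", P7_DER)]

if __name__ == "__main__":
    for fp, der in unseen_certs(SAMPLES, known_fingerprints=set()).items():
        print(fp, len(der), "bytes")       # the candidates that would be submitted to CT
```

The four sample blobs carry only two distinct certificates, so the de-duplication by SHA-256 fingerprint is what turns the crawl output into a short list of "previously unseen" candidates; in a real run `known_fingerprints` would be loaded from what the CT logs (or crt.sh) already hold.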