On 25/04/17 23:50, Ryan Sleevi via dev-security-policy wrote:
> Continuing to look through the audits, I happened to notice a few other
> things that stood out, some more pressing than others.
> More pressing:
> I can find no disclosure with Salesforce or crt.sh of at least two CAs that
> are listed 'in scope' of the audit report, as part of
> https://www.symantec.com/content/en/us/about/media/repository/Symantec-NFSSP-WTCA_11-30-2016.pdf
Hi Ryan. Today I went hunting for missing intermediate certificates. I
produced a list of all the AIA:caIssuers URLs from all certs known to
crt.sh. Then I downloaded and parsed all of them, attempting to decode
each file as DER cert, PEM cert, DER PKCS#7 and PEM PKCS#7. Then I
submitted the previously unseen certs to CT.
> This audit report identifies the "SureID Inc. CA2" and "SureID Inc. Device
> CA2" as within scope for this audit. It would be useful to understand their
> lack of disclosure, relative to the audits and to Section 5.3.2 of the
> inclusion policy.
Those two now appear here:
https://crt.sh/?id=129400172
https://crt.sh/?id=129400151
https://crt.sh/mozilla-disclosures#undisclosed currently lists these two
SureID intermediates plus a further VeriSign intermediate
(https://crt.sh/?id=129148836) that should've been disclosed to CCADB
some time ago.
(Note: A few of the non-Symantec entries currently listed by
https://crt.sh/mozilla-disclosures#undisclosed are false positives, I
think. It looks like Kathleen has marked some roots as "Removed" on
CCADB ahead of the corresponding certdata.txt update on mozilla-central).
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
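The intermediate hunt Rob describes (collect AIA caIssuers URLs, fetch each one, try to decode the response as a DER cert, PEM cert, DER PKCS#7 or PEM PKCS#7, then hand the previously unseen certs to CT) as an added, stdlib-only Python example. This is not Rob's or crt.sh's code; it decides how to read each download from the DER structure rather than the file extension or PEM label, walks a PKCS#7 SignedData down to its `certificates [0]` set, and dedupes by SHA-256 fingerprint against a set of already-known fingerprints that stands in for the crt.sh database. The URLs, the certificate-shaped blobs and the PKCS#7 wrapper are constructed sample data, not real certificates, and the returned dict is what one would post to a log's add-chain endpoint; no network access happens here.

```python
import base64
import hashlib
import re

# OID contents (no tag/length) compared against the parsed DER
OID_PKCS7_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_PKCS7_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


def _read_tlv(buf, pos):
    """Parse the DER tag and length at buf[pos]; return (tag, value_start, length)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags do not occur in X.509/PKCS#7")
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + 2 + n > len(buf):
            raise ValueError("bad DER length")
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    if pos + hdr + length > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, pos + hdr, length


def _children(buf, start, end):
    """Yield (tag, tlv_start, value_start, value_end) for each TLV inside a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, length = _read_tlv(buf, pos)
        yield tag, pos, vstart, vstart + length
        pos = vstart + length


def certs_from_der(der):
    """Return the DER certificates in `der`: one Certificate or one PKCS#7 SignedData bundle."""
    tag, vstart, length = _read_tlv(der, 0)
    if tag != 0x30 or vstart + length != len(der):
        raise ValueError("not a single top-level DER SEQUENCE")
    kids = list(_children(der, vstart, vstart + length))
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE, signature BIT STRING }
    if [k[0] for k in kids] == [0x30, 0x30, 0x03]:
        return [der]
    # ContentInfo ::= SEQUENCE { contentType OBJECT IDENTIFIER, content [0] EXPLICIT SignedData }
    if (len(kids) == 2 and kids[0][0] == 0x06 and kids[1][0] == 0xA0
            and der[kids[0][2]:kids[0][3]] == OID_PKCS7_SIGNED_DATA):
        inner = list(_children(der, kids[1][2], kids[1][3]))
        if len(inner) != 1 or inner[0][0] != 0x30:
            raise ValueError("malformed SignedData wrapper")
        certs = []
        # SignedData: version, digestAlgorithms, encapContentInfo, certificates [0] IMPLICIT, crls [1], signerInfos
        for tag, _, s, e in _children(der, inner[0][2], inner[0][3]):
            if tag == 0xA0:
                for ctag, cstart, _, cend in _children(der, s, e):
                    if ctag == 0x30:  # a plain Certificate; other CertificateChoices are skipped
                        certs.append(der[cstart:cend])
        return certs
    raise ValueError("neither a Certificate nor a PKCS#7 SignedData")


PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def extract_certs(blob):
    """Decode one caIssuers download as DER cert, PEM cert, DER PKCS#7 or PEM PKCS#7."""
    blocks = PEM_RE.findall(blob)
    if not blocks:
        return certs_from_der(blob)
    certs = []
    for _label, body in blocks:  # the DER structure, not the PEM label, decides how it is read
        certs.extend(certs_from_der(base64.b64decode(b"".join(body.split()))))
    return certs


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def find_unseen(downloads, known_fingerprints):
    """downloads: {caIssuers URL: response bytes}. Return {sha256: der} for certs not yet known."""
    unseen = {}
    for url, blob in downloads.items():
        try:
            for der in extract_certs(blob):
                fp = fingerprint(der)
                if fp not in known_fingerprints and fp not in unseen:
                    unseen[fp] = der  # candidate for a CT log's add-chain endpoint (RFC 6962)
        except ValueError as err:
            print(f"skipping {url}: {err}")  # HTML error pages, truncated downloads, etc.
    return unseen


# ---- constructed sample data (hypothetical URLs, not real certificates) ----
def _tlv(tag, value):
    n = len(value)
    ln = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82]) + n.to_bytes(2, "big"))
    return bytes([tag]) + ln + value


def _fake_cert(serial):
    """Certificate-shaped SEQUENCE with a dummy signature; enough for structural parsing only."""
    tbs = _tlv(0x30, _tlv(0x02, bytes([serial])))
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    return _tlv(0x30, tbs + alg + _tlv(0x03, bytes(9)))


def _fake_pkcs7(certs):
    sd = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x31, b"") + _tlv(0x30, _tlv(0x06, OID_PKCS7_DATA))
              + _tlv(0xA0, b"".join(certs)) + _tlv(0x31, b""))
    return _tlv(0x30, _tlv(0x06, OID_PKCS7_SIGNED_DATA) + _tlv(0xA0, sd))


def _pem(label, der):
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


CERT_A, CERT_B = _fake_cert(1), _fake_cert(2)
SAMPLE_DOWNLOADS = {
    "http://aia.example/ca-a.cer": CERT_A,                                    # DER cert
    "http://aia.example/ca-a.pem": _pem(b"CERTIFICATE", CERT_A),              # PEM cert
    "http://aia.example/bundle.p7c": _fake_pkcs7([CERT_A, CERT_B]),           # DER PKCS#7
    "http://aia.example/bundle.p7b": _pem(b"PKCS7", _fake_pkcs7([CERT_B])),   # PEM PKCS#7
    "http://aia.example/missing": b"<html>404 Not Found</html>",              # undecodable
}
KNOWN_FINGERPRINTS = {fingerprint(CERT_A)}  # stands in for certs already in the crt.sh database

if __name__ == "__main__":
    for fp, der in find_unseen(SAMPLE_DOWNLOADS, KNOWN_FINGERPRINTS).items():
        print(f"new cert {fp[:16]}... ({len(der)} bytes) -> submit to CT")
```

Against the sample set only the second fake cert comes back as unseen: it is carried by both bundles but is reported once, the known cert is ignored in all three encodings, and the HTML error page is skipped rather than aborting the run.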
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy