> On Jun 16, 2017, at 05:00, Rob Stradling via dev-security-policy > <dev-security-policy@lists.mozilla.org> wrote: > > On 16/06/17 06:05, Tavis Ormandy via dev-security-policy wrote: >> Hello, I was crawling the pkcs7 blobs in public pdf files and found some >> intermediate certificates that don't appear in crt.sh. >> I forwarded them to Rob, I don't know if this is useful to anyone else, but >> they're available here. >> https://lock.cmpxchg8b.com/intermediates.zip >> Tavis. > > Thanks Tavis. I've just submitted all of these intermediates to some CT logs. > > This list just grew considerably... > https://crt.sh/mozilla-disclosures#undisclosed
For posterity, here are the new ones (from June 14 to present, there are seven others predating this batch that are still on the list): - https://crt.sh/?sha256=a6ca043d5c838dd10e935acdd1079c9686b6511faf4c80c4dcfc9c54394ded5e - https://crt.sh/?sha256=6365b25e9299b5f382eb0066850629088ebcd9bcb398f28622107603c3c1c27e - https://crt.sh/?sha256=d57b9872b1eef8e8032ab2e8cb0e63b685d1655c51c454f23f9975dfa2ad7e0a - https://crt.sh/?sha256=077b75f6b7fa71be4f8121e1ec52faebca0d0aed2dc01711a0f6dcdc38e7bf38 - https://crt.sh/?sha256=7fa8450051bac3efd7ea4dbbd070075d7e7b7d27f3f119e6fa1f7103b8a89f24 - https://crt.sh/?sha256=3b84290532c84b7026e06a427b689c69fe24154bdecb43fedbe29bf955ca6513 - https://crt.sh/?sha256=5d1f493bb09823decc8a6e35a23d04c83778d854a43b34686a363d6f4bb287c2 I think it would be useful to see incident reports from each of the CAs so that we can understand how these trusted intermediate certificates, all issued several years ago, were missed. Jonathan _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
