On 19/07/17 15:31, Jeremy Rowley via dev-security-policy wrote:
You should also filter out expired certs as they aren't usable.
I've added a 2nd tab that just shows unexpired certs. I'll also add a
column to track the revocation status of each of these certs.
I've left the expired certs in the 1st tab, since they show historical
issuance problems. Perhaps some of those CAs still have code bugs that
need to be fixed.
On Jul 19, 2017, at 8:30 AM, Alex Gaynor via dev-security-policy wrote:
I think there might be a bug in your SQL, one of the offending certs is
issued by "C=US, O=U.S. Government, OU=Department of Homeland Security,
OU=Certification Authorities, OU=DHS CA4", who are revoked using OneCRL.
On Wed, Jul 19, 2017 at 10:08 AM, Rob Stradling via dev-security-policy wrote:
On 18/07/17 16:57, Hanno Böck via dev-security-policy wrote:
(Due to limitations in the search methodology - scraping crt.sh
search results and looping through tlds - I only searched for ..tld. It
would certainly be valuable to search further.)
Here's a report of all "double dot" certs known to crt.sh that are usable
for server authentication and chain to a root trusted by Mozilla:
For anyone interested, here's the SQL I executed on the crt.sh DB to
produce this report:
SELECT c.ID, x509_notBefore(c.CERTIFICATE), x509_notAfter(c.CERTIFICATE),
array_to_string(array_agg(DISTINCT ci.NAME_VALUE), CHR(10)), ca.NAME
FROM certificate_identity ci, ca, certificate c
WHERE ci.NAME_VALUE LIKE '%..%'
AND ci.NAME_TYPE IN ('dNSName', 'commonName')
AND ci.ISSUER_CA_ID = ca.ID
AND ci.CERTIFICATE_ID = c.ID
AND EXISTS (
SELECT 1
FROM ca_trust_purpose ctp
WHERE ci.ISSUER_CA_ID = ctp.CA_ID
AND ctp.TRUST_PURPOSE_ID = 1 -- Server Authentication
AND ctp.TRUST_CONTEXT_ID = 5 -- Mozilla
)
AND x509_isEKUPermitted(c.CERTIFICATE, '1.3.6.1.5.5.7.3.1') -- id-kp-serverAuth
-- One row per certificate; the aggregated NAME_VALUE column is not grouped on,
-- so all of a cert's double-dot names collapse into a single cell.
GROUP BY c.ID, x509_notBefore(c.CERTIFICATE),
x509_notAfter(c.CERTIFICATE), ca.NAME
ORDER BY ca.NAME, x509_notAfter(c.CERTIFICATE) DESC;
Senior Research & Development Scientist
COMODO - Creating Trust Online
dev-security-policy mailing list
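As an added example (not code from this thread or from crt.sh), here is a Python lint pass over rows shaped like the query's output that generalizes the LIKE '%..%' filter to every empty-label shape a dNSName can take (leading, trailing and double dots, plus labels that break RFC 1034 syntax) and marks expired rows as Jeremy suggests. The SAMPLE_ROWS data, the ids and the CA names are constructed for the demonstration.

```python
import re
from datetime import datetime, timezone

# Constructed sample rows shaped like the crt.sh query output above:
# certificate id, dNSName/commonName values, notAfter, issuing CA name.
SAMPLE_ROWS = [
    {"id": 101, "names": ["www..example.com", "example.com"],
     "not_after": "2016-05-01T00:00:00Z", "ca": "Example CA A"},
    {"id": 102, "names": ["mail..example.net"],
     "not_after": "2030-01-01T00:00:00Z", "ca": "Example CA B"},
    {"id": 103, "names": ["ok.example.org"],
     "not_after": "2030-01-01T00:00:00Z", "ca": "Example CA B"},
    {"id": 104, "names": [".example.org", "bad-.example.org"],
     "not_after": "2030-01-01T00:00:00Z", "ca": "Example CA C"},
]

# One DNS label: 1-63 chars, alphanumeric or hyphen, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def dns_name_defects(name):
    """List each way `name` violates the dNSName preferred-name syntax
    (RFC 5280 4.2.1.6 / RFC 1034 3.5). Empty list means well-formed."""
    labels = name.split(".")
    if labels and labels[0] == "*":      # tolerate one leading wildcard label
        labels = labels[1:]
    defects = []
    for i, label in enumerate(labels):
        if label == "":
            if i == 0:
                defects.append("leading dot")
            elif i == len(labels) - 1:
                defects.append("trailing dot")
            else:
                defects.append("double dot")   # the LIKE '%..%' case
        elif not LABEL_RE.match(label):
            defects.append("bad label %r" % label)
    if len(name) > 253:
        defects.append("name too long")
    return defects

def _parse_utc(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def report(rows, now_iso=None):
    """Return only rows with at least one malformed name, each annotated with
    its defects and whether notAfter is already in the past (unusable)."""
    now = _parse_utc(now_iso) if now_iso else datetime.now(timezone.utc)
    out = []
    for r in rows:
        bad = {n: dns_name_defects(n) for n in r["names"] if dns_name_defects(n)}
        if bad:
            out.append({"id": r["id"], "ca": r["ca"], "defects": bad,
                        "expired": _parse_utc(r["not_after"]) <= now})
    return out
```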