On 19/07/17 15:31, Jeremy Rowley via dev-security-policy wrote:
You should also filter out expired certs as they aren't usable.

I've added a 2nd tab that just shows unexpired certs. I'll also add a column to track the revocation status of each of these certs.

I've left the expired certs in the 1st tab, since they show historical issuance problems. Perhaps some of those CAs still have code bugs that need to be fixed.

On Jul 19, 2017, at 8:30 AM, Alex Gaynor via dev-security-policy 
<dev-security-policy@lists.mozilla.org> wrote:

I think there might be a bug in your SQL, one of the offending certs is
issued by "C=US, O=U.S. Government, OU=Department of Homeland Security,
OU=Certification Authorities, OU=DHS CA4", who are revoked using OneCRL.


On Wed, Jul 19, 2017 at 10:08 AM, Rob Stradling via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

On 18/07/17 16:57, Hanno Böck via dev-security-policy wrote:

(Due to limitations in the search methodology - scraping crt.sh
search results and looping through tlds - I only searched for ..tld. It
would certainly be valuable to search further.)

Here's a report of all "double dot" certs known to crt.sh that are usable
for server authentication and chain to a root trusted by Mozilla:


For anyone interested, here's the SQL I executed on the crt.sh DB to
produce this report:

SELECT c.ID, x509_notBefore(c.CERTIFICATE), x509_notAfter(c.CERTIFICATE),
array_to_string(array_agg(DISTINCT ci.NAME_VALUE), CHR(10)), ca.NAME
  FROM certificate_identity ci, ca, certificate c
  WHERE ci.NAME_VALUE LIKE '%..%'  -- "double dot" filter (assumed; missing from the archived copy)
    AND ci.NAME_TYPE IN ('dNSName', 'commonName')
    AND ci.ISSUER_CA_ID = ca.ID
    AND ci.CERTIFICATE_ID = c.ID   -- join to the certificate row (assumed; missing from the archived copy)
    AND EXISTS (
      SELECT 1
        FROM ca_trust_purpose ctp
        WHERE ci.ISSUER_CA_ID = ctp.CA_ID
          AND ctp.TRUST_PURPOSE_ID = 1  -- Server Authentication
          AND ctp.TRUST_CONTEXT_ID = 5  -- Mozilla
    )
    AND x509_isEKUPermitted(c.CERTIFICATE, '1.3.6.1.5.5.7.3.1')  -- id-kp-serverAuth OID (archived copy shows '')
  GROUP BY c.ID, x509_notBefore(c.CERTIFICATE),
x509_notAfter(c.CERTIFICATE), ca.NAME  -- ci.NAME_VALUE is aggregated above, so it is not grouped on
  ORDER BY ca.NAME, x509_notAfter(c.CERTIFICATE) DESC;

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

dev-security-policy mailing list
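
Added example, not part of the thread and not crt.sh's own tooling: the same "double dot" query restricted to unexpired certs, with a revocation column that consults both crt.sh's CRL data and Mozilla's OneCRL, which covers what Jeremy asked for and the DHS CA4 case Alex raised. It assumes crt.sh's PostgreSQL schema, specifically the crl_revoked(CA_ID, SERIAL_NUMBER) and mozilla_onecrl(ISSUER_CA_ID, SERIAL_NUMBER) tables and the x509_serialNumber() function; none of these appear in the thread, so check the column names against the live schema before relying on the output.

```sql
-- Added example (not from the thread). Assumed schema: crt.sh PostgreSQL,
-- with crl_revoked(CA_ID, SERIAL_NUMBER), mozilla_onecrl(ISSUER_CA_ID, SERIAL_NUMBER)
-- and x509_serialNumber(bytea) available. Verify against the live DB.
WITH double_dot AS (
  SELECT c.ID,
         c.ISSUER_CA_ID,
         x509_serialNumber(c.CERTIFICATE)  AS SERIAL_NUMBER,
         x509_notBefore(c.CERTIFICATE)     AS NOT_BEFORE,
         x509_notAfter(c.CERTIFICATE)      AS NOT_AFTER,
         array_to_string(array_agg(DISTINCT ci.NAME_VALUE), CHR(10)) AS NAMES,
         ca.NAME                           AS ISSUER
    FROM certificate_identity ci
    JOIN certificate c ON c.ID = ci.CERTIFICATE_ID
    JOIN ca           ON ca.ID = ci.ISSUER_CA_ID
   WHERE ci.NAME_VALUE LIKE '%..%'                      -- the "double dot" defect
     AND ci.NAME_TYPE IN ('dNSName', 'commonName')
     AND EXISTS (                                       -- issuer chains to a Mozilla-trusted root
           SELECT 1
             FROM ca_trust_purpose ctp
            WHERE ctp.CA_ID = ci.ISSUER_CA_ID
              AND ctp.TRUST_PURPOSE_ID = 1              -- Server Authentication
              AND ctp.TRUST_CONTEXT_ID = 5              -- Mozilla
         )
     AND x509_isEKUPermitted(c.CERTIFICATE, '1.3.6.1.5.5.7.3.1')  -- id-kp-serverAuth
     AND x509_notAfter(c.CERTIFICATE) > (now() AT TIME ZONE 'UTC') -- unexpired only
   GROUP BY c.ID, c.ISSUER_CA_ID, c.CERTIFICATE, ca.NAME
)
SELECT d.ID, d.NOT_BEFORE, d.NOT_AFTER, d.NAMES, d.ISSUER,
       CASE
         -- OneCRL entries are keyed by issuer and serial, so a cert revoked only via
         -- OneCRL (the DHS CA4 case) is caught here even if no CRL lists it.
         WHEN EXISTS (SELECT 1
                        FROM mozilla_onecrl o
                       WHERE o.ISSUER_CA_ID = d.ISSUER_CA_ID
                         AND o.SERIAL_NUMBER = d.SERIAL_NUMBER) THEN 'Revoked (OneCRL)'
         WHEN EXISTS (SELECT 1
                        FROM crl_revoked r
                       WHERE r.CA_ID = d.ISSUER_CA_ID
                         AND r.SERIAL_NUMBER = d.SERIAL_NUMBER) THEN 'Revoked (CRL)'
         ELSE 'Not revoked (per crt.sh CRL and OneCRL data)'
       END AS REVOCATION_STATUS
  FROM double_dot d
 ORDER BY d.ISSUER, d.NOT_AFTER DESC;
```

Two caveats on the revocation column: crt.sh only knows about CRLs it has fetched, so "Not revoked" means "not seen in a CRL crt.sh has", not a live OCSP answer, and matching on (issuer CA, serial) rather than certificate ID is deliberate, because OneCRL entries and CRL entries do not always carry a crt.sh certificate ID.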