As an FYI only:

We did review the one cert cited below for term length. The certificate was
issued in 2013 before the current max term duration was defined. This cert is
grandfathered in and does not require revocation. In May of this year it 
expires.

regards,
Daymion

On Sunday, April 1, 2018 at 10:25:16 PM UTC-7, Eric Mill wrote:
> Did you submit the ~25K unexpired unlogged certs to CT?
> 
> On Sat, Mar 31, 2018 at 6:14 PM, Tim Smith via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
> 
> > Hi MDSP,
> >
> > I went looking for corpuses of certificates that may not have been
> > previously logged to CT and found some in the Rapid7 "More SSL" dataset,
> > which captures certificates from their scans of non-HTTPS ports for
> > TLS-speaking services.
> >
> > I wrote up some findings at
> > http://blog.tim-smith.us/2018/03/moressl-spelunking/.
> >
> > A few highlights include:
> > - of the ~10 million certificates in the corpus, about 20% had valid
> > signatures and chained to roots included in the Mozilla trust store
> > - about 50,000 of the 2 million trusted certificates had not previously
> > been logged
> > - about half of the novel certificates were unexpired
> >
> > There were interesting examples of unexpired, non-compliant, trusted
> > certificates chaining to issuers including GoDaddy, NetLock, Logius, and
> > Entrust. (I have not taken any action to inform issuers of these findings,
> > other than this message and by publishing the certificates to CT logs.)
> >
> > I welcome any feedback or questions about the value of the approach and the
> > findings.
> >
> > Thanks,
> > Tim
> > _______________________________________________
> > dev-security-policy mailing list
> > dev-security-policy@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-security-policy
> >
> 
> 
> 
> -- 
> konklone.com | @konklone <https://twitter.com/konklone>
