Re: Increasing number of Errors found in crt.sh

Mon, 01 Oct 2018 06:56:05 -0700 

On 01/10/2018 14:48, Adriano Santoni via dev-security-policy wrote:

Thank you Rob!
If I am not mistaken, it seems to me that we have just 1 certificate in that list, and it's a non-trusted certificate (it was issued by a test CA). 

For certs issued (and logged) within the last 1 week, yes, that's correct.
The summary page only deals with the past 1 week. However, once you click on a link to (for example) https://crt.sh/?caid=31477&opt=cablint ("Actalis Domain Validation Server CA G1"), there's an undocumented feature...
Add "minNotBefore=YYYY-MM-DD" to the URL to view linting info on older certs issued by that CA. 
e.g., https://crt.sh/?caid=31477&opt=cablint&minNotBefore=2018-01-01
(This feature is undocumented because not all historical certs have been linted by crt.sh). 


Il 01/10/2018 15:43, Rob Stradling via dev-security-policy ha scritto:

On 01/10/2018 14:38, Adriano Santoni via dev-security-policy wrote:
Is it possible to filter the list https://crt.sh/?cablint=issues based on the issuing CA ? 

Yes.

First, visit this page:
https://crt.sh/?cablint=1+week
Next, click on the link in the "Issuer CN, OU or O" column that corresponds to the issuing CA you're interested in. 


Il 01/10/2018 15:26, Doug Beattie via dev-security-policy ha scritto:

Hi Wayne and all,


I've been noticing an increasing number of CA errors,
https://crt.sh/?cablint=issues  Is anyone monitoring this list and asking 
for misissuance reports for those that are not compliant? There are 15
different errors and around 300 individual errors (excluding the SHA-1
"false" errors).  Some CAs are issuing certs to CNs of localhost, are
including RFC822 SANs, not including OCSP links and many more.

-          Actalis,

-          Digicert,

-          Microsoft,

-


There are also some warning checks that should actually be errors like
underscores in CNs or SANs.


Doug


--
Rob Stradling
Senior Research & Development Scientist
Email: r...@comodoca.com

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to