Hi Adriano,

First, I didn't mean to call you out specifically, but you happened to be first alphabetically, sorry. I find this link very helpful to list all CAs with errors or warnings: https://crt.sh/?cablint=1+week

Second, how do you define a "test CA"? I thought that any CA that chains to a public root was by definition not a test CA, and since the issued cert was in CT logs, I assumed that your root was publicly trusted. Maybe I'm mistaken on one of these points.

Doug

-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Adriano Santoni via dev-security-policy
Sent: Monday, October 1, 2018 9:49 AM
To: dev-security-policy@lists.mozilla.org
Subject: Re: Increasing number of Errors found in crt.sh

Thank you Rob!

If I am not mistaken, it seems to me that we have just 1 certificate in that list, and it's a non-trusted certificate (it was issued by a test CA).

On 01/10/2018 15:43, Rob Stradling via dev-security-policy wrote:
> On 01/10/2018 14:38, Adriano Santoni via dev-security-policy wrote:
>> Is it possible to filter the list https://crt.sh/?cablint=issues
>> based on the issuing CA ?
>
> Yes.
>
> First, visit this page:
> https://crt.sh/?cablint=1+week
>
> Next, click on the link in the "Issuer CN, OU or O" column that
> corresponds to the issuing CA you're interested in.
>
>> On 01/10/2018 15:26, Doug Beattie via dev-security-policy wrote:
>>> Hi Wayne and all,
>>>
>>> I've been noticing an increasing number of CA errors,
>>> https://crt.sh/?cablint=issues Is anyone monitoring this list and
>>> asking for misissuance reports for those that are not compliant?
>>> There are 15 different errors and around 300 individual errors
>>> (excluding the SHA-1 "false" errors). Some CAs are issuing certs to
>>> CNs of localhost, are including RFC822 SANs, not including OCSP
>>> links and many more.
>>>
>>> - Actalis,
>>>
>>> - Digicert,
>>>
>>> - Microsoft,
>>>
>>> -
>>>
>>> There are also some warning checks that should actually be errors
>>> like underscores in CNs or SANs.
>>>
>>> Doug
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy