RE: Increasing number of Errors found in crt.sh

Mon, 01 Oct 2018 07:02:54 -0700 

Hi Adriano,

First, I didn't mean to call you out specifically, but you happened to be
first alphabetically, sorry.  I find this link very helpful to list all CAs
with errors or warnings: https://crt.sh/?cablint=1+week 

Second, How do you define a "test CA"?  I thought that any CA that chains to
a public root was by definition not a test CA, and since the issued cert was
in CT logs, I assumed that your root was publicly trusted.  Maybe I'm
mistaken on one of these points

Doug

-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On
Behalf Of Adriano Santoni via dev-security-policy
Sent: Monday, October 1, 2018 9:49 AM
To: dev-security-policy@lists.mozilla.org
Subject: Re: Increasing number of Errors found in crt.sh

Thank you Rob!

If I am not mistaken, it seems to me that we have just 1 certificate in that
list, and it's a non-trusted certificate (it was issued by a test CA).


Il 01/10/2018 15:43, Rob Stradling via dev-security-policy ha scritto:
> On 01/10/2018 14:38, Adriano Santoni via dev-security-policy wrote:
>> Is it possible to filter the list https://crt.sh/?cablint=issues 
>> based on the issuing CA ?
>
> Yes.
>
> First, visit this page:
> https://crt.sh/?cablint=1+week
>
> Next, click on the link in the "Issuer CN, OU or O" column that 
> corresponds to the issuing CA you're interested in.
>
>> Il 01/10/2018 15:26, Doug Beattie via dev-security-policy ha scritto:
>>> Hi Wayne and all,
>>>
>>>
>>> I've been noticing an increasing number of CA errors,
>>> https://crt.sh/?cablint=issues  Is anyone monitoring this list and 
>>> asking
>>> for misissuance reports for those that are not compliant? There are 15
>>> different errors and around 300 individual errors (excluding the SHA-1
>>> "false" errors).  Some CAs are issuing certs to CNs of localhost, are
>>> including RFC822 SANs, not including OCSP links and many more.
>>>
>>> -          Actalis,
>>>
>>> -          Digicert,
>>>
>>> -          Microsoft,
>>>
>>> -
>>>
>>>
>>> There are also some warning checks that should actually be errors like
>>> underscores in CNs or SANs.
>>>
>>>
>>> Doug
>

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to