And checking this site, how can Comodo have more certs with errors (15030) than certs issued (15020)?
Regards

________________________________________
From: dev-security-policy <[email protected]> on behalf of Adriano Santoni via dev-security-policy <[email protected]>
Sent: Monday, October 01, 2018 10:09 PM
To: Rob Stradling; Doug Beattie
Cc: mozilla-dev-security-policy
Subject: Re: Increasing number of Errors found in crt.sh

I also agree.

As I said before, that's a non-trusted certificate. It was issued by a test CA that does /not/ chain to a public root.

On 01/10/2018 16:04, Rob Stradling wrote:
> On 01/10/2018 15:02, Doug Beattie via dev-security-policy wrote:
>> Hi Adriano,
>>
>> First, I didn't mean to call you out specifically, but you happened to be
>> first alphabetically, sorry. I find this link very helpful to list all CAs
>> with errors or warnings: https://crt.sh/?cablint=1+week
>>
>> Second, how do you define a "test CA"? I thought that any CA that chains to
>> a public root was by definition not a test CA,
>
> I agree with that.
>
>> and since the issued cert was
>> in CT logs, I assumed that your root was publicly trusted. Maybe I'm
>> mistaken on one of these points
>
> Actually, some non-publicly-trusted roots are accepted by some of the
> logs that crt.sh monitors.
>
>> Doug
>>
>> -----Original Message-----
>> From: dev-security-policy <[email protected]> On Behalf Of Adriano Santoni via dev-security-policy
>> Sent: Monday, October 1, 2018 9:49 AM
>> To: [email protected]
>> Subject: Re: Increasing number of Errors found in crt.sh
>>
>> Thank you Rob!
>>
>> If I am not mistaken, it seems to me that we have just 1 certificate in that
>> list, and it's a non-trusted certificate (it was issued by a test CA).
>>
>>
>> On 01/10/2018 15:43, Rob Stradling via dev-security-policy wrote:
>>> On 01/10/2018 14:38, Adriano Santoni via dev-security-policy wrote:
>>>> Is it possible to filter the list https://crt.sh/?cablint=issues
>>>> based on the issuing CA?
>>>
>>> Yes.
>>>
>>> First, visit this page:
>>> https://crt.sh/?cablint=1+week
>>>
>>> Next, click on the link in the "Issuer CN, OU or O" column that
>>> corresponds to the issuing CA you're interested in.
>>>
>>>> On 01/10/2018 15:26, Doug Beattie via dev-security-policy wrote:
>>>>> Hi Wayne and all,
>>>>>
>>>>>
>>>>> I've been noticing an increasing number of CA errors,
>>>>> https://crt.sh/?cablint=issues Is anyone monitoring this list and asking
>>>>> for misissuance reports for those that are not compliant? There are 15
>>>>> different errors and around 300 individual errors (excluding the SHA-1
>>>>> "false" errors). Some CAs are issuing certs to CNs of localhost, are
>>>>> including RFC822 SANs, not including OCSP links and many more.
>>>>>
>>>>> - Actalis,
>>>>>
>>>>> - Digicert,
>>>>>
>>>>> - Microsoft,
>>>>>
>>>>> -
>>>>>
>>>>>
>>>>> There are also some warning checks that should actually be errors like
>>>>> underscores in CNs or SANs.
>>>>>
>>>>>
>>>>> Doug

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

