crt.sh deliberately doesn't monitor any of Google's dedicated test logs
(Testtube, Crucible, Solera20XX), but it does monitor some multi-purpose
logs that are sometimes used for testing (e.g., Dodo).
On 01/10/18 20:09, Doug Beattie wrote:
Thanks Wayne.
Rob, Adriano: I had no idea that crt.sh included logs that supported
test roots or roots that weren't in some/all root programs. I assumed
these were all production level roots that needed to comply with the
BRs. Thanks for that tidbit!
Alex: I’ll keep an eye on https://misissued.com and use that as a
better, more filtered report once it returns to life.
Doug
From: Wayne Thayer <wtha...@mozilla.com>
Sent: Monday, October 1, 2018 2:58 PM
To: Doug Beattie <doug.beat...@globalsign.com>
Cc: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: Increasing number of Errors found in crt.sh
Doug,
Responding to your original question, I look at crt.sh and other data
sources for certificate errors when reviewing inclusion requests or
doing other sorts of investigations. I am not currently reviewing the
crt.sh report for misissuance on a regular basis, but maybe I should.
I went through the current list and identified the following problems
affecting certificates trusted by Mozilla:
* KIR S.A.: Multiple issues - https://bugzilla.mozilla.org/show_bug.cgi?id=1495497
* Government of Spain FNMT: OU exceeds 64 characters - https://bugzilla.mozilla.org/show_bug.cgi?id=1495507
* Assecco DS (Certum): Unallowed key usage for EC public key - https://bugzilla.mozilla.org/show_bug.cgi?id=1495518
* Certinomis: issued & revoked a precertificate containing a SAN of 'www', didn't report it - https://bugzilla.mozilla.org/show_bug.cgi?id=1495524
- Wayne
On Mon, Oct 1, 2018 at 8:51 AM Rob Stradling via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:
Hi Iñigo.
I suspect it's because my script that produces the 1 week summary data
[1] isn't using a consistent view of the underlying linting results
throughout its processing. Hopefully this [2] will fix it.
100% errors from that Comodo issuing CA is because it's issuing SHA-1
certs that chain to a no-longer-publicly-trusted root.
[1] https://github.com/crtsh/certwatch_db/blob/master/lint_update_1week_stats.sql
[2] https://github.com/crtsh/certwatch_db/commit/8ce0c96c9c50bfb51db33c6f44c9c1d1a9f5a96c
On 01/10/2018 15:35, Inigo Barreira wrote:
> And checking this site, how can Comodo have more certs with errors
> (15030) than certs issued (15020)?
>
> Regards
> ________________________________________
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org>
> on behalf of Adriano Santoni via dev-security-policy
> <dev-security-policy@lists.mozilla.org>
> Sent: Monday, October 01, 2018 10:09 PM
> To: Rob Stradling; Doug Beattie
> Cc: mozilla-dev-security-policy
> Subject: Re: Increasing number of Errors found in crt.sh
>
> I also agree.
>
> As I said before, that's a non-trusted certificate. It was issued by a
> test CA that does /not/ chain to a public root.
>
>
> On 01/10/2018 16:04, Rob Stradling wrote:
>> On 01/10/2018 15:02, Doug Beattie via dev-security-policy wrote:
>>> Hi Adriano,
>>>
>>> First, I didn't mean to call you out specifically, but you happened
>>> to be first alphabetically, sorry. I find this link very helpful to
>>> list all CAs with errors or warnings: https://crt.sh/?cablint=1+week
>>>
>>> Second, how do you define a "test CA"? I thought that any CA that
>>> chains to a public root was by definition not a test CA,
>>
>> I agree with that.
>>
>>> and since the issued cert was in CT logs, I assumed that your root
>>> was publicly trusted. Maybe I'm mistaken on one of these points
>>
>> Actually, some non-publicly-trusted roots are accepted by some of the
>> logs that crt.sh monitors.
>>
>>> Doug
>>>
>>> -----Original Message-----
>>> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org>
>>> On Behalf Of Adriano Santoni via dev-security-policy
>>> Sent: Monday, October 1, 2018 9:49 AM
>>> To: dev-security-policy@lists.mozilla.org
>>> Subject: Re: Increasing number of Errors found in crt.sh
>>>
>>> Thank you Rob!
>>>
>>> If I am not mistaken, it seems to me that we have just 1 certificate
>>> in that list, and it's a non-trusted certificate (it was issued by a
>>> test CA).
>>>
>>>
>>> On 01/10/2018 15:43, Rob Stradling via dev-security-policy wrote:
>>>> On 01/10/2018 14:38, Adriano Santoni via dev-security-policy wrote:
>>>>> Is it possible to filter the list https://crt.sh/?cablint=issues
>>>>> based on the issuing CA ?
>>>>
>>>> Yes.
>>>>
>>>> First, visit this page:
>>>> https://crt.sh/?cablint=1+week
>>>>
>>>> Next, click on the link in the "Issuer CN, OU or O" column that
>>>> corresponds to the issuing CA you're interested in.
>>>>
>>>>> On 01/10/2018 15:26, Doug Beattie via dev-security-policy wrote:
>>>>>> Hi Wayne and all,
>>>>>>
>>>>>>
>>>>>> I've been noticing an increasing number of CA errors
>>>>>> (https://crt.sh/?cablint=issues). Is anyone monitoring this list
>>>>>> and asking for misissuance reports for those that are not
>>>>>> compliant? There are 15 different errors and around 300 individual
>>>>>> errors (excluding the SHA-1 "false" errors). Some CAs are issuing
>>>>>> certs to CNs of localhost, are including RFC822 SANs, not including
>>>>>> OCSP links and many more.
>>>>>>
>>>>>> - Actalis,
>>>>>> - Digicert,
>>>>>> - Microsoft,
>>>>>> -
>>>>>>
>>>>>> There are also some warning checks that should actually be errors
>>>>>> like underscores in CNs or SANs.
>>>>>>
>>>>>>
>>>>>> Doug
>>
--
Rob Stradling
Senior Research & Development Scientist
Email: r...@comodoca.com
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
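The thread names several concrete cablint findings (an OU longer than 64 characters, certificates for a CN of localhost, rfc822Name SANs, missing OCSP links, an EC key carrying a disallowed key usage, and underscores in names that cablint only reported as warnings), plus the question of how a CA could show more certificates with errors than certificates issued. As an added illustration, and not code from crt.sh, cablint or any of the posters, the Python below re-implements those checks over a simplified, already-parsed certificate record. The CertFields class, its field names and the two sample certificates are this example's own constructions, and summarise() computes the error count and the total from the same list, so the ratio Inigo asked about cannot exceed 100% when both numbers come from one consistent snapshot.

```python
"""Re-implementation of several cablint findings from the thread, as an added
example. Not crt.sh or cablint code: it works on a simplified, already-parsed
view of a certificate (CertFields, an assumption of this example) rather than
on DER."""
from dataclasses import dataclass, field
from typing import List, Tuple

# X.520 upper bound for organizationalUnitName (ub-organizational-unit-name).
MAX_OU_LEN = 64

# Names that can never be validated as belonging to one subscriber.
RESERVED_NAMES = {"localhost"}


@dataclass
class CertFields:
    """Simplified, already-parsed certificate view (constructed for this example)."""
    common_name: str
    organizational_units: List[str] = field(default_factory=list)
    san_dns_names: List[str] = field(default_factory=list)
    san_rfc822_names: List[str] = field(default_factory=list)
    ocsp_urls: List[str] = field(default_factory=list)
    public_key_type: str = "RSA"  # "RSA" or "EC"
    key_usage: List[str] = field(default_factory=list)


Finding = Tuple[str, str]  # (severity, message); severity is "ERROR" or "WARNING"


def is_internal_name(name: str) -> bool:
    """True for names not resolvable in the public DNS (reserved, or no dot)."""
    n = name.lower().rstrip(".")
    return n in RESERVED_NAMES or "." not in n


def lint(cert: CertFields) -> List[Finding]:
    findings: List[Finding] = []

    # BR 7.1.4.2.2 / X.520: OU values are limited to 64 characters.
    for ou in cert.organizational_units:
        if len(ou) > MAX_OU_LEN:
            findings.append(("ERROR", f"OU exceeds {MAX_OU_LEN} characters ({len(ou)})"))

    # TLS server certificates must not contain internal names such as localhost.
    for name in [cert.common_name] + cert.san_dns_names:
        if name and is_internal_name(name):
            findings.append(("ERROR", f"internal name not permitted: {name!r}"))

    # BR 7.1.4.2.1: SAN entries in a server certificate must be dNSName or iPAddress.
    for addr in cert.san_rfc822_names:
        findings.append(("ERROR", f"rfc822Name SAN not permitted: {addr!r}"))

    # At the time of the thread the BRs required an OCSP URL in the AIA extension.
    if not cert.ocsp_urls:
        findings.append(("ERROR", "no OCSP URL in Authority Information Access"))

    # RFC 5480: keyEncipherment/dataEncipherment are not valid for EC keys.
    if cert.public_key_type == "EC":
        for ku in ("keyEncipherment", "dataEncipherment"):
            if ku in cert.key_usage:
                findings.append(("ERROR", f"key usage {ku} not allowed for EC public key"))

    # Underscores are not valid in DNS host names; cablint reported this as a warning.
    for name in [cert.common_name] + cert.san_dns_names:
        if "_" in name:
            findings.append(("WARNING", f"underscore in DNS name: {name!r}"))

    return findings


def summarise(certs: List[CertFields]) -> Tuple[int, int]:
    """Return (certs_checked, certs_with_errors) computed over one consistent snapshot."""
    with_errors = sum(1 for c in certs if any(sev == "ERROR" for sev, _ in lint(c)))
    return len(certs), with_errors


# Constructed sample input (not real certificates) exercising every rule above.
BAD_CERT = CertFields(
    common_name="localhost",
    organizational_units=["A" * 70],
    san_dns_names=["my_host.example.com"],
    san_rfc822_names=["admin@example.com"],
    ocsp_urls=[],
    public_key_type="EC",
    key_usage=["digitalSignature", "keyEncipherment"],
)
GOOD_CERT = CertFields(
    common_name="www.example.com",
    organizational_units=["IT"],
    san_dns_names=["www.example.com", "example.com"],
    ocsp_urls=["http://ocsp.example.com"],
    key_usage=["digitalSignature", "keyEncipherment"],
)

if __name__ == "__main__":
    for sev, msg in lint(BAD_CERT):
        print(f"{sev}: {msg}")
    print("checked, with errors:", summarise([BAD_CERT, GOOD_CERT]))
```

The severity split mirrors the thread: the underscore check stays a warning because that is how cablint reported it, while everything Doug and Wayne listed as a BR violation is an error.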