Censys validation is in general very loose in terms of what chains it will accept. It uses the verifier in ZCrypto (same as ZLint), and mostly only checks names and signatures.

On Sun, Apr 21, 2024, 8:48 PM Matt Palmer <[email protected]> wrote:

> On Sun, Apr 21, 2024 at 03:11:13PM -0700, 'Amir Omidi (aaomidi)' via [email protected] wrote:
> > I came across an interesting certificate today:
> > https://crt.sh/?id=2385087905
> >
> > According to Censys, this certificate is publicly trusted on one of the major root programs.
> >
> > This certificate has a very long lifetime, and just seems to be *weird* in a lot of ways. Are these types of certificates okay to issue from publicly trusted roots/intermediates?
>
> It *may* fall under the "this isn't a server certificate" exception, and given that it was seemingly issued in 2017 (although it may have been issued in 2020 and backdated, based on the SCT), many of the current rules around what constitutes "valid for server authentication" may not apply in any case.
>
> > It does seem that the issuer has been revoked on Mozilla per crt:
> > https://crt.sh/?caid=74630
>
> Well, in that case, there's not much that Mozilla could do anyway.
>
> - Matt
