Hi

We run on a public instance. We inform our CA ID in the option of "CA issuance investigator Query Settings" as well as choosing the other options available in the tool.
Thanks

On Friday, December 9, 2022 at 08:11:38 UTC-3, [email protected] wrote:

> Can you confirm if you run your own instance or rely upon a public
> instance?
>
> I don't run any instances of CACHECKER. AIUI, someone at Mozilla built
> that tool, and the instance at
> https://cachecker-dot-ccadb-231121.appspot.com/ is operated by Mozilla.
>
> CACHECKER relies on the public crt.sh database, which I built, and which
> is operated by my employer (Sectigo).
>
> ------------------------------
> *From:* 'Kurt Seifried' via public <[email protected]>
> *Sent:* 09 December 2022 03:52
> *To:* Rob Stradling <[email protected]>
> *Cc:* public <[email protected]>; [email protected] <[email protected]>; Charles Reiss <[email protected]>; [email protected] <[email protected]>; Lucia Castelli <[email protected]>
> *Subject:* Re: Public Discussion of SERPRO's CA Inclusion Request
>
> CAUTION: This email originated from outside of the organization. Do not
> click links or open attachments unless you recognize the sender and know
> the content is safe.
>
> On Thu, Dec 8, 2022 at 12:46 PM Rob Stradling <[email protected]> wrote:
>
> 1) What is CACHECKER exactly (a service? software?)
>
> Hi Kurt.
>
> An instance of the service is at
> https://cachecker-dot-ccadb-231121.appspot.com/.
>
> Source code is at
> https://github.com/mozilla/CCADB-Tools/tree/master/cacheck, AIUI.
>
> Can you confirm if you run your own instance or rely upon a public
> instance?
>
> It's an alternative web UI for viewing crt.sh's cached certificate linting
> results. Whereas the crt.sh web UI currently only considers each CA
> (Name/Key) separately, CACHECKER is able to iterate through all of the
> Sub-CAs, Sub-Sub-CAs, etc below the target CA, and then summarize all of
> the linting issues in one table.
>
> ------------------------------
> *From:* 'Kurt Seifried' via public <[email protected]>
> *Sent:* 08 December 2022 17:20
> *To:* Lucia Castelli <[email protected]>
> *Cc:* public <[email protected]>; [email protected] <[email protected]>; Charles Reiss <[email protected]>; [email protected] <[email protected]>
> *Subject:* Re: Public Discussion of SERPRO's CA Inclusion Request
>
> On Thu, Dec 8, 2022 at 7:57 AM Lucia Castelli <[email protected]> wrote:
>
> Now I understand better. Thanks for rephrasing the question.
> What happened was that we started using the CACHECKER "first" instead of
> waiting for the Root CA to be alerted to wrong certificates.
> We always aim to only use CA SSL/TLS software in compliance with BR SSL
> requirements.
>
> 1) What is CACHECKER exactly (a service? software?)
>
> 2) How were you validating control of the DNS domains if you weren't
> ensuring you were only issuing certificates to DNS names? Because you
> issued many certificates to URLs, single names and so on spanning months.
>
> We understand that we need to respect the rules about the time for
> revocation, and we started intensify this issue even more if we are
> accepted in root programs.
> Well, as I read the bugzillas daily, I see that even today there are still
> CAs, that are in the program, and also have problems, keeping the
> revocation time within the rules.
>
> So to confirm: you're promising to do better once accepted into the root
> program? But you're not willing to show that you can and will do this prior
> to being accepted?
>
> We assume that we have rules to resolve issues and not remain impartial.
> Thanks about your question.
>
> On Thursday, December 8, 2022 at 11:48:38 UTC-3, [email protected] wrote:
>
> Hello:
>
> regarding this:
>
> 2 - As I explained earlier, we had problems with the SAN of all these
> certificates, alerted by Mozilla to our Root CA, as the Root CA rules
> overlapped the BR SSL rules.
>
> Unfortunately, due to the very large number of certificates, it was not
> possible to fulfill what is expected (24 hours timeline), both from the BR
> SSL regulations and what we reflect in our regulations (CPS).
>
> These revocations, unfortunately, lasted much longer than expected.
>
> We understand that we would not, yet, be infringing the rules, because our
> certificate is not in the Mozilla program.
>
> I suppose my question is what specific operational changes have been made
> on your side since then so that the inability to fulfill the baseline
> requirements won't remain an issue were you to be part of Mozilla's program?
>
> --
> You received this message because you are subscribed to the Google Groups
> "public" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/ccadb.org/d/msgid/public/63ca387d-fcd3-44b3-9838-fdca227134f6n%40ccadb.org.
>
> --
> Kurt Seifried (He/Him)
> [email protected]

--
You received this message because you are subscribed to the Google Groups "public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/1694875e-3a60-4ecb-b827-2ea740438456n%40ccadb.org.
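
The behaviour Rob Stradling describes in the quoted thread (walk every Sub-CA and Sub-Sub-CA below a target CA, then summarize all linting issues in one table) is illustrated below as an added example; it is not part of the thread and is not CACHECKER's or crt.sh's code. The CA IDs, data layout, lint descriptions and counts are constructed, and the visited-set guard assumes a CA can be reachable by more than one path (for example through cross-certification).

```python
from collections import Counter

# Constructed sample data (not real crt.sh records): each CA is keyed by a
# hypothetical numeric CA ID, lists the CA IDs it has issued CA certificates
# to, and carries lint findings as (severity, description) -> certificate count.
SAMPLE_CAS = {
    1: {"name": "Example Root CA", "children": [2, 3], "lint": {}},
    2: {"name": "Example TLS Sub-CA", "children": [4],
        "lint": {("ERROR", "SAN dNSName is not an FQDN"): 12}},
    3: {"name": "Example Cross-Signed CA", "children": [1, 4],  # loops back to the root
        "lint": {("WARNING", "validity period too long"): 3}},
    4: {"name": "Example Sub-Sub-CA", "children": [],
        "lint": {("ERROR", "SAN dNSName is not an FQDN"): 5,
                 ("ERROR", "SAN contains a URL"): 2}},
}

def descendants(cas, root_id):
    """Return the target CA and every CA below it, each exactly once."""
    seen, stack, order = set(), [root_id], []
    while stack:
        ca_id = stack.pop()
        if ca_id in seen or ca_id not in cas:
            continue  # shared child, cross-sign loop, or unknown ID: do not recount
        seen.add(ca_id)
        order.append(ca_id)
        stack.extend(reversed(cas[ca_id]["children"]))
    return order

def summarize(cas, root_id):
    """Sum lint findings over the whole hierarchy below root_id."""
    totals = Counter()
    for ca_id in descendants(cas, root_id):
        totals.update(cas[ca_id]["lint"])
    # "ERROR" sorts before "WARNING"; within a severity, highest count first.
    return sorted(totals.items(), key=lambda kv: (kv[0][0], -kv[1]))

def render(rows):
    """Format the summary rows as one plain-text table."""
    lines = [f"{'SEVERITY':<8}  {'CERTS':>5}  LINT"]
    lines += [f"{sev:<8}  {n:>5}  {lint}" for (sev, lint), n in rows]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(summarize(SAMPLE_CAS, 1)))
```

Without the visited set, CA 4 would be counted once per issuing path and the loop from CA 3 back to CA 1 would never terminate, so the per-hierarchy totals would be wrong or never produced.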
