crt.sh deliberately doesn't monitor any of Google's dedicated test logs
(Testtube, Crucible, Solera20XX), but it does monitor some multi-purpose
logs that are sometimes used for testing (e.g., Dodo).
On 01/10/18 20:09, Doug Beattie wrote:
Thanks Wayne.
Rob, Adriano : I had no idea that crt.sh
Thanks Wayne.
Rob, Adriano : I had no idea that crt.sh included logs that supported test
roots or roots that weren’t in some/all root programs. I assumed these were
all production level roots that needed to comply with the BRs. Thanks for that
tid-bit!
Alex: I’ll keep an eye on https:/
Doug,
Responding to your original question, I look at crt.sh and other data
sources for certificate errors when reviewing inclusion requests or doing
other sorts of investigations. I am not currently reviewing the crt.sh
report for misissuance on a regular basis, but maybe I should.
I went throug
On Mon, Oct 1, 2018 at 9:21 AM Dimitris Zacharopoulos
wrote:
> No, this was not about the domain name but about the information displayed
> to the Relying Party with the attributes included in the OV/EV Certificate
> (primarily the Organization). So, I'm still uncertain if Ian's "misleading
> str
Hi Iñigo.
I suspect it's because my script that produces the 1 week summary data
[1] isn't using a consistent view of the underlying linting results
throughout its processing. Hopefully this [2] will fix it.
100% errors from that Comodo issuing CA is because it's issuing SHA-1
certs that ch
Wayne,
I confirm that the only change following this investment is the update of the
overview chapter.
Best regards,
Yves
From: Wayne Thayer [mailto:wtha...@mozilla.com]
Sent: 28 September 2018 21:19
To: Yves Nullens
Cc: mozilla-dev-security-policy
Subject: Re: InfoCert investment in LuxTrust
Yeah, it would be good to make it possible to filter
https://crt.sh/?cablint=1+week by trust context.
On 01/10/2018 15:07, Alex Gaynor wrote:
A broader issue is that a lot of the certs listed on these pages are
publicly-trusted, but not by the Mozilla Root Program, that is to say,
Microsoft or
And checking this site, how can Comodo have more certs with errors (15030) than
certs issued (15020).
Regards
From: dev-security-policy on
behalf of Adriano Santoni via dev-security-policy
Sent: Monday, October 01, 2018 10:09 PM
To: Rob Stradling; Dou
I also agree.
As I said before, that's a non-trusted certificate. It was issued by a
test CA that does /not/ chain to a public root.
On 01/10/2018 16:04, Rob Stradling wrote:
On 01/10/2018 15:02, Doug Beattie via dev-security-policy wrote:
Hi Adriano,
First, I didn't mean to call you
A broader issue is that a lot of the certs listed on these pages are
publicly-trusted, but not by the Mozilla Root Program, that is to say,
Microsoft or Apple (or occasionally Adobe) trusts them.
misissued.com (which is currently erroring on all requests 😬) tried to
address this by only showing c
On 01/10/2018 15:02, Doug Beattie via dev-security-policy wrote:
Hi Adriano,
First, I didn't mean to call you out specifically, but you happened to be
first alphabetically, sorry. I find this link very helpful to list all CAs
with errors or warnings: https://crt.sh/?cablint=1+week
Second, how
Getting the whitelist figured out and workable will take a while. Disclosure
could happen much faster.
And I’m curious why you think it would be unauditable. It seems
pretty straightforward to verify such disclosures.
I think both ideas are worth considering. There’s no reason we hav
Hi Adriano,
First, I didn't mean to call you out specifically, but you happened to be
first alphabetically, sorry. I find this link very helpful to list all CAs
with errors or warnings: https://crt.sh/?cablint=1+week
Second, how do you define a "test CA"? I thought that any CA that chains to
a
On 01/10/2018 14:48, Adriano Santoni via dev-security-policy wrote:
Thank you Rob!
If I am not mistaken, it seems to me that we have just 1 certificate in
that list, and it's a non-trusted certificate (it was issued by a test CA).
For certs issued (and logged) within the last 1 week, yes, tha
Thank you Rob!
If I am not mistaken, it seems to me that we have just 1 certificate in
that list, and it's a non-trusted certificate (it was issued by a test CA).
On 01/10/2018 15:43, Rob Stradling via dev-security-policy wrote:
On 01/10/2018 14:38, Adriano Santoni via dev-security-poli
On 01/10/2018 14:38, Adriano Santoni via dev-security-policy wrote:
Is it possible to filter the list https://crt.sh/?cablint=issues based
on the issuing CA ?
Yes.
First, visit this page:
https://crt.sh/?cablint=1+week
Next, click on the link in the "Issuer CN, OU or O" column that
correspon
Is it possible to filter the list https://crt.sh/?cablint=issues based
on the issuing CA ?
On 01/10/2018 15:26, Doug Beattie via dev-security-policy wrote:
Hi Wayne and all,
I've been noticing an increasing number of CA errors,
https://crt.sh/?cablint=issues Is anyone monitoring thi
That last email got away from me before I finished compiling the list, but
you get the idea.
-Original Message-
From: dev-security-policy On
Behalf Of Doug Beattie via dev-security-policy
Sent: Monday, October 1, 2018 9:27 AM
To: mozilla-dev-security-policy
Subject: Increasing number of
Hi Wayne and all,
I've been noticing an increasing number of CA errors,
https://crt.sh/?cablint=issues Is anyone monitoring this list and asking
for misissuance reports for those that are not compliant? There are 15
different errors and around 300 individual errors (excluding the SHA-1
"false
On 1/10/2018 1:06 PM, Ryan Sleevi via dev-security-policy wrote:
On Mon, Oct 1, 2018 at 2:55 AM Dimitris Zacharopoulos
wrote:
Perhaps I am confusing different past discussions. If I recall correctly,
in previous discussions we described the case where an attacker tries to
get a certificate for
On Wed, Sep 26, 2018 at 07:36:57AM -0700, josselin.allemandou--- via
dev-security-policy wrote:
> Thank you for your exchanges. We hope that the additions below will answer
> your questions.
It appears that your response has removed most indications of what parts of
your message are my questions
On Mon, Oct 1, 2018 at 2:55 AM Dimitris Zacharopoulos
wrote:
> Perhaps I am confusing different past discussions. If I recall correctly,
> in previous discussions we described the case where an attacker tries to
> get a certificate for a company "Example Inc." with domain "example.com".
> This do
22 matches