Re: Discovering unlogged certificates in internet-wide scans

2018-04-12 Thread Tim Smith via dev-security-policy
Hi Stephen,
Thank you for the correction; I regret the error.
On Tue, Apr 10, 2018 at 8:12 AM Stephen Davidson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> These certificates are compliant with the BR and contain the required
> extKeyUsage values for both

Re: Discovering unlogged certificates in internet-wide scans

2018-04-09 Thread Tim Smith via dev-security-policy
On Mon, Apr 9, 2018 at 9:46 AM Daymion Reynolds via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> As an FYI only:
>
> We did review the one cert cited below for term length. The certificate
> was issued in 2013 before the current max term duration was defined. This
> cert

Re: Discovering unlogged certificates in internet-wide scans

2018-03-31 Thread Tim Smith via dev-security-policy
On Sat, Mar 31, 2018 at 6:28 PM, Michael Casadevall via dev-security-policy wrote:
> Pretty interesting read, and always happy to see more information go
> into CT. One thing I couldn't divine from your data was how did you look
> for non-HTTPS services? Did

Re: Discovering unlogged certificates in internet-wide scans

2018-03-31 Thread Tim Smith via dev-security-policy
On Sat, Mar 31, 2018 at 3:26 PM, Kurt Roeckx wrote:
> Have you done the for their other scans?
I haven't. The Rapid7 HTTPS corpus is much larger; I'm not sure my approach will scale that far and I imagine the new discovery rate will be lower. Censys has been interested in

Discovering unlogged certificates in internet-wide scans

2018-03-31 Thread Tim Smith via dev-security-policy
Hi MDSP, I went looking for corpuses of certificates that may not have been previously logged to CT and found some in the Rapid7 "More SSL" dataset, which captures certificates from their scans of non-HTTPS ports for TLS-speaking services. I wrote up some findings at

Re: Public trust of VISA's CA

2018-02-14 Thread Tim Smith via dev-security-policy
On Wednesday, February 14, 2018 at 8:43:19 AM UTC-8, Wayne Thayer wrote:
> In this particular case, my conclusion is that the existing Mozilla
> process is working. We have documented a number of issues that when
> considered in aggregate warrant an investigation.
Hi Wayne, Forgive me if I'm