Re: Increasing number of Errors found in crt.sh
On 01/10/2018 16:51, Rob Stradling via dev-security-policy wrote:
> Hi Iñigo.
>
> I suspect it's because my script that produces the 1 week summary data [1] isn't using a consistent view of the underlying linting results throughout its processing. Hopefully this [2] will fix it.

Doh. [2] was ineffective. I'll have another look at this sometime.

> 100% errors from that Comodo issuing CA is because it's issuing SHA-1 certs that chain to a no-longer-publicly-trusted root.
>
> [1] https://github.com/crtsh/certwatch_db/blob/master/lint_update_1week_stats.sql
> [2] https://github.com/crtsh/certwatch_db/commit/8ce0c96c9c50bfb51db33c6f44c9c1d1a9f5a96c
>
> On 01/10/2018 15:35, Inigo Barreira wrote:
>> And checking this site, how can Comodo have more certs with errors (15030) than certs issued (15020).
>>
>> Regards
>>
>> From: dev-security-policy on behalf of Adriano Santoni via dev-security-policy
>> Sent: Monday, October 01, 2018 10:09 PM
>> To: Rob Stradling; Doug Beattie
>> Cc: mozilla-dev-security-policy
>> Subject: Re: Increasing number of Errors found in crt.sh
>>
>> I also agree.
>>
>> As I said before, that's a non-trusted certificate. It was issued by a test CA that does /not/ chain to a public root.
>>
>> On 01/10/2018 16:04, Rob Stradling wrote:
>>> On 01/10/2018 15:02, Doug Beattie via dev-security-policy wrote:
>>>> Hi Adriano,
>>>>
>>>> First, I didn't mean to call you out specifically, but you happened to be first alphabetically, sorry. I find this link very helpful to list all CAs with errors or warnings: https://crt.sh/?cablint=1+week
>>>>
>>>> Second, how do you define a "test CA"? I thought that any CA that chains to a public root was by definition not a test CA,
>>>
>>> I agree with that.
>>>
>>>> and since the issued cert was in CT logs, I assumed that your root was publicly trusted. Maybe I'm mistaken on one of these points
>>>
>>> Actually, some non-publicly-trusted roots are accepted by some of the logs that crt.sh monitors.
>>>
>>>> Doug
>>>>
>>>> -----Original Message-----
>>>> From: dev-security-policy On Behalf Of Adriano Santoni via dev-security-policy
>>>> Sent: Monday, October 1, 2018 9:49 AM
>>>> To: dev-security-policy@lists.mozilla.org
>>>> Subject: Re: Increasing number of Errors found in crt.sh
>>>>
>>>> Thank you Rob!
>>>>
>>>> If I am not mistaken, it seems to me that we have just 1 certificate in that list, and it's a non-trusted certificate (it was issued by a test CA).
>>>>
>>>> On 01/10/2018 15:43, Rob Stradling via dev-security-policy wrote:
>>>>> On 01/10/2018 14:38, Adriano Santoni via dev-security-policy wrote:
>>>>>> Is it possible to filter the list https://crt.sh/?cablint=issues based on the issuing CA?
>>>>>
>>>>> Yes.
>>>>>
>>>>> First, visit this page: https://crt.sh/?cablint=1+week
>>>>>
>>>>> Next, click on the link in the "Issuer CN, OU or O" column that corresponds to the issuing CA you're interested in.
>>>>>
>>>>>> On 01/10/2018 15:26, Doug Beattie via dev-security-policy wrote:
>>>>>>> Hi Wayne and all,
>>>>>>>
>>>>>>> I've been noticing an increasing number of CA errors, https://crt.sh/?cablint=issues Is anyone monitoring this list and asking for misissuance reports for those that are not compliant? There are 15 different errors and around 300 individual errors (excluding the SHA-1 "false" errors). Some CAs are issuing certs to CNs of localhost, are including RFC822 SANs, not including OCSP links and many more.
>>>>>>>
>>>>>>> - Actalis,
>>>>>>> - Digicert,
>>>>>>> - Microsoft,
>>>>>>> -
>>>>>>>
>>>>>>> There are also some warning checks that should actually be errors like underscores in CNs or SANs.
>>>>>>>
>>>>>>> Doug

-- 
Rob Stradling
Senior Research & Development Scientist
Email: r...@comodoca.com
Bradford, UK
Office: +441274730505
ComodoCA.com

This message and any files associated with it may contain legally privileged, confidential, or proprietary information. If you are not the intended recipient, you are not permitted to use, copy, or forward it, in whole or in part without the express consent of the sender. Please notify the sender by reply email, disregard the foregoing messages, and delete it immediately.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: Increasing number of Errors found in crt.sh
crt.sh deliberately doesn't monitor any of Google's dedicated test logs (Testtube, Crucible, Solera20XX), but it does monitor some multi-purpose logs that are sometimes used for testing (e.g., Dodo).

On 01/10/18 20:09, Doug Beattie wrote:
> Thanks Wayne.
>
> Rob, Adriano: I had no idea that crt.sh included logs that supported test roots or roots that weren't in some/all root programs. I assumed these were all production level roots that needed to comply with the BRs. Thanks for that tidbit!
>
> Alex: I'll keep an eye on https://misissued.com and use that as a better, more filtered report once it returns to life.
>
> Doug
RE: Increasing number of Errors found in crt.sh
Thanks Wayne.

Rob, Adriano: I had no idea that crt.sh included logs that supported test roots or roots that weren't in some/all root programs. I assumed these were all production level roots that needed to comply with the BRs. Thanks for that tidbit!

Alex: I'll keep an eye on https://misissued.com and use that as a better, more filtered report once it returns to life.

Doug

From: Wayne Thayer
Sent: Monday, October 1, 2018 2:58 PM
To: Doug Beattie
Cc: mozilla-dev-security-policy
Subject: Re: Increasing number of Errors found in crt.sh

Doug,

Responding to your original question, I look at crt.sh and other data sources for certificate errors when reviewing inclusion requests or doing other sorts of investigations. I am not currently reviewing the crt.sh report for misissuance on a regular basis, but maybe I should. I went through the current list and identified the following problems affecting certificates trusted by Mozilla:

* KIR S.A.: Multiple issues - https://bugzilla.mozilla.org/show_bug.cgi?id=1495497
* Government of Spain FNMT: OU exceeds 64 characters - https://bugzilla.mozilla.org/show_bug.cgi?id=1495507
* Assecco DS (Certum): Unallowed key usage for EC public key - https://bugzilla.mozilla.org/show_bug.cgi?id=1495518
* Certinomis: issued & revoked a precertificate containing a SAN of 'www', didn't report it - https://bugzilla.mozilla.org/show_bug.cgi?id=1495524

- Wayne
Re: Increasing number of Errors found in crt.sh
Doug,

Responding to your original question, I look at crt.sh and other data sources for certificate errors when reviewing inclusion requests or doing other sorts of investigations. I am not currently reviewing the crt.sh report for misissuance on a regular basis, but maybe I should. I went through the current list and identified the following problems affecting certificates trusted by Mozilla:

* KIR S.A.: Multiple issues - https://bugzilla.mozilla.org/show_bug.cgi?id=1495497
* Government of Spain FNMT: OU exceeds 64 characters - https://bugzilla.mozilla.org/show_bug.cgi?id=1495507
* Assecco DS (Certum): Unallowed key usage for EC public key - https://bugzilla.mozilla.org/show_bug.cgi?id=1495518
* Certinomis: issued & revoked a precertificate containing a SAN of 'www', didn't report it - https://bugzilla.mozilla.org/show_bug.cgi?id=1495524

- Wayne

On Mon, Oct 1, 2018 at 8:51 AM Rob Stradling via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Hi Iñigo.
>
> I suspect it's because my script that produces the 1 week summary data [1] isn't using a consistent view of the underlying linting results throughout its processing. Hopefully this [2] will fix it.
>
> 100% errors from that Comodo issuing CA is because it's issuing SHA-1 certs that chain to a no-longer-publicly-trusted root.
>
> [1] https://github.com/crtsh/certwatch_db/blob/master/lint_update_1week_stats.sql
> [2] https://github.com/crtsh/certwatch_db/commit/8ce0c96c9c50bfb51db33c6f44c9c1d1a9f5a96c
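The findings Wayne lists above, together with the ones Doug raised in the original message (CNs of localhost, RFC822 SANs, missing OCSP links, underscores, a bare SAN of 'www', keyEncipherment on an EC key, an OU over 64 characters, SHA-1 signatures), are the kind of checks cablint runs. The following is an added example and not crt.sh or cablint code: a small Python linter built on the `cryptography` library that flags exactly those findings on a constructed self-signed test certificate, with a compliant variant for comparison; all function names and the example.com values are the example's own, and chain/trust-context checks are out of scope.

```python
# Added example (not crt.sh/cablint code): a minimal linter for the findings
# discussed in the thread, checked against a constructed self-signed cert.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import (AuthorityInformationAccessOID, ExtensionOID,
                                   NameOID)


def _extension(cert, oid):
    """Return the extension value for oid, or None if the cert lacks it."""
    try:
        return cert.extensions.get_extension_for_oid(oid).value
    except x509.ExtensionNotFound:
        return None


def lint(cert):
    """Return a list of human-readable findings for a server certificate."""
    findings = []
    # Subject checks: CN of localhost, underscores, OU longer than X.520 allows (64).
    for cn in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME):
        if cn.value.lower() == "localhost":
            findings.append("ERROR: subject CN is localhost")
        if "_" in cn.value:
            findings.append("ERROR: underscore in subject CN")
    for ou in cert.subject.get_attributes_for_oid(NameOID.ORGANIZATIONAL_UNIT_NAME):
        if len(ou.value) > 64:
            findings.append("ERROR: OU exceeds 64 characters")
    # SAN checks: email (RFC822) names, non-FQDN names such as 'www', underscores.
    san = _extension(cert, ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
    if san is not None:
        if san.get_values_for_type(x509.RFC822Name):
            findings.append("ERROR: RFC822 (email) SAN in a server certificate")
        for name in san.get_values_for_type(x509.DNSName):
            if "." not in name.strip("."):
                findings.append("ERROR: DNS SAN is not a FQDN: %r" % name)
            if "_" in name:
                findings.append("ERROR: underscore in DNS SAN: %r" % name)
    # Revocation: an OCSP responder URL must be present in Authority Information Access.
    aia = _extension(cert, ExtensionOID.AUTHORITY_INFORMATION_ACCESS)
    if aia is None or not any(ad.access_method == AuthorityInformationAccessOID.OCSP
                              for ad in aia):
        findings.append("ERROR: no OCSP URL in Authority Information Access")
    # Key usage: keyEncipherment is meaningless for an EC public key.
    ku = _extension(cert, ExtensionOID.KEY_USAGE)
    if (isinstance(cert.public_key(), ec.EllipticCurvePublicKey)
            and ku is not None and ku.key_encipherment):
        findings.append("ERROR: keyEncipherment set for an EC public key")
    # Signature algorithm: SHA-1 is no longer acceptable for publicly trusted certs.
    if isinstance(cert.signature_hash_algorithm, hashes.SHA1):
        findings.append("ERROR: certificate signed with SHA-1")
    return findings


def build_test_cert(compliant):
    """Construct a self-signed cert that is either clean or exhibits the findings."""
    key = ec.generate_private_key(ec.SECP256R1())
    if compliant:
        subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.example.com"),
                             x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "IT")])
        san = x509.SubjectAlternativeName([x509.DNSName("www.example.com")])
    else:  # constructed bad values: localhost CN, 70-char OU, 'www' and email SANs
        subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "localhost"),
                             x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "O" * 70)])
        san = x509.SubjectAlternativeName([x509.DNSName("www"),
                                           x509.RFC822Name("admin@example.com")])
    key_usage = x509.KeyUsage(digital_signature=True, key_encipherment=not compliant,
                              content_commitment=False, data_encipherment=False,
                              key_agreement=False, key_cert_sign=False, crl_sign=False,
                              encipher_only=False, decipher_only=False)
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(subject).issuer_name(subject)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now)
               .not_valid_after(now + datetime.timedelta(days=30))
               .add_extension(san, critical=False)
               .add_extension(key_usage, critical=True))
    if compliant:  # the bad variant deliberately omits the OCSP pointer
        ocsp = x509.AccessDescription(
            AuthorityInformationAccessOID.OCSP,
            x509.UniformResourceIdentifier("http://ocsp.example.com"))
        builder = builder.add_extension(x509.AuthorityInformationAccess([ocsp]),
                                        critical=False)
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    for finding in lint(build_test_cert(compliant=False)):
        print(finding)
```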
Re: Increasing number of Errors found in crt.sh
Hi Iñigo.

I suspect it's because my script that produces the 1 week summary data [1] isn't using a consistent view of the underlying linting results throughout its processing. Hopefully this [2] will fix it.

100% errors from that Comodo issuing CA is because it's issuing SHA-1 certs that chain to a no-longer-publicly-trusted root.

[1] https://github.com/crtsh/certwatch_db/blob/master/lint_update_1week_stats.sql
[2] https://github.com/crtsh/certwatch_db/commit/8ce0c96c9c50bfb51db33c6f44c9c1d1a9f5a96c

On 01/10/2018 15:35, Inigo Barreira wrote:
> And checking this site, how can Comodo have more certs with errors (15030) than certs issued (15020).
>
> Regards

-- 
Rob Stradling
Senior Research & Development Scientist
Email: r...@comodoca.com
Re: Increasing number of Errors found in crt.sh
Yeah, it would be good to make it possible to filter https://crt.sh/?cablint=1+week by trust context.

On 01/10/2018 15:07, Alex Gaynor wrote:
> A broader issue is that a lot of the certs listed on these pages are publicly-trusted, but not by the Mozilla Root Program, that is to say, Microsoft or Apple (or occasionally Adobe) trusts them.
>
> misissued.com (which is currently erroring on all requests) tried to address this by only showing certificates from CA's in the Mozilla Root Program, since that's the extent of our jurisdiction (and CA's applying for inclusion, which in some cases are ones which have a history of non-compliance under other root programs, but there's no way to programmatically tell if a CA is applying for inclusion).
>
> Alex

-- 
Rob Stradling
Senior Research & Development Scientist
Email: r...@comodoca.com
RE: Increasing number of Errors found in crt.sh
And checking this site, how can Comodo have more certs with errors (15030) than certs issued (15020).

Regards

From: dev-security-policy on behalf of Adriano Santoni via dev-security-policy
Sent: Monday, October 01, 2018 10:09 PM
To: Rob Stradling; Doug Beattie
Cc: mozilla-dev-security-policy
Subject: Re: Increasing number of Errors found in crt.sh

I also agree.

As I said before, that's a non-trusted certificate. It was issued by a test CA that does /not/ chain to a public root.
Re: Increasing number of Errors found in crt.sh
I also agree.

As I said before, that's a non-trusted certificate. It was issued by a test CA that does /not/ chain to a public root.

On 01/10/2018 16:04, Rob Stradling wrote:
> On 01/10/2018 15:02, Doug Beattie via dev-security-policy wrote:
>> Hi Adriano,
>>
>> First, I didn't mean to call you out specifically, but you happened to be first alphabetically, sorry. I find this link very helpful to list all CAs with errors or warnings: https://crt.sh/?cablint=1+week
>>
>> Second, how do you define a "test CA"? I thought that any CA that chains to a public root was by definition not a test CA,
>
> I agree with that.
>
>> and since the issued cert was in CT logs, I assumed that your root was publicly trusted. Maybe I'm mistaken on one of these points
>
> Actually, some non-publicly-trusted roots are accepted by some of the logs that crt.sh monitors.
>
>> Doug
Re: Increasing number of Errors found in crt.sh
A broader issue is that a lot of the certs listed on these pages are publicly-trusted, but not by the Mozilla Root Program, that is to say, Microsoft or Apple (or occasionally Adobe) trusts them.

misissued.com (which is currently erroring on all requests) tried to address this by only showing certificates from CA's in the Mozilla Root Program, since that's the extent of our jurisdiction (and CA's applying for inclusion, which in some cases are ones which have a history of non-compliance under other root programs, but there's no way to programmatically tell if a CA is applying for inclusion).

Alex

On Mon, Oct 1, 2018 at 10:05 AM Rob Stradling via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> On 01/10/2018 15:02, Doug Beattie via dev-security-policy wrote:
>> Hi Adriano,
>>
>> First, I didn't mean to call you out specifically, but you happened to be first alphabetically, sorry. I find this link very helpful to list all CAs with errors or warnings: https://crt.sh/?cablint=1+week
>>
>> Second, how do you define a "test CA"? I thought that any CA that chains to a public root was by definition not a test CA,
>
> I agree with that.
>
>> and since the issued cert was in CT logs, I assumed that your root was publicly trusted. Maybe I'm mistaken on one of these points
>
> Actually, some non-publicly-trusted roots are accepted by some of the logs that crt.sh monitors.
>
>> Doug
Re: Increasing number of Errors found in crt.sh
On 01/10/2018 15:02, Doug Beattie via dev-security-policy wrote:
> Hi Adriano,
>
> First, I didn't mean to call you out specifically, but you happened to be first alphabetically, sorry. I find this link very helpful to list all CAs with errors or warnings: https://crt.sh/?cablint=1+week
>
> Second, how do you define a "test CA"? I thought that any CA that chains to a public root was by definition not a test CA,

I agree with that.

> and since the issued cert was in CT logs, I assumed that your root was publicly trusted. Maybe I'm mistaken on one of these points

Actually, some non-publicly-trusted roots are accepted by some of the logs that crt.sh monitors.

> Doug
>
> -----Original Message-----
> From: dev-security-policy On Behalf Of Adriano Santoni via dev-security-policy
> Sent: Monday, October 1, 2018 9:49 AM
> To: dev-security-policy@lists.mozilla.org
> Subject: Re: Increasing number of Errors found in crt.sh
>
> Thank you Rob!
>
> If I am not mistaken, it seems to me that we have just 1 certificate in that list, and it's a non-trusted certificate (it was issued by a test CA).
>
> On 01/10/2018 15:43, Rob Stradling via dev-security-policy wrote:
>> On 01/10/2018 14:38, Adriano Santoni via dev-security-policy wrote:
>>> Is it possible to filter the list https://crt.sh/?cablint=issues based on the issuing CA ?
>>
>> Yes.
>>
>> First, visit this page: https://crt.sh/?cablint=1+week
>>
>> Next, click on the link in the "Issuer CN, OU or O" column that corresponds to the issuing CA you're interested in.
>>
>>> On 01/10/2018 15:26, Doug Beattie via dev-security-policy wrote:
>>>> Hi Wayne and all,
>>>>
>>>> I've been noticing an increasing number of CA errors, https://crt.sh/?cablint=issues Is anyone monitoring this list and asking for misissuance reports for those that are not compliant? There are 15 different errors and around 300 individual errors (excluding the SHA-1 "false" errors). Some CAs are issuing certs to CNs of localhost, are including RFC822 SANs, not including OCSP links and many more.
>>>>
>>>> - Actalis,
>>>> - Digicert,
>>>> - Microsoft,
>>>> -
>>>>
>>>> There are also some warning checks that should actually be errors like underscores in CNs or SANs.
>>>>
>>>> Doug

--
Rob Stradling
Senior Research & Development Scientist
Email: r...@comodoca.com
RE: Increasing number of Errors found in crt.sh
Hi Adriano,

First, I didn't mean to call you out specifically, but you happened to be first alphabetically, sorry. I find this link very helpful to list all CAs with errors or warnings: https://crt.sh/?cablint=1+week

Second, how do you define a "test CA"? I thought that any CA that chains to a public root was by definition not a test CA, and since the issued cert was in CT logs, I assumed that your root was publicly trusted. Maybe I'm mistaken on one of these points

Doug

-----Original Message-----
From: dev-security-policy On Behalf Of Adriano Santoni via dev-security-policy
Sent: Monday, October 1, 2018 9:49 AM
To: dev-security-policy@lists.mozilla.org
Subject: Re: Increasing number of Errors found in crt.sh

Thank you Rob!

If I am not mistaken, it seems to me that we have just 1 certificate in that list, and it's a non-trusted certificate (it was issued by a test CA).

On 01/10/2018 15:43, Rob Stradling via dev-security-policy wrote:
> On 01/10/2018 14:38, Adriano Santoni via dev-security-policy wrote:
>> Is it possible to filter the list https://crt.sh/?cablint=issues based on the issuing CA ?
>
> Yes.
>
> First, visit this page: https://crt.sh/?cablint=1+week
>
> Next, click on the link in the "Issuer CN, OU or O" column that corresponds to the issuing CA you're interested in.
>
>> On 01/10/2018 15:26, Doug Beattie via dev-security-policy wrote:
>>> Hi Wayne and all,
>>>
>>> I've been noticing an increasing number of CA errors, https://crt.sh/?cablint=issues Is anyone monitoring this list and asking for misissuance reports for those that are not compliant? There are 15 different errors and around 300 individual errors (excluding the SHA-1 "false" errors). Some CAs are issuing certs to CNs of localhost, are including RFC822 SANs, not including OCSP links and many more.
>>>
>>> - Actalis,
>>> - Digicert,
>>> - Microsoft,
>>> -
>>>
>>> There are also some warning checks that should actually be errors like underscores in CNs or SANs.
>>>
>>> Doug
Re: Increasing number of Errors found in crt.sh
On 01/10/2018 14:48, Adriano Santoni via dev-security-policy wrote:
> Thank you Rob!
>
> If I am not mistaken, it seems to me that we have just 1 certificate in that list, and it's a non-trusted certificate (it was issued by a test CA).

For certs issued (and logged) within the last 1 week, yes, that's correct. The summary page only deals with the past 1 week.

However, once you click on a link to (for example) https://crt.sh/?caid=31477&opt=cablint ("Actalis Domain Validation Server CA G1"), there's an undocumented feature...

Add "minNotBefore=YYYY-MM-DD" to the URL to view linting info on older certs issued by that CA. e.g., https://crt.sh/?caid=31477&opt=cablint&minNotBefore=2018-01-01

(This feature is undocumented because not all historical certs have been linted by crt.sh).

> On 01/10/2018 15:43, Rob Stradling via dev-security-policy wrote:
>> On 01/10/2018 14:38, Adriano Santoni via dev-security-policy wrote:
>>> Is it possible to filter the list https://crt.sh/?cablint=issues based on the issuing CA ?
>>
>> Yes.
>>
>> First, visit this page: https://crt.sh/?cablint=1+week
>>
>> Next, click on the link in the "Issuer CN, OU or O" column that corresponds to the issuing CA you're interested in.
>>
>>> On 01/10/2018 15:26, Doug Beattie via dev-security-policy wrote:
>>>> Hi Wayne and all,
>>>>
>>>> I've been noticing an increasing number of CA errors, https://crt.sh/?cablint=issues Is anyone monitoring this list and asking for misissuance reports for those that are not compliant? There are 15 different errors and around 300 individual errors (excluding the SHA-1 "false" errors). Some CAs are issuing certs to CNs of localhost, are including RFC822 SANs, not including OCSP links and many more.
>>>>
>>>> - Actalis,
>>>> - Digicert,
>>>> - Microsoft,
>>>> -
>>>>
>>>> There are also some warning checks that should actually be errors like underscores in CNs or SANs.
>>>>
>>>> Doug

--
Rob Stradling
Senior Research & Development Scientist
Email: r...@comodoca.com
Re: Increasing number of Errors found in crt.sh
Thank you Rob!

If I am not mistaken, it seems to me that we have just 1 certificate in that list, and it's a non-trusted certificate (it was issued by a test CA).

On 01/10/2018 15:43, Rob Stradling via dev-security-policy wrote:
> On 01/10/2018 14:38, Adriano Santoni via dev-security-policy wrote:
>> Is it possible to filter the list https://crt.sh/?cablint=issues based on the issuing CA ?
>
> Yes.
>
> First, visit this page: https://crt.sh/?cablint=1+week
>
> Next, click on the link in the "Issuer CN, OU or O" column that corresponds to the issuing CA you're interested in.
>
>> On 01/10/2018 15:26, Doug Beattie via dev-security-policy wrote:
>>> Hi Wayne and all,
>>>
>>> I've been noticing an increasing number of CA errors, https://crt.sh/?cablint=issues Is anyone monitoring this list and asking for misissuance reports for those that are not compliant? There are 15 different errors and around 300 individual errors (excluding the SHA-1 "false" errors). Some CAs are issuing certs to CNs of localhost, are including RFC822 SANs, not including OCSP links and many more.
>>>
>>> - Actalis,
>>> - Digicert,
>>> - Microsoft,
>>> -
>>>
>>> There are also some warning checks that should actually be errors like underscores in CNs or SANs.
>>>
>>> Doug
Re: Increasing number of Errors found in crt.sh
On 01/10/2018 14:38, Adriano Santoni via dev-security-policy wrote:
> Is it possible to filter the list https://crt.sh/?cablint=issues based on the issuing CA ?

Yes.

First, visit this page: https://crt.sh/?cablint=1+week

Next, click on the link in the "Issuer CN, OU or O" column that corresponds to the issuing CA you're interested in.

> On 01/10/2018 15:26, Doug Beattie via dev-security-policy wrote:
>> Hi Wayne and all,
>>
>> I've been noticing an increasing number of CA errors, https://crt.sh/?cablint=issues Is anyone monitoring this list and asking for misissuance reports for those that are not compliant? There are 15 different errors and around 300 individual errors (excluding the SHA-1 "false" errors). Some CAs are issuing certs to CNs of localhost, are including RFC822 SANs, not including OCSP links and many more.
>>
>> - Actalis,
>> - Digicert,
>> - Microsoft,
>> -
>>
>> There are also some warning checks that should actually be errors like underscores in CNs or SANs.
>>
>> Doug

--
Rob Stradling
Senior Research & Development Scientist
Email: r...@comodoca.com
Re: Increasing number of Errors found in crt.sh
Is it possible to filter the list https://crt.sh/?cablint=issues based on the issuing CA ?

On 01/10/2018 15:26, Doug Beattie via dev-security-policy wrote:
> Hi Wayne and all,
>
> I've been noticing an increasing number of CA errors, https://crt.sh/?cablint=issues Is anyone monitoring this list and asking for misissuance reports for those that are not compliant? There are 15 different errors and around 300 individual errors (excluding the SHA-1 "false" errors). Some CAs are issuing certs to CNs of localhost, are including RFC822 SANs, not including OCSP links and many more.
>
> - Actalis,
> - Digicert,
> - Microsoft,
> -
>
> There are also some warning checks that should actually be errors like underscores in CNs or SANs.
>
> Doug
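The four problem classes Doug names in the quoted message above (a CN of localhost, RFC822 SANs in a server certificate, no OCSP link, underscores in a CN or SAN), written out as a small lint pass in Go and run against two constructed self-signed certificates. This is an added example, not code from crt.sh, cablint or any message in the thread; the check ids, the example.test host names and the OCSP URL are assumptions made for the example, and the rule set is a deliberately small subset of what cablint or zlint cover.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Finding is one lint result: a short check id (invented here) and a message.
type Finding struct {
	Check string
	Msg   string
}

// lintLeaf runs four checks, one per problem class named in the thread,
// against a parsed end-entity certificate. Example-only subset of a real linter.
func lintLeaf(c *x509.Certificate) []Finding {
	var out []Finding

	// Reserved host name in the subject CN.
	if strings.EqualFold(c.Subject.CommonName, "localhost") {
		out = append(out, Finding{"cn_localhost", "subject CN is the reserved name localhost"})
	}
	// rfc822Name (email) SANs do not belong in a TLS server certificate.
	if len(c.EmailAddresses) > 0 {
		out = append(out, Finding{"san_rfc822", fmt.Sprintf("%d rfc822Name SAN(s) present", len(c.EmailAddresses))})
	}
	// No OCSP responder URL in the Authority Information Access extension.
	if len(c.OCSPServer) == 0 {
		out = append(out, Finding{"aia_no_ocsp", "no OCSP URL in the AIA extension"})
	}
	// Underscores are not valid in host names: flag them in the CN and dNSName SANs.
	for _, n := range append([]string{c.Subject.CommonName}, c.DNSNames...) {
		if strings.Contains(n, "_") {
			out = append(out, Finding{"name_underscore", "underscore in host name " + n})
		}
	}
	return out
}

// checkIDs reduces findings to their ids, the unit a per-CA summary would count.
func checkIDs(fs []Finding) []string {
	ids := make([]string, 0, len(fs))
	for _, f := range fs {
		ids = append(ids, f.Check)
	}
	return ids
}

// selfSign creates and re-parses a self-signed certificate from a template.
// Constructed sample input: no CA issued these certificates and nothing is logged.
func selfSign(tmpl *x509.Certificate) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func baseTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// buildBadCert exhibits all four problem classes in one certificate.
func buildBadCert() (*x509.Certificate, error) {
	t := baseTemplate("localhost")
	t.DNSNames = []string{"localhost", "my_host.example.test"} // underscore in a dNSName
	t.EmailAddresses = []string{"admin@example.test"}         // rfc822Name SAN
	// t.OCSPServer deliberately left empty: no OCSP URL in AIA.
	return selfSign(t)
}

// buildGoodCert passes all four checks.
func buildGoodCert() (*x509.Certificate, error) {
	t := baseTemplate("www.example.test")
	t.DNSNames = []string{"www.example.test"}
	t.OCSPServer = []string{"http://ocsp.example.test"}
	return selfSign(t)
}

func main() {
	c, err := buildBadCert()
	if err != nil {
		panic(err)
	}
	for _, f := range lintLeaf(c) {
		fmt.Printf("%-16s %s\n", f.Check, f.Msg)
	}
}
```

Run with `go run`; the bad certificate produces four findings and the clean one none. The example reports the underscore case as a finding on the same footing as the others, which is the promotion from warning to error that Doug argues for; a production linter would additionally separate errors from warnings and check far more of RFC 5280 and the Baseline Requirements than these four rules.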