>
> I believe the list was merely a crt.sh query of all unexpired certificates
> with a dNSName ending in "in-addr.arpa":
> https://crt.sh/?dNSName=%25.in-addr.arpa=expired
Any list for this general issue should also consider unexpired certificates
with a dNSName ending in "ip6.arpa" to cover
> Note that this is applicable for signatureAlgorithms as well (and the same
> section of the RFC), and this is again something cablint picks up and zlint
> misses. However, it seems CAs happened to already have revoked these
> certificates - perhaps from internal linting efforts that looked at
>
>
> Of the 8 unrevoked, they're all issued by a single CA - GlobalSign - and
> are all RSA keys that lack the explicit NULL parameter, and thus violate
> the requirements of https://tools.ietf.org/html/rfc3279#section-2.3.1
> These are flagged by cablint (but not zlint), so that is an
3 matches
Mail list logo