Re: Unknown Intermediates

2017-06-29 Thread Ryan Sleevi via dev-security-policy
On Thu, Jun 29, 2017 at 3:56 PM, Bruce via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> I'm trying to understand this posting. I think the CAs have an obligation to disclose all Intermediate certificates to the CCADB. I don't think that the CAs have an obligation to

Re: Unknown Intermediates

2017-06-29 Thread Bruce via dev-security-policy
On Friday, June 16, 2017 at 1:05:37 AM UTC-4, Tavis Ormandy wrote:
> Hello, I was crawling the pkcs7 blobs in public pdf files and found some intermediate certificates that don't appear in crt.sh.
>
> I forwarded them to Rob, I don't know if this is useful to anyone else, but they're

Re: Unknown Intermediates

2017-06-23 Thread Rob Stradling via dev-security-policy
On 23/06/17 14:49, Peter Bowen via dev-security-policy wrote: On Fri, Jun 23, 2017 at 6:17 AM, Rob Stradling via dev-security-policy wrote: On 23/06/17 14:10, Kurt Roeckx via dev-security-policy wrote: On 2017-06-23 14:59, Rob Stradling wrote:

Re: Unknown Intermediates

2017-06-23 Thread Jakob Bohm via dev-security-policy
On 23/06/2017 14:59, Rob Stradling wrote: On 22/06/17 10:51, Rob Stradling via dev-security-policy wrote: On 19/06/17 20:41, Tavis Ormandy via dev-security-policy wrote: Is this useful? if not, what key usage is interesting? https://lock.cmpxchg8b.com/ServerOrAny.zip Thanks for this,

Re: Unknown Intermediates

2017-06-23 Thread Peter Bowen via dev-security-policy
On Fri, Jun 23, 2017 at 6:17 AM, Rob Stradling via dev-security-policy wrote:
> On 23/06/17 14:10, Kurt Roeckx via dev-security-policy wrote:
>> On 2017-06-23 14:59, Rob Stradling wrote:
>>> Reasons:
>>> - Some are only trusted by the old Adobe CDS

Re: Unknown Intermediates

2017-06-23 Thread Rob Stradling via dev-security-policy
On 23/06/17 14:10, Kurt Roeckx via dev-security-policy wrote: On 2017-06-23 14:59, Rob Stradling wrote: Reasons: - Some are only trusted by the old Adobe CDS program. - Some are only trusted for Microsoft Kernel Mode Code Signing. - Some are very old roots that are no longer trusted.

Re: Unknown Intermediates

2017-06-23 Thread Kurt Roeckx via dev-security-policy
On 2017-06-23 14:59, Rob Stradling wrote: Reasons: - Some are only trusted by the old Adobe CDS program. - Some are only trusted for Microsoft Kernel Mode Code Signing. - Some are very old roots that are no longer trusted. I wonder if Google's daedalus would like to see some of those.

Re: Unknown Intermediates

2017-06-23 Thread Rob Stradling via dev-security-policy
On 22/06/17 10:51, Rob Stradling via dev-security-policy wrote: On 19/06/17 20:41, Tavis Ormandy via dev-security-policy wrote: Is this useful? if not, what key usage is interesting? https://lock.cmpxchg8b.com/ServerOrAny.zip Thanks for this, Tavis. I pointed my certscraper

Re: Unknown Intermediates

2017-06-22 Thread Alex Gaynor via dev-security-policy
I definitely consider increased visibility into the vast iceberg that is the public PKI to be a good thing! What set of intermediates are you using? If it's reasonably complete, I doubt we'll do any better than you, though maybe someone here has a particularly clever technique for processing

Re: Unknown Intermediates

2017-06-22 Thread Tavis Ormandy via dev-security-policy
I think you're right, it was probably me submitting my corpus - I hope that's a good thing! :-) I only submitted the ones I could verify, would you be interested in the others? Many are clearly not interesting, but others seem like they may be interesting if I had an intermediate I haven't seen.

Re: Unknown Intermediates

2017-06-22 Thread Alex Gaynor via dev-security-policy
One of my hobbies is keeping track of publicly trusted (by any of the major root programs) CAs, for which there are no logged certificates. There's over 1000 of these. In the last day, presumably as a result of these efforts, 50-100 CAs were removed from the list. Cheers, Alex On Thu, Jun 22,

Re: Unknown Intermediates

2017-06-22 Thread Rob Stradling via dev-security-policy
On 19/06/17 20:41, Tavis Ormandy via dev-security-policy wrote: Thanks Alex, I took a look, it looks like the check pings crt.sh - is doing that for a large number of certificates acceptable Rob? Hi Tavis. Yes, Alex's tool uses https://crt.sh/gen-add-chain to find a suitable cert chain and

Re: Unknown Intermediates

2017-06-21 Thread Tavis Ormandy via dev-security-policy
FYI, I'm submitting these right now, it seems to be working, here's an example https://crt.sh/?q=1eb6ec6e6c45663f3bb1b2f140961bbf3352fc8741ef835146d3a8a2616ee28f
Tavis.
On Mon, Jun 19, 2017 at 12:56 PM, Tavis Ormandy wrote:
> I noticed there's an apparently valid

Re: Unknown Intermediates

2017-06-19 Thread Daniel Cater via dev-security-policy
On Monday, 19 June 2017 20:57:28 UTC+1, Tavis Ormandy wrote:
> I noticed there's an apparently valid facebook.com certificate in there (61b1526f9d75775c3d533382f36527c9.pem). This is surprising to me, that seems like it would be in CT already - so maybe I don't know what I'm doing.
>
> Let

Re: Unknown Intermediates

2017-06-19 Thread Tavis Ormandy via dev-security-policy
I noticed there's an apparently valid facebook.com certificate in there (61b1526f9d75775c3d533382f36527c9.pem). This is surprising to me, that seems like it would be in CT already - so maybe I don't know what I'm doing. Let me know if I've misunderstood something. Tavis. On Mon, Jun 19, 2017 at

Re: Unknown Intermediates

2017-06-19 Thread Tavis Ormandy via dev-security-policy
Thanks Alex, I took a look, it looks like the check pings crt.sh - is doing that for a large number of certificates acceptable Rob? I made a smaller set, the certificates that have 'SSL server: Yes' or 'Any Purpose : Yes', there were only a few thousand that verified, so I just checked those and

Re: Unknown Intermediates

2017-06-19 Thread Alex Gaynor via dev-security-policy
If you're interested in playing around with submitting them yourself, or checking if they're already submitted, I've got some random tools for working with CT: https://github.com/alex/ct-tools Specifically ct-tools check will get what you want. It's all serial, so for

Re: Unknown Intermediates

2017-06-16 Thread Andrew Ayer via dev-security-policy
On Fri, 16 Jun 2017 10:29:45 -0700 Tavis Ormandy via dev-security-policy wrote:
> On Fri, Jun 16, 2017 at 2:00 AM, Rob Stradling wrote:
>> On 16/06/17 06:05, Tavis Ormandy via dev-security-policy wrote:
>>> Hello, I was

Re: Unknown Intermediates

2017-06-16 Thread Tavis Ormandy via dev-security-policy
On Fri, Jun 16, 2017 at 2:00 AM, Rob Stradling wrote:
> On 16/06/17 06:05, Tavis Ormandy via dev-security-policy wrote:
>> Hello, I was crawling the pkcs7 blobs in public pdf files and found some intermediate certificates that don't appear in crt.sh.
>>
>> I

Re: Unknown Intermediates

2017-06-16 Thread Jonathan Rudenberg via dev-security-policy
> On Jun 16, 2017, at 05:00, Rob Stradling via dev-security-policy wrote:
>
> On 16/06/17 06:05, Tavis Ormandy via dev-security-policy wrote:
>> Hello, I was crawling the pkcs7 blobs in public pdf files and found some intermediate certificates that

Re: Unknown Intermediates

2017-06-16 Thread Rob Stradling via dev-security-policy
On 16/06/17 06:05, Tavis Ormandy via dev-security-policy wrote: Hello, I was crawling the pkcs7 blobs in public pdf files and found some intermediate certificates that don't appear in crt.sh. I forwarded them to Rob, I don't know if this is useful to anyone else, but they're available here.