Doug,

Responding to your original question, I look at crt.sh and other data sources for certificate errors when reviewing inclusion requests or doing other sorts of investigations. I am not currently reviewing the crt.sh report for misissuance on a regular basis, but maybe I should.

I went through the current list and identified the following problems affecting certificates trusted by Mozilla:

* KIR S.A.: Multiple issues - https://bugzilla.mozilla.org/show_bug.cgi?id=1495497
* Government of Spain FNMT: OU exceeds 64 characters - https://bugzilla.mozilla.org/show_bug.cgi?id=1495507
* Asseco DS (Certum): Unallowed key usage for EC public key - https://bugzilla.mozilla.org/show_bug.cgi?id=1495518
* Certinomis: issued & revoked a precertificate containing a SAN of 'www', didn't report it - https://bugzilla.mozilla.org/show_bug.cgi?id=1495524

- Wayne

On Mon, Oct 1, 2018 at 8:51 AM Rob Stradling via dev-security-policy <[email protected]> wrote:
> Hi Iñigo.
>
> I suspect it's because my script that produces the 1 week summary data [1] isn't using a consistent view of the underlying linting results throughout its processing. Hopefully this [2] will fix it.
>
> 100% errors from that Comodo issuing CA is because it's issuing SHA-1 certs that chain to a no-longer-publicly-trusted root.
>
> [1] https://github.com/crtsh/certwatch_db/blob/master/lint_update_1week_stats.sql
> [2] https://github.com/crtsh/certwatch_db/commit/8ce0c96c9c50bfb51db33c6f44c9c1d1a9f5a96c
>
> On 01/10/2018 15:35, Inigo Barreira wrote:
> > And checking this site, how can Comodo have more certs with errors (15030) than certs issued (15020)?
> >
> > Regards
> >
> > ________________________________________
> > From: dev-security-policy <[email protected]> on behalf of Adriano Santoni via dev-security-policy <[email protected]>
> > Sent: Monday, October 01, 2018 10:09 PM
> > To: Rob Stradling; Doug Beattie
> > Cc: mozilla-dev-security-policy
> > Subject: Re: Increasing number of Errors found in crt.sh
> >
> > I also agree.
> >
> > As I said before, that's a non-trusted certificate. It was issued by a test CA that does /not/ chain to a public root.
> >
> > On 01/10/2018 16:04, Rob Stradling wrote:
> >> On 01/10/2018 15:02, Doug Beattie via dev-security-policy wrote:
> >>> Hi Adriano,
> >>>
> >>> First, I didn't mean to call you out specifically, but you happened to be first alphabetically, sorry. I find this link very helpful to list all CAs with errors or warnings: https://crt.sh/?cablint=1+week
> >>>
> >>> Second, how do you define a "test CA"? I thought that any CA that chains to a public root was by definition not a test CA,
> >>
> >> I agree with that.
> >>
> >>> and since the issued cert was in CT logs, I assumed that your root was publicly trusted. Maybe I'm mistaken on one of these points.
> >>
> >> Actually, some non-publicly-trusted roots are accepted by some of the logs that crt.sh monitors.
> >>
> >>> Doug
> >>>
> >>> -----Original Message-----
> >>> From: dev-security-policy <[email protected]> On Behalf Of Adriano Santoni via dev-security-policy
> >>> Sent: Monday, October 1, 2018 9:49 AM
> >>> To: [email protected]
> >>> Subject: Re: Increasing number of Errors found in crt.sh
> >>>
> >>> Thank you Rob!
> >>>
> >>> If I am not mistaken, it seems to me that we have just 1 certificate in that list, and it's a non-trusted certificate (it was issued by a test CA).
> >>>
> >>> On 01/10/2018 15:43, Rob Stradling via dev-security-policy wrote:
> >>>> On 01/10/2018 14:38, Adriano Santoni via dev-security-policy wrote:
> >>>>> Is it possible to filter the list https://crt.sh/?cablint=issues based on the issuing CA?
> >>>>
> >>>> Yes.
> >>>>
> >>>> First, visit this page: https://crt.sh/?cablint=1+week
> >>>>
> >>>> Next, click on the link in the "Issuer CN, OU or O" column that corresponds to the issuing CA you're interested in.
> >>>>
> >>>>> On 01/10/2018 15:26, Doug Beattie via dev-security-policy wrote:
> >>>>>> Hi Wayne and all,
> >>>>>>
> >>>>>> I've been noticing an increasing number of CA errors, https://crt.sh/?cablint=issues. Is anyone monitoring this list and asking for misissuance reports for those that are not compliant? There are 15 different errors and around 300 individual errors (excluding the SHA-1 "false" errors). Some CAs are issuing certs to CNs of localhost, are including RFC822 SANs, not including OCSP links and many more.
> >>>>>>
> >>>>>> - Actalis,
> >>>>>> - Digicert,
> >>>>>> - Microsoft,
> >>>>>> -
> >>>>>>
> >>>>>> There are also some warning checks that should actually be errors like underscores in CNs or SANs.
> >>>>>>
> >>>>>> Doug
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> Email: [email protected]
> Bradford, UK
> Office: +441274730505
> ComodoCA.com
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
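The thread lists the kinds of findings crt.sh's cablint view surfaces (OU longer than 64 characters, keyEncipherment on an EC key, a CN or SAN of localhost, a SAN of 'www', rfc822Name SANs in a TLS certificate, a missing OCSP URL, underscores in DNS names). The following Go program is an added example written for this page, not code from crt.sh, cablint or any of the CAs named above: it builds a self-signed certificate as constructed test input that exhibits all of those defects, parses it back with the standard library, and runs a small set of lint checks modelled on the cablint findings the thread describes. The finding codes and the `NewDemoCert` / `LintCert` / `HasCode` names are this example's own; the OCSP URL in the clean variant is a placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
	"unicode/utf8"
)

// Finding is one lint hit. Code is a short stable identifier so results can be
// grouped and counted per check, the way crt.sh's cablint view groups issues.
type Finding struct {
	Severity string // "error" or "warning"
	Code     string
	Msg      string
}

// LintCert runs a small subset of cablint-style checks mentioned in the thread.
// It is an illustrative toy written for this page, not cablint or crt.sh code.
func LintCert(cert *x509.Certificate) []Finding {
	var out []Finding
	add := func(sev, code, msg string) { out = append(out, Finding{sev, code, msg}) }

	// RFC 5280 caps organizationalUnitName at 64 characters.
	for _, ou := range cert.Subject.OrganizationalUnit {
		if n := utf8.RuneCountInString(ou); n > 64 {
			add("error", "ou_too_long", fmt.Sprintf("OU is %d characters, max is 64", n))
		}
	}
	// keyEncipherment describes RSA key transport; it is not a valid usage for an EC key.
	if _, isEC := cert.PublicKey.(*ecdsa.PublicKey); isEC && cert.KeyUsage&x509.KeyUsageKeyEncipherment != 0 {
		add("error", "ec_key_usage", "keyEncipherment set on an EC public key")
	}
	serverAuth := false
	for _, eku := range cert.ExtKeyUsage {
		serverAuth = serverAuth || eku == x509.ExtKeyUsageServerAuth
	}
	if serverAuth {
		if len(cert.EmailAddresses) > 0 {
			add("error", "rfc822_san", "TLS server certificate carries rfc822Name SAN(s)")
		}
		if len(cert.OCSPServer) == 0 {
			add("error", "no_ocsp_url", "no OCSP URL in AuthorityInfoAccess")
		}
	}
	// Check the CN together with the dNSName SANs, once per distinct name.
	seen := map[string]bool{}
	for _, name := range append([]string{cert.Subject.CommonName}, cert.DNSNames...) {
		if name == "" || seen[name] {
			continue
		}
		seen[name] = true
		switch {
		case strings.EqualFold(name, "localhost"):
			add("error", "localhost_name", "name is localhost: "+name)
		case !strings.Contains(name, "."):
			add("error", "not_fqdn", "name is not a fully qualified domain name: "+name)
		}
		// cablint reports this as a warning; the thread argues it should be an error.
		if strings.Contains(name, "_") {
			add("warning", "underscore_in_name", "underscore in DNS name: "+name)
		}
	}
	return out
}

// HasCode reports whether a finding with the given code is present.
func HasCode(fs []Finding, code string) bool {
	for _, f := range fs {
		if f.Code == code {
			return true
		}
	}
	return false
}

// NewDemoCert builds a self-signed certificate as constructed test input (not a
// real issued certificate). With defective=true it carries every problem above.
func NewDemoCert(defective bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "www.example.com", OrganizationalUnit: []string{"Engineering"}},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"www.example.com"},
		OCSPServer:   []string{"http://ocsp.example.com"}, // placeholder URL
	}
	if defective {
		tmpl.Subject.CommonName = "localhost"
		tmpl.Subject.OrganizationalUnit = []string{strings.Repeat("X", 70)}
		tmpl.KeyUsage |= x509.KeyUsageKeyEncipherment
		tmpl.DNSNames = []string{"localhost", "www", "foo_bar.example.com"}
		tmpl.EmailAddresses = []string{"someone@example.com"} // constructed
		tmpl.OCSPServer = nil
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := NewDemoCert(true)
	if err != nil {
		panic(err)
	}
	for _, f := range LintCert(cert) {
		fmt.Printf("%-7s %-20s %s\n", f.Severity, f.Code, f.Msg)
	}
}
```

Running it prints one line per finding for the defective certificate; passing `false` to `NewDemoCert` yields a certificate that produces no findings, which is the check worth keeping in a regression test so that the linter itself does not drift.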

