[cabfpub] Misissuance of certificates

Rob Stradling rob.stradling at comodo.com
Mon Jan 18 23:22:40 UTC 2016


Thanks Peter.  Nice tool!

I've added certlint support to https://crt.sh.  Just click the "Run 
cablint" link when viewing a cert.  :-)

On 18/01/16 15:15, Peter Bowen wrote:
> Amazon has released a tool that can help verify if certificates are
> following X.509, PKIX, and CA/B Forum specifications and guidelines.
>   certlint is available from https://github.com/awslabs/certlint
>
> If you try it out and find any issues, please either open an issue in
> GitHub or email me directly.  I hope that certlint is useful.
>
> Thanks,
> Peter
>
>> On Jan 13, 2016, at 7:32 PM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
>>
>> Not all malformations are violations of the BRs but most of them are
>> since 7.1.2.4 requires "All other fields and extensions MUST be set in
>> accordance with RFC 5280."
>>
>> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Eric Mill
>> Sent: Wednesday, January 13, 2016 8:24 PM
>> To: Eneli Kirme
>> Cc: public at cabforum.org
>> Subject: Re: [cabfpub] Misissuance of certificates
>>
>> On Wed, Jan 13, 2016 at 6:14 AM, Eneli Kirme <Eneli.Kirme at sk.ee> wrote:
>>
>>
>>     There’s also been discussion that malformed certificates are in
>>     scope. The problem with these is that not all technical errors
>>     have an impact on security and some of them can go unnoticed for
>>     quite some time and involve large amounts of certificates.
>>
>> Not all malformations of x.509 certificates are violations of the BRs.
>> If a CA is systematically issuing large tranches of certificates in
>> violation of the BRs, that points to a significant potential security
>> gap in the CA's code and/or audits, regardless of whether the
>> particular discovered technical error poses an immediate security
>> threat to users at that moment.
>>
>>     Putting all of them onto the Internet without unified means for
>>     automated querying would lower the value of such reporting.
>>
>> I don't think that's true. Bulk data for expert users to sort out, and
>> to potentially design their own search interface for themselves or the
>> public to use, is of high value.
>> -- Eric
>>
>>     > On 05 Jan 2016, at 17:19, Sigbjørn Vik <sigbjorn at opera.com> wrote:
>>     >
>>     > How about the following:
>>     >
>>     > public at cabforum.org SHALL be informed about the report. If the CA cannot
>>     > post directly, it SHALL inform questions at cabforum.org, and the CA/B
>>     > Forum chair SHALL forward to the list.
>>     >
>>     > On 05-Jan-16 16:10, Dean Coclin wrote:
>>     >> Commenting on this part:
>>     >>
>>     >> "public at cabforum.org <mailto:public at cabforum.org>  SHALL be
>>     informed about the report, if the CA cannot
>>     >> post directly, it SHALL inform the CA/B Forum chair who SHALL
>>     inform the
>>     >> list."
>>     >>
>>     >> If a CA is not a member of the forum, they won't have public
>>     list posting
>>     >> privileges and may not know the email address of the Chair/Vice
>>     Chair (they
>>     >> are not posted on our website). Hence I would suggest they
>>     email the
>>     >> "questions" list
>>     >>
>>     >> Dean
>>     >>
>>     >> -----Original Message-----
>>     >> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
>>     >> Behalf Of Sigbjørn Vik
>>     >> Sent: Friday, December 18, 2015 9:08 AM
>>     >> To: public at cabforum.org
>>     >> Subject: Re: [cabfpub] Misissuance of certificates
>>     >>
>>     >> Hi,
>>     >>
>>     >> The discussion on this topic seems to have died down, I hope that means we
>>     >> can proceed to a ballot. Anyone willing to endorse?
>>     >>
>>     >> The suggested exception for constrained intermediates did not seem to solve
>>     >> the problem it was intended to solve, and nobody spoke up for it, so I have
>>     >> removed it. The text would then be:
>>     >>
>>     >>
>>     >> 2.2.1 Information of incorrect issuance
>>     >>
>>     >> In the event that a CA issues a certificate in violation of these
>>     >> requirements, the CA SHALL publicly disclose a report within one week of
>>     >> becoming aware of the violation.
>>     >>
>>     >> public at cabforum.org SHALL be informed about the report, if the CA cannot
>>     >> post directly, it SHALL inform the CA/B Forum chair who SHALL inform the
>>     >> list.
>>     >>
>>     >> The report SHALL publicize details about what the error was, what caused the
>>     >> error, time of issuance and discovery, and public certificates for all
>>     >> issuer certificates in the trust chain.
>>     >>
>>     >> The report SHALL publicize the full public certificate, with the following
>>     >> exception: For certificates issued prior to 01-Mar-16 the report MAY leave
>>     >> out Subject Distinguished Name fields and subjectAltName extension values.
>>     >>
>>     >> The report SHALL be made available to the CA's Qualified Auditor for the next
>>     >> Audit Report.
>>     >>
>>     >> --
>>     >> Sigbjørn Vik
>>     >> Opera Software
>>     >> _______________________________________________
>>     >> Public mailing list
>>     >> Public at cabforum.org
>>     >> https://cabforum.org/mailman/listinfo/public
>>     >>
>>     >
>>     >
>>     > --
>>     > Sigbjørn Vik
>>     > Opera Software
>>
>>
>>
>> --
>> konklone.com <https://konklone.com/>|@konklone
>> <https://twitter.com/konklone>
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org <mailto:Public at cabforum.org>
>> https://cabforum.org/mailman/listinfo/public
>
>
>
>

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they are 
addressed.  If you have received this email in error please notify the 
sender by replying to the e-mail containing this attachment. Replies to 
this email may be monitored by COMODO for operational or business 
reasons. Whilst every endeavour is taken to ensure that e-mails are free 
from viruses, no liability can be accepted and the recipient is 
requested to use their own virus checking software.
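As an added illustration of the kind of RFC 5280 rule a linter such as certlint enforces when checking the "MUST be set in accordance with RFC 5280" requirement quoted above, here is a constructed Python check of the serialNumber encoding. It is example code written for this page, not certlint's own code, and the sample certificate prefix is a constructed, truncated DER fragment rather than a real certificate.

```python
# Constructed example (not certlint's code): the RFC 5280 4.1.2.2 serialNumber rules
# a certificate linter checks: a positive integer, at most 20 octets, and
# (per X.690 DER) encoded with no redundant leading 0x00 or 0xFF octets.

def lint_serial(content: bytes) -> list:
    """Lint the content octets of a DER INTEGER serialNumber; [] means clean."""
    findings = []
    if not content:
        return ["empty INTEGER content"]
    if len(content) > 1 and content[0] == 0x00 and content[1] < 0x80:
        findings.append("non-minimal DER encoding (redundant leading 0x00)")
    if len(content) > 1 and content[0] == 0xFF and content[1] >= 0x80:
        findings.append("non-minimal DER encoding (redundant leading 0xFF)")
    if content[0] & 0x80:
        findings.append("negative serial number")
    elif int.from_bytes(content, "big") == 0:
        findings.append("serial number is zero")
    if len(content) > 20:  # the 20-octet limit counts a leading 0x00 sign pad
        findings.append("serial number longer than 20 octets")
    return findings

def read_tlv(buf: bytes, pos: int):
    """Parse the DER TLV at buf[pos]; return (tag, content_start, content_end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length: low bits give the number of length octets
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, pos, pos + length

def serial_from_cert(der: bytes) -> bytes:
    """Walk Certificate -> tbsCertificate -> optional [0] version -> serialNumber."""
    _, tbs, _ = read_tlv(der, 0)
    _, pos, _ = read_tlv(der, tbs)
    tag, start, end = read_tlv(der, pos)
    if tag == 0xA0:  # EXPLICIT [0] version precedes the serial when present
        tag, start, end = read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return der[start:end]

def lint_cert_serial(der: bytes) -> list:
    return lint_serial(serial_from_cert(der))

# Constructed, truncated Certificate prefix (not a real certificate): v3, with the
# serial 0x0100 mis-encoded as 00 01 00, i.e. a redundant leading zero octet.
SAMPLE_PREFIX = bytes.fromhex("300c300aa0030201020203000100")
```

Running `lint_cert_serial(SAMPLE_PREFIX)` reports the non-minimal encoding; a clean serial returns an empty list.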


