Re: Recent Entrust Compliance Incidents

2024-06-07 Thread 'Amir Omidi (aaomidi)' via dev-security-policy@mozilla.org
Can you please explicitly state answers to these following questions - I may have more in the future but these are the immediate ones that come to mind: *Question 1:* *Why did section 2.5.1 of your report ignore: https://bugzilla.mozilla.org/show_bug.cgi?id=1890898

Re: Approval of Taiwan CA's Root Inclusion Request

2024-06-04 Thread 'Amir Omidi (aaomidi)' via dev-security-policy@mozilla.org
TWCA has a couple of incidents open for revocation delays. I think until this CA can show that it can follow its own CP/CPS and BRs, new trust anchors from that CA should not be accepted into the Mozilla Trust Store. Beyond that looking at the document linked here:

Re: Mozilla Root Policy: ECC Curves and Signature Length (Mass Certificate Problem Report)

2024-05-30 Thread 'Amir Omidi (aaomidi)' via dev-security-policy@mozilla.org
What this policy means is that if the signer key is: - P-256: Then the child certificate needs to use SHA-256. - P-384: Then the child certificate needs to use SHA-384. It doesn't say anything about what the signature should be based on the child certificate's key - only the signer's key. For

Re: when do things really need to be revoked? who decides?

2024-05-30 Thread 'Amir Omidi (aaomidi)' via dev-security-policy@mozilla.org
In my experience (and through what I've heard from others), at least in large enterprises, the work for automating cert issuance and replacement is simply *not important*. I've asked a few folks who would be in the place to do that automation work and in nearly all cases they tell me they know

Re: Vulnerability Disclosure - How does it happen?

2024-05-23 Thread 'Amir Omidi (aaomidi)' via dev-security-policy@mozilla.org
Thanks. I guess this question then is aimed at Chunghwa Telecom to let us know if what's been reported has had any impact on their CA systems. On Thursday, May 23, 2024 at 1:07:39 PM UTC-4 Ben Wilson wrote: > Amir, > To answer the last question first, Chunghwa Telecom did not disclose this >

Vulnerability Disclosure - How does it happen?

2024-05-23 Thread 'Amir Omidi (aaomidi)' via dev-security-policy@mozilla.org
Hey folks, I am bringing this up because of: https://www.darkreading.com/cyberattacks-data-breaches/taiwan-telco-breached-data-sold-on-dark-web (I've marked my questions in bold) I'm mainly basing this discussion around: https://wiki.mozilla.org/CA/Vulnerability_Disclosure. I want to

Re: Recent Entrust Compliance Incidents

2024-05-15 Thread 'Amir Omidi (aaomidi)' via dev-security-policy@mozilla.org
I wanted to also add that I'd like Entrust to address why they don't stop certificate issuances when they find out they're misissuing certificates? As part of my series on Entrust. In Part 2

Re: Public Discussion of Acquisition of e-commerce monitoring GmbH by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH

2024-05-07 Thread 'Amir Omidi (aaomidi)' via dev-security-policy@mozilla.org
I just wanted to point out that e-commerce's communication is still very-very delayed: https://bugzilla.mozilla.org/show_bug.cgi?id=1893546#c1, https://bugzilla.mozilla.org/show_bug.cgi?id=1862004#c9 I think e-commerce is getting into the territory where we should really consider if they're a

Re: Public Discussion of Acquisition of e-commerce monitoring GmbH by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH

2024-04-30 Thread 'Amir Omidi (aaomidi)' via dev-security-policy@mozilla.org
Considering this is open: https://bugzilla.mozilla.org/show_bug.cgi?id=1893546 I do think that such a temporary grant does not make sense. e-commerce has so far not shown themselves to be a good steward of public trust. What are the implications of e-commerce being distrusted by Mozilla,

Re: Public Discussion of Acquisition of e-commerce monitoring GmbH by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH

2024-04-26 Thread 'Amir Omidi (aaomidi)' via dev-security-policy@mozilla.org
Did you ever hear from them? On Tuesday, March 5, 2024 at 11:18:13 AM UTC-5 Ben Wilson wrote: > All, > March 1 was the scheduled end of public discussion on this matter. > However, I have one unresolved question that I have presented to the CA > operator and its audit firm regarding ACAB'c

Question about a random certificate I've found on CT

2024-04-21 Thread 'Amir Omidi (aaomidi)' via dev-security-policy@mozilla.org
I came across an interesting certificate today: https://crt.sh/?id=2385087905 According to Censys, this certificate is publicly trusted on one of the major root programs. This certificate has a very long lifetime, and just seems to be *weird* in a lot of ways. Are these types of certificates okay

Re: Retirement Announcement & Thank You!

2024-02-22 Thread 'Amir Omidi (aaomidi)' via dev-security-policy@mozilla.org
Kathleen, your work has truly made the web a better and safer place and has had a profound impact on WebPKI for everyone. The state of WebPKI today cannot even be compared to how it was 16 years ago. Thank you for everything and especially your transformative impact on this space. I hope you

e-commerce monitoring GmbH and at what point does a CA get distrusted

2023-12-18 Thread 'Amir Omidi (aaomidi)' via dev-security-policy@mozilla.org
Hi all, I am hoping to get some root program perspectives on this incident: https://bugzilla.mozilla.org/show_bug.cgi?id=1815534 and the follow-up incident for delayed revocation: https://bugzilla.mozilla.org/show_bug.cgi?id=1862004. This CA has clearly ignored Bugzilla until this incident

Re: Let's Encrypt New Intermediate Certificates

2023-12-06 Thread 'Amir Omidi (aaomidi)' via dev-security-policy@mozilla.org
> Pinning the intermediate, and removing unneeded limbs from the tree is consistent with the Saltzer and Schroeder's principle of least privilege, and it reduces the attack surface. Maybe? But keep in mind that roots are kept offline. As in, these keys are kept in a safe, in a locked room

Re: Private post related to "RCE used by Intermediate CA to issue certificates."

2023-06-10 Thread 'Amir Omidi (aaomidi)' via dev-security-policy@mozilla.org
Emailing in my personal capacity: Xiaohui, can you please confirm that ssl.com was the only actual CA that was used for issuance through HiCA? On Saturday, June 10, 2023 at 2:08:47 PM UTC-4 Kurt Seifried wrote: > Forwarding this to the list, I'm not comfortable with off list discussions > in