On Wednesday, 1 June 2016 04:35:44 UTC+1, Peter Gutmann wrote:

> Was it made public? All I've been able to find are two Bugzilla entries for
> the revocation:

I deliberately wrote that it was "first public" without attributing that to any entity. The Disney intermediate was added to the CT logs in August 2015, most likely because a Google crawler ran into a public certificate it had issued while pootling around the undergrowth of the web. But it's not inconceivable that Entrust (the root CA) or Disney decided to publish it; I don't think the logs permanently record who added a record, nor should they.

The CT logs are public both by intention and in fact, and although I'm grateful for the existence of crt.sh, doubtless other monitors would exist if it didn't. While the primary stated purpose for the monitors is to let name owners watch out for certificates that shouldn't have been issued (and Facebook already reports this worked out as intended for them), there's no doubt that having ordinary citizens, and among them a Free Press, poking around in the monitors is desirable too. Transparency is worth nothing if nobody is looking.

> Peter (resisting the temptation to make a comment about Mickey-Mouse
> security).

As is usual for these subCAs, the "Mickey Mouse" element tends not to be about the security per se, but the poor quality of issuance, which imposes risks on the ecosystem. Even before it was revoked, Disney's CA managed to issue for:

wm-flor-ap689wdwdisneycom

After a couple more attempts, the operators managed to spit themselves out a certificate for the name they'd actually wanted, wm-flor-ap689wdw.disney.com, at last. But what sort of clumsy "oversight" permitted this to happen in the first place? I'm guessing Entrust would tell us they revoked wm-flor-ap689wdwdisneycom, or that anyway it was issued prior to the BRs strictly forbidding such nonsense, so it wasn't "technically" a miss. But it's still hard to stomach, isn't it?

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
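As an added illustration, not part of this thread or of any CA's or monitor's code, here is the kind of sanity check a CT monitor could run over the dNSName entries of a newly logged certificate, flagging names that, like the dotless one discussed above, cannot be a public FQDN, as well as malformed labels, misplaced wildcards and names outside the monitored domain. The sample SAN list and the monitored domain are constructed for the example.

```python
import re

# Constructed sample of dNSName SAN entries, as a CT monitor might surface them
# for a watched domain (hypothetical data, not taken from any real log entry).
SAMPLE_SANS = [
    "wm-flor-ap689wdwdisneycom",    # the dotless name discussed in the thread
    "wm-flor-ap689wdw.disney.com",  # the name the operators actually wanted
    "*.disney.com",                 # ordinary wildcard, acceptable
    "*.*.disney.com",               # wildcard in a non-leftmost label
    "intranet",                     # bare internal hostname, not a public name
    "-bad.disney.com",              # label starting with a hyphen
    "disney.com.evil.example",      # looks related but is outside the domain
]

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def check_san(name: str, monitored_domain: str) -> str:
    """Return "ok" or a short reason why a monitor should flag this dNSName."""
    name = name.rstrip(".").lower()
    monitored = monitored_domain.rstrip(".").lower()
    if "." not in name:
        return "not-fqdn"            # no dot at all: cannot be a public FQDN
    if len(name) > 253:
        return "too-long"
    labels = name.split(".")
    if labels[0] == "*":
        labels = labels[1:]          # a single leftmost wildcard label is allowed
    for label in labels:
        if label == "*":
            return "bad-wildcard"    # wildcard anywhere else is not acceptable
        if not LABEL_RE.match(label):
            return "bad-label"
    if name != monitored and not name.endswith("." + monitored):
        return "outside-domain"      # not under the name space being monitored
    return "ok"


def triage(sans, monitored_domain):
    """Map each SAN to its verdict; anything that is not "ok" needs a human look."""
    return {san: check_san(san, monitored_domain) for san in sans}


if __name__ == "__main__":
    for san, verdict in triage(SAMPLE_SANS, "disney.com").items():
        print(f"{verdict:15} {san}")
```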

