Ouch. Thanks for clarifying.

Alex

On Thu, Aug 3, 2017 at 10:46 AM, Ben Wilson <ben.wil...@digicert.com> wrote:

> There are over 300 publicly visible servers, according to Censys.IO.
>
> *From:* Alex Gaynor [mailto:agay...@mozilla.com]
> *Sent:* Thursday, August 3, 2017 8:42 AM
> *To:* Ben Wilson <ben.wil...@digicert.com>
> *Cc:* Nick Lamb <tialara...@gmail.com>; mozilla-dev-security-policy@lists.mozilla.org
> *Subject:* Re: Certificate with invalid dnsName issued from Baltimore intermediate
>
> If I'm reading this correctly, these certificates are for internal services, not publicly accessible. Could they add their intermediate directly to these trust stores, allowing you to revoke it?
>
> Failing that, it sounds like OneCRL would be an appropriate remedy.
>
> Alex
>
> On Thu, Aug 3, 2017 at 10:38 AM, Ben Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> Nick and Mozilla Community,
>
> Here is the response from Intesa Sanpaolo concerning the disruption that revocation will cause to their banking operations:
>
> Good Evening Ben,
>
> About the problem with the certificate you recently notified us, I confirm you that we have replaced the certificates today, so we have now revoked the wrong one.
>
> Concerning the CA revocation, first of all, I want to underline that for us it would be a major issue: we don't have enough time and resources to replace all the certificates before the end of the year and the revocation of the CA will cause us several critical operating problems with our infrastructural services.
>
> Moreover, I would like to inform you that in order to rationalize our infrastructure and create new synergy between our suppliers, we've planned to move our certificates to an Italian CA outsourcer. We have already started this activity and our intent is to complete the migration before the end of the year, to respect the contract we have settled, with deadline December, 31st 2017.
>
> Therefore I have to kindly recommend you not to revoke the CA, before the end of the contract, because it will cause several problems to the Bank and to our users (customers and colleagues).
>
> We are available to set up a call conference with you to discuss the matter.
> Looking forward to hear from you.
>
> Best regards,
> Riccardo D'Agostini
>
> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-bounces+ben=digicert....@lists.mozilla.org] On Behalf Of Ben Wilson via dev-security-policy
> Sent: Thursday, August 3, 2017 7:33 AM
> To: Nick Lamb <tialara...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org
> Subject: RE: Certificate with invalid dnsName issued from Baltimore intermediate
>
> That would be fine. Also, we have given Intesa Sanpaolo a scheduled revocation date of 15 August 2017, and I'm waiting to hear back.
>
> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-bounces+ben=digicert....@lists.mozilla.org] On Behalf Of Nick Lamb via dev-security-policy
> Sent: Wednesday, August 2, 2017 10:34 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Certificate with invalid dnsName issued from Baltimore intermediate
>
> On Monday, 24 July 2017 17:34:03 UTC+1, Ben Wilson wrote:
> > Nick,
> > We are in discussions with Intesa Sanpaolo about implementing/pursuing OneCRL or a similar approach (e.g. outright revocation of the CAs).
> > Thanks,
> > Ben
>
> Is there any progress on this? To be honest I was more meaning that Mozilla (Gerv?) should just add this subCA to OneCRL and be done with it.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy