They are no longer issuing from the DigiCert cross. The issue is within their 
PKI, but there should be no additional certificates chained to DigiCert roots.

On Aug 11, 2017, at 8:33 AM, Ben Wilson <ben.wil...@digicert.com> wrote:

Apparently they haven’t yet, but we’ll assume that they will.
Does the community expect a remediation plan for their code and then a 
revocation-and-replacement plan?

Ben Wilson, JD, CISA, CISSP
VP Compliance
+1 801 701 9678

From: Alex Gaynor [mailto:agay...@mozilla.com]
Sent: Friday, August 11, 2017 8:31 AM
To: Ben Wilson <ben.wil...@digicert.com>
Cc: Jeremy Rowley <jeremy.row...@digicert.com>; Jonathan Rudenberg 
<jonat...@titanous.com>; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Certificates with less than 64 bits of entropy

Have they fixed whatever issue there is with their PKI infrastructure that 
leads to this issue? From skimming, I see this pool contains certs issued as 
recently as one month ago.

Alex

On Fri, Aug 11, 2017 at 10:26 AM, Ben Wilson via dev-security-policy 
<dev-security-policy@lists.mozilla.org> wrote:
With regard to Siemens, given the large number of certificates and the 
disruption that massive revocations will have on their infrastructure, what 
does this community expect them to do?

-----Original Message-----
From: dev-security-policy 
[mailto:dev-security-policy-bounces+ben=digicert....@lists.mozilla.org]
On Behalf Of Jeremy Rowley via dev-security-policy
Sent: Thursday, August 10, 2017 12:01 PM
To: Jonathan Rudenberg <jonat...@titanous.com>; 
mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: Certificates with less than 64 bits of entropy

Hi Jonathan,

InfoCert's sub CA was revoked on August 1, 2017. We'll reach out to Siemens. 
They moved to QuoVadis a while ago and are no longer issuing from that Sub CA.

Jeremy

-----Original Message-----
From: dev-security-policy 
[mailto:dev-security-policy-bounces+jeremy.rowley=digicert....@lists.mozilla.org]
On Behalf Of Jonathan Rudenberg via dev-security-policy
Sent: Thursday, August 10, 2017 9:26 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Certificates with less than 64 bits of entropy


> On Aug 10, 2017, at 11:20, Jonathan Rudenberg via dev-security-policy 
> <dev-security-policy@lists.mozilla.org> wrote:
>
> QuoVadis (560)
>    Siemens Issuing CA Internet Server 2016 (560)
>
> D-TRUST (224)
>    D-TRUST SSL Class 3 CA 1 2009 (178)
>    D-TRUST SSL Class 3 CA 1 EV 2009 (45)
>    D-TRUST Root Class 3 CA 2 EV 2009 (1)
>
> DigiCert (85)
>    Siemens Issuing CA Class Internet Server 2013 (82)
>    InfoCert Web Certification Authority (3)
>
> Izenpe S.A. (62)
>    EAEko Herri Administrazioen CA - CA AAPP Vascas (2) (62)
>
> Government of The Netherlands, PKIoverheid (Logius) (55)
>    Digidentity Services CA - G2 (55)
>
> Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) (38)
>    Cihaz Sertifikası Hizmet Sağlayıcı - Sürüm 4 (38)

It looks like my summary missed one QuoVadis intermediate:

Bayerische SSL-CA-2016-01 (3)

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
