On Wed, Nov 20, 2019 at 10:54 PM Peter Gutmann <pgut...@cs.auckland.ac.nz>
wrote:

> Ryan Sleevi <r...@sleevi.com> writes:
>
> >Do you believe it’s still applicable in the Web PKI of the past decade?
>
> Yes, the specific cert I referenced is currently valid and passed WebTrust
> and EV audits.
>

"Passed" is... a bit misleading as to the (limited) assurance WebTrust (and
audits in general) provide, or more aptly, misleading as to how they work :)

But I agree, this is concerning.


> >If you could link to the crt.sh entry, that might be easier.
>
> Here's the Microsoft one I mentioned:
>
>   Microsoft RSA Root Certificate Authority 2017
>
>   https://crt.sh/?id=988218851&opt=x509lint,zlint,cablint


Excellent! Thanks


> There are numerous others.  This particular one isn't just a CA cert, it's
> a root cert.
>
> >It could be that you’re referencing the use of BMPString
>
> I'm just quoting X509lint:
>
>    ERROR: URL contains a null character
>
> Given that this was exposed as a major security hole ten years ago, I was
> surprised when someone notified me that these things exist, and that no-one
> seems to have done anything about it.
>

I don't think the hyperbole helps here. You can see from the long list of
incidents at https://wiki.mozilla.org/CA/Incident_Dashboard that we take
incidents seriously as they're brought to attention, and have spent
considerable effort in making sure that anyone finding anything odd has a
clear path to reporting and a clear path to trying to resolve these issues
systematically. You can also see linters appropriately warning about this -
and the expectation for CAs to be monitoring such certificates for errors.

As to the incident, I'm showing this root only trusted by Microsoft at
present - https://crt.sh/?caid=108560&opt=x509lint,zlint,cablint
https://bugzilla.mozilla.org/show_bug.cgi?id=1582254 has not yet included
them in the Mozilla store, so you should feel free to add comments there.

I don't think there's anything to conclude "nothing is being done about
it", but you can also see, from the original message and the discussion on
the bug, that no, we did not talk about this topic. It's probably better to
start a new thread if you'd like to talk about it further.
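The x509lint error quoted in this thread ("URL contains a null character") boils down to a check over the contents of DER string values. As an added example (not x509lint's, crt.sh's, or any CA's code), here is a minimal pure-Python DER walker that flags IA5String and GeneralName URI values containing a NUL byte; it is run over a constructed CRLDistributionPoints-style sample, and the URL in that sample is made up.

```python
from typing import List, Tuple

IA5STRING = 0x16        # universal IA5String
GENERALNAME_URI = 0x86  # GeneralName [6] uniformResourceIdentifier (IMPLICIT IA5String)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bool, bytes, int]:
    """Decode one DER TLV at pos; return (tag, constructed?, value, next_pos)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not handled in this example")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, bool(tag & 0x20), buf[pos:end], end


def find_nul_strings(der: bytes, path: str = "") -> List[str]:
    """Walk every constructed element; report tag paths of strings holding 0x00."""
    findings: List[str] = []
    pos = 0
    while pos < len(der):
        tag, constructed, value, pos = _read_tlv(der, pos)
        here = f"{path}/{tag:02x}"
        if constructed:
            findings.extend(find_nul_strings(value, here))
        elif tag in (IA5STRING, GENERALNAME_URI) and b"\x00" in value:
            findings.append(here)
    return findings


def _wrap(tag: int, body: bytes) -> bytes:
    """Short-form DER wrapper for the constructed samples below (< 128 bytes)."""
    return bytes([tag, len(body)]) + body


# Constructed sample (not a real certificate): a CRLDistributionPoints value,
# SEQUENCE { SEQUENCE { [0] { [0] fullName { [6] URI } } } }, URI ending in NUL.
BAD_URI = b"http://crl.example/a.crl\x00"
SAMPLE_BAD = _wrap(0x30, _wrap(0x30, _wrap(0xA0, _wrap(0xA0, _wrap(0x86, BAD_URI)))))
SAMPLE_OK = _wrap(0x30, _wrap(0x30, _wrap(0xA0, _wrap(0xA0, _wrap(0x86, BAD_URI[:-1])))))
```

`find_nul_strings(SAMPLE_BAD)` returns the tag path of the offending URI, while the same structure without the trailing NUL returns an empty list.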
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
