Hi Nick

We attached an updated version of the affected certificate overview to the bug on February 10, which does contain the date of order and date of issuance.

Thanks
Arvid

> -----Original Message-----
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Nick Lamb via dev-security-policy
> Sent: Thursday 11 February 2021 19:12
> To: dev-security-policy@lists.mozilla.org
> Cc: Ben Wilson <bwil...@mozilla.com>
> Subject: Re: Public Discussion of GlobalSign's CA Inclusion Request for R46, E46, R45 and E45 Roots
>
> On Tue, 9 Feb 2021 14:29:15 -0700
> Ben Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> > All,
> > GlobalSign has provided a very detailed incident report in Bugzilla - see https://bugzilla.mozilla.org/show_bug.cgi?id=1690807#c2.
> > There are a few remaining questions that still need to be answered, so this email is just to keep you aware.
> > Hopefully later this week I'll be able to come back and see if people are satisfied and whether we can proceed with the root inclusion request.
>
> I have a question (if I should write it in Bugzilla instead please say so; it is unclear to me what the correct protocol is).
>
> GlobalSign have provided a list of 112 other certificates which were issued for the same reason. I examined some of them manually and determined that they are in appearance unextraordinary (2048-bit RSA keys for example), and so it's unsurprising we didn't notice they were issued previously.
>
> However, the list does not tell me when these certificates were ordered or, if substantially different, when the email used to "validate" these orders was sent.
>
> As a result it's hard to be sure whether these certificates were issued perhaps only a few weeks after they were ordered, which is a relatively minor oversight, or, like the incident certificate, many years afterwards. I'd like maybe a column of "order date" and "email sent date" if the two can be different.
>
> -
>
> I also have noticed something that definitely isn't (just) for GlobalSign. It seems to me that the current Ten Blessed Methods do not tell issuers to prevent robots from "clicking" email links. We don't need a CAPTCHA; just a "Yes I want this certificate" POST form ought to be enough to defuse typical "anti-virus", "anti-malware" or automated crawling/cache-building robots. Maybe I just missed where the BRs tell you to prevent that, and hopefully even without prompting all issuers using the email-based Blessed Methods have prevented this.
>
> Nick.
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
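As an added illustration of the two points raised in the quoted message (not code from GlobalSign or from any CA): an email-validation link that does nothing on GET, so a link-scanning robot cannot complete the validation, completes only on an explicit POST, and expires relative to when the email was sent, so an order cannot silently turn into issuance years later. The class, the TTL and the reuse window are constructed for this example; the actual windows a CA must respect come from the Baseline Requirements, not from these placeholder values.

```python
import secrets
import time

# Constructed example values, not BR-mandated limits.
LINK_TTL_SECONDS = 30 * 24 * 3600       # how long a mailed link stays usable
REUSE_WINDOW_SECONDS = 398 * 24 * 3600  # how long a completed validation may back an issuance


class EmailValidation:
    """Tracks mailed validation links and completed validations for domains."""

    def __init__(self, ttl=LINK_TTL_SECONDS, now=time.time):
        self.ttl = ttl
        self.now = now                 # injectable clock so the flow is testable
        self.pending = {}              # token -> (domain, email_sent_at)
        self.validated = {}            # domain -> validated_at

    def send_link(self, domain):
        """Mint a single-use token at the moment the validation email is sent."""
        token = secrets.token_urlsafe(32)
        self.pending[token] = (domain, self.now())
        return token

    def handle(self, method, token):
        """Web handler for the mailed link. Returns (http_status, body)."""
        entry = self.pending.get(token)
        if entry is None:
            return 404, "unknown or already-used token"
        domain, sent_at = entry
        if self.now() - sent_at > self.ttl:
            del self.pending[token]    # stale link: force a fresh email, not a late validation
            return 410, "link expired; request a new validation email"
        if method == "GET":
            # Robots and link scanners fetch this; it only renders the form, validating nothing.
            return 200, ('<form method="POST"><button type="submit">'
                         f'Yes, I want this certificate for {domain}</button></form>')
        if method == "POST":
            del self.pending[token]    # single use: the token is consumed here
            self.validated[domain] = self.now()
            return 200, f"{domain} validated"
        return 405, "method not allowed"

    def may_issue(self, domain, reuse_window=REUSE_WINDOW_SECONDS):
        """Issuance check: the validation must exist and still be within its reuse window."""
        validated_at = self.validated.get(domain)
        return validated_at is not None and self.now() - validated_at <= reuse_window
```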