On 10/13/09 10:12 AM, Eddy Nigg wrote:
#B is important because we are already a month after the alleged bug
happened, plenty of time to get the act together. I think this warrants
some actions, a review and renewed confirmation of compliance might be a
good thing to do in this case.

These certs were revoked within days of the BlackHat talk. The leaked cert is an old cert; we are not talking about a CA clueless for the past ten weeks. IPSCA mailed us on Aug 3 that they had identified and revoked nine bogus certs and had stopped issuing any certs until they fixed their process to detect these attempts. From the domains involved we pretty much know who bought the certs: Moxie, of course, and two other speakers we know about on the hacker-conference speaking circuit.

What we didn't know is that any of those three were irresponsibly handing out the private keys to the certs.
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security