Re: Francisco Partners acquires Comodo certificate authority business

2017-11-09 Thread Peter Bachman via dev-security-policy
On Tuesday, October 31, 2017 at 9:22:09 AM UTC-4, Kyle Hamilton wrote:
> http://www.eweek.com/security/francisco-partners-acquires-comodo-s-certificate-authority-business

I did a little spot check. So yes, they hired a person who was involved with 
Entrust, so that is a plus. The website says it is an IP carve-out. OK. Does 
this translate into knowledge so a consumer can make a rational trust decision?

I looked at their most recent CPS while shopping for a client email certificate.

3.2.7.1. Personal Secure Email Certificate

The only identifying information in the subject DN is the email address of the 
Subscriber. Comodo validates the right for the Applicant to use the submitted 
email address. This is achieved through the delivery via a challenge and 
response made to the email address submitted during the Certificate application.

Comodo validates that the Applicant holds the private key corresponding with a 
public key to be included in the Certificate by utilizing an online enrollment 
process whereby Comodo facilitates the Subscriber generating its key pair using 
a specially crafted web page. The key pair is generated in the Subscriber’s 
computer. The private key is not exported or transferred from the Subscriber’s 
computer as part of the application process.

This was previously "Free" and now is billed at $12, but no matter. I clicked 
on the chat window and spoke to a technical support rep. I asked what NIST 
Level of Assurance the S/MIME certificate was; after about 10 minutes I got the 
answer, which was LOA 3.

So as a consumer I was just told I could get a NIST LOA 3 S/MIME client and 
signing certificate for $12, that according to the website also would be 
trusted by Mozilla, etc. Of course I know that's not possible, and we can't 
always expect random support people to give the right answer. So what is the 
value add here from Francisco Partners, other than the previously "Free" 
certificate is now $12 and claimed to be at LOA 3?
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
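The CPS excerpt quoted above describes two checks: control of the email address is proven by a challenge sent to that address, and possession of the private key is proven by generating the key pair on the Subscriber's own machine. As an added illustration (not Comodo's code, and not from the original post), the following Python sketches the challenge-and-response half with the properties a reviewer would look for: the token is unguessable, only its hash is stored server-side, it expires, and it is consumed on first successful use. The function names, the in-memory store and the 30-minute lifetime are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Added example of an email challenge-and-response step; names, store and
# lifetime are assumptions, not a real CA's implementation.

TOKEN_LIFETIME_SECONDS = 30 * 60

# Pending challenges keyed by normalized email address. Only a SHA-256 digest
# of the token is kept, so a copy of this store does not yield usable tokens.
_pending = {}


def _key(email: str) -> str:
    return email.strip().casefold()


def issue_challenge(email: str, now: Optional[float] = None) -> str:
    """Create a fresh challenge for `email`; the returned token is what gets mailed."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG
    _pending[_key(email)] = {
        "digest": hashlib.sha256(token.encode()).hexdigest(),
        "expires": now + TOKEN_LIFETIME_SECONDS,
    }
    return token


def verify_response(email: str, token: str, now: Optional[float] = None) -> bool:
    """Validate a response. Challenges expire and are single-use."""
    now = time.time() if now is None else now
    entry = _pending.get(_key(email))
    if entry is None:
        return False
    if now > entry["expires"]:
        # Expired challenges are discarded; the applicant must start over.
        _pending.pop(_key(email), None)
        return False
    digest = hashlib.sha256(token.encode()).hexdigest()
    # Constant-time comparison so a wrong guess leaks no timing information.
    if not hmac.compare_digest(digest, entry["digest"]):
        return False
    # Success consumes the challenge so the same token cannot be replayed.
    _pending.pop(_key(email), None)
    return True


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock.
    t = issue_challenge("applicant@example.com", now=1000.0)
    print(verify_response("applicant@example.com", "not-the-token", now=1001.0))  # False
    print(verify_response("Applicant@example.com", t, now=1001.0))                # True
    print(verify_response("applicant@example.com", t, now=1002.0))                # False (used)
```

A wrong guess does not consume the challenge, but a production system would also rate-limit attempts per address; the expiry and single-use rules are what keep a leaked or forwarded challenge email from being usable later.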


Re: Acquisition policy (was: Francisco Partners acquires Comodo certificate authority business)

2017-11-09 Thread Peter Kurrasch via dev-security-policy
There's always a risk that a CA owner will create a security nightmare when we aren't looking, probationary period or not. In theory regular audits help to prevent it, but even in cases where they don't, people are free to raise concerns as they come up. I think we've had examples of exactly that in both StartCom and Symantec.

Perhaps one way to think of it is: Do we have reason to believe that the acquiring organization, leadership, etc. will probably make good decisions in the furtherance of public trust on the Internet? For a company that is a complete unknown, I would say that no evidence exists and therefore a public review prior to the acquisition is appropriate. If we do have sufficient evidence, perhaps it's OK to let the acquisition go through and have a public discussion afterwards.

The Francisco Partners situation is more complicated, however. Francisco Partners itself does not strike me as the sort of company that should own a CA, but only because they are investors and not a public trust firm of some sort. That said, they are smart enough to bring in a leadership team that does have knowledge and experience in this space. Unfortunately, though, they are also bringing in a Deep Packet Inspection business which is antithetical to public trust. So what is one to conclude?

The reporting that I've seen seems to indicate that Francisco Partners will not (will never?) combine PKI and DPI into a single business operation. They have to know that doing so would be ruinous to their CA investment. If we assume they know that and if we are willing to take them at their word, I suppose it's reasonable to "allow" the transfer as it relates to Mozilla policy. If we should learn later on that that trust was misplaced, I'm sure we will discuss it and take appropriate action at that time.

From: westmail24--- via dev-security-policy
Sent: Wednesday, November 8, 2017 7:50 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Reply To: westmai...@gmail.com
Subject: Acquisition policy (was: Francisco Partners acquires Comodo certificate authority business)

> Hello Peter,
> But what prevents Francisco Partners from making a security nightmare after the probationary period? This is logical, I think.
> Regards,
> Andrew


Re: Discrepancy in Included CAs and Included CA Certificates List

2017-11-09 Thread Kathleen Wilson via dev-security-policy

On 11/9/17 5:58 AM, cbonn...@trustwave.com wrote:

> Hello all,
> I was cross-referencing data contained in the "Included CAs" spreadsheet 
> (https://wiki.mozilla.org/CA/Included_CAs) and the "Included CA Certificates" spreadsheet 
> (https://wiki.mozilla.org/CA/Included_Certificates) and discovered that CNNIC is listed in the "Included CAs" 
> spreadsheet but has no roots listed in the "Included CA Certificates" spreadsheet. It appears that CNNIC is 
> the only CA that does not appear in both spreadsheets. Is this discrepancy intentional?
>
> Thanks,
> Corey Bonnell

Thanks for checking, and for reporting this. It has been fixed.

Thanks!
Kathleen



Discrepancy in Included CAs and Included CA Certificates List

2017-11-09 Thread cbonnell--- via dev-security-policy
Hello all,
I was cross-referencing data contained in the "Included CAs" spreadsheet 
(https://wiki.mozilla.org/CA/Included_CAs) and the "Included CA Certificates" 
spreadsheet (https://wiki.mozilla.org/CA/Included_Certificates) and discovered 
that CNNIC is listed in the "Included CAs" spreadsheet but has no roots listed 
in the "Included CA Certificates" spreadsheet. It appears that CNNIC is the 
only CA that does not appear in both spreadsheets. Is this discrepancy 
intentional?

Thanks,
Corey Bonnell
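The check Corey describes, cross-referencing the list of included CA owners against the list of included root certificates, is easy to automate against CSV exports of the two lists so that an owner with no roots (or a root whose owner is not on the owners list) is caught before anyone has to eyeball two spreadsheets. The following Python is an added example, not part of the thread or of Mozilla's own tooling. The column headers ("Owner", "Certificate Name") and the sample rows are constructed for the example; it also normalizes owner names so that stray whitespace or case differences between the two exports do not show up as false discrepancies.

```python
import csv
import io
from collections import Counter

# Constructed sample exports. Headers are assumptions for this example, not
# the real report layout. "Example Root CA Gamma" is the deliberately planted
# discrepancy: listed as an owner, but with no root certificate rows.
OWNERS_CSV = """Owner
Example Root CA Alpha
Example Root CA Beta
Example Root CA Gamma
"""

CERTS_CSV = """Owner,Certificate Name
Example Root CA Alpha,Alpha Root R1
Example Root CA Alpha,Alpha Root R2
example root ca beta ,Beta Root G3
"""


def _norm(name: str) -> str:
    """Collapse whitespace and case so cosmetic differences don't mismatch."""
    return " ".join(name.split()).casefold()


def reconcile(owners_csv: str, certs_csv: str) -> dict:
    """Compare the owners list with the certificates list.

    Returns owners that have no roots, root owners missing from the owners
    list, and a per-owner root count (keyed by the owners-list spelling).
    """
    owners = {}                      # normalized -> display name
    for row in csv.DictReader(io.StringIO(owners_csv)):
        owners[_norm(row["Owner"])] = row["Owner"].strip()

    root_counts = Counter()          # normalized owner -> number of roots
    cert_display = {}                # normalized -> spelling seen in certs list
    for row in csv.DictReader(io.StringIO(certs_csv)):
        key = _norm(row["Owner"])
        root_counts[key] += 1
        cert_display.setdefault(key, row["Owner"].strip())

    owners_without_roots = sorted(owners[k] for k in owners if k not in root_counts)
    cert_owners_not_listed = sorted(cert_display[k] for k in root_counts if k not in owners)
    counts = {owners.get(k, cert_display[k]): n for k, n in root_counts.items()}
    return {
        "owners_without_roots": owners_without_roots,
        "cert_owners_not_listed": cert_owners_not_listed,
        "root_counts": counts,
    }


if __name__ == "__main__":
    report = reconcile(OWNERS_CSV, CERTS_CSV)
    for owner in report["owners_without_roots"]:
        print(f"listed owner with no roots: {owner}")
    for owner in report["cert_owners_not_listed"]:
        print(f"root owner missing from owners list: {owner}")
```

Both directions matter: an owner with no roots is the case in this thread, while a root whose owner is absent from the owners list would mean a trust anchor with no accountable organization behind it on the published list.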


Re: Incident report - ROCA fingerprints in certificates issued by Comodo CA (was Re: RSA key generation vulnerability in Infineon firmware)

2017-11-09 Thread Rob Stradling via dev-security-policy

On 09/11/17 13:09, Rob Stradling via dev-security-policy wrote:

> On 06/11/17 22:26, Rob Stradling via dev-security-policy wrote:
>
>> On Monday 6th November, we scanned the certificates that we'd issued 
>> between 20th October and 5th November.  8 further server 
>> authentication certificates were found, all for subdomains of the same 
>> registered domain.  We will get these revoked and then post the details.
>
> The 8 further certs have been revoked and submitted to some CT logs. 
> They're all related to the same registered domain (kindermorgan.com). 
> There's yet another SCADA reference ("OU=IT SCADA").
>
> https://crt.id/?id=250561714
> https://crt.id/?id=250561721
> https://crt.id/?id=250561722
> https://crt.id/?id=250561723
> https://crt.id/?id=250561724
> https://crt.id/?id=250561725
> https://crt.id/?id=250561728
> https://crt.id/?id=250561731


Sorry for the URL construction fail.  The correct URLs are:

https://crt.sh/?id=250561714
https://crt.sh/?id=250561721
https://crt.sh/?id=250561722
https://crt.sh/?id=250561723
https://crt.sh/?id=250561724
https://crt.sh/?id=250561725
https://crt.sh/?id=250561728
https://crt.sh/?id=250561731

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online


Re: Incident report - ROCA fingerprints in certificates issued by Comodo CA (was Re: RSA key generation vulnerability in Infineon firmware)

2017-11-09 Thread Rob Stradling via dev-security-policy

On 06/11/17 22:26, Rob Stradling via dev-security-policy wrote:

> On Monday 6th November, we scanned the certificates that we'd issued 
> between 20th October and 5th November.  8 further server authentication 
> certificates were found, all for subdomains of the same registered 
> domain.  We will get these revoked and then post the details.

The 8 further certs have been revoked and submitted to some CT logs. 
They're all related to the same registered domain (kindermorgan.com). 
There's yet another SCADA reference ("OU=IT SCADA").

https://crt.id/?id=250561714
https://crt.id/?id=250561721
https://crt.id/?id=250561722
https://crt.id/?id=250561723
https://crt.id/?id=250561724
https://crt.id/?id=250561725
https://crt.id/?id=250561728
https://crt.id/?id=250561731

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
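Both of Rob's messages refer to scanning issued certificates for the ROCA fingerprint. The following Python is an added example of that test, written from the published description of the fingerprint (the RSA modulus, reduced modulo each small prime up to 167, must fall in the multiplicative subgroup generated by the public exponent 65537, because affected Infineon keys are built from powers of 65537 modulo a primorial). It is not Comodo's scanning code. It takes the modulus as an integer; pulling the modulus out of a certificate is left to whatever X.509 parser is in use. The "synthetic" modulus below is constructed to reproduce the residue pattern only and is not a real key; the fingerprint is a detection aid for CAs and auditors and says nothing about recovering a key.

```python
from functools import lru_cache

# Added example: ROCA fingerprint check over RSA moduli. Detection only.

# Small primes used by the published fingerprint (all primes from 3 to 167).
PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67,
          71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139,
          149, 151, 157, 163, 167]
GENERATOR = 65537


@lru_cache(maxsize=None)
def _allowed_residues(p: int) -> frozenset:
    """Residues r (mod p) with r == 65537**k (mod p) for some k, i.e. the
    cyclic subgroup generated by 65537. Computed by walking the cycle."""
    seen = set()
    r = 1
    while r not in seen:
        seen.add(r)
        r = (r * GENERATOR) % p
    return frozenset(seen)


def roca_fingerprint(n: int) -> bool:
    """True if modulus n matches the ROCA structure for every small prime.
    A normally generated modulus fails for at least one prime with
    overwhelming probability, so a match is a strong signal."""
    return all(n % p in _allowed_residues(p) for p in PRIMES)


def scan_moduli(moduli) -> list:
    """Return the indices of moduli that carry the fingerprint."""
    return [i for i, n in enumerate(moduli) if roca_fingerprint(n)]


# --- constructed test data -------------------------------------------------
# A modulus with the vulnerable residue structure: both factors are congruent
# to a power of 65537 modulo M = product(PRIMES). The factors are not prime;
# this reproduces only the pattern the fingerprint keys on, not a real key.
_M = 1
for _p in PRIMES:
    _M *= _p
SYNTHETIC_ROCA_MODULUS = (pow(GENERATOR, 7, _M) + 3 * _M) * (pow(GENERATOR, 11, _M) + 5 * _M)

# An arbitrary large odd integer standing in for an ordinary modulus.
ORDINARY_MODULUS = (1 << 2047) + 1


if __name__ == "__main__":
    # Expected: only index 1 is flagged.
    print(scan_moduli([ORDINARY_MODULUS, SYNTHETIC_ROCA_MODULUS]))  # [1]
```

The subgroup check is cheap (38 modular reductions per key), so it can be run over an entire issuance window as Rob describes, with flagged certificates then pulled for revocation. The residue sets are computed at import time rather than hardcoded, which makes the rule being applied visible in the code.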