Re: Certificate incident: private key leaked for wildcard certificate for *.sandbox.operations.dynamics.com
On Fri, Dec 08, 2017 at 11:55:46PM +0100, Hanno Böck via dev-security-policy wrote: > So I wonder: If a CA signs an intermediate - are they responsible > making sure that reports brought to the subca are properly handled? My first reaction would be if you sign it, you take responsibility. That would be either handling it yourself, or making sure that it's handled properly by the intermediate. But it's not obvious to me who to contact to revoke a given certifiate, and it would be really useful that given a certificate it would be obvious what to do, who to contact, to get it revoked. Kurt ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Certificate incident: private key leaked for wildcard certificate for *.sandbox.operations.dynamics.com
On Fri, Dec 8, 2017 at 3:55 PM, Hanno Böck via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > So I wonder: If a CA signs an intermediate - are they responsible > making sure that reports brought to the subca are properly handled? > > The root CA is ultimately responsible for subordinate CAs it has signed. That's why I asked DigiCert for an incident report via https://bugzilla.mozilla.org/show_bug.cgi?id=1424305 Having said that, I do think there are a few opportunities for improvement here. DigiCert couldn't directly revoke the compromised certificates, so I think it makes sense to add problem reporting mechanisms for subordinate CAs to CCADB when they differ from the root. That would also help when the problem reporting mechanism is buried in the CPS or when a general email address is published but there is no indication that it is the one the CA monitors 24x7 for certificate problem reports (both issues apply here). Wayne ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Certificate incident: private key leaked for wildcard certificate for *.sandbox.operations.dynamics.com
Hi, I guess this is of interest to the members of this list: https://www.golem.de/news/microsoft-dynamics-365-wildcard-certificate-with-a-private-key-for-everyone-1712-131544.html https://medium.com/matthias-gliwka/microsoft-leaks-tls-private-key-for-cloud-erp-product-10b56f7d648 tl;dr Microsoft used a shared wildcard certificate in a cloud ERP product (Dynamics 365 for Operations). In the "sandbox" version customers were allowed to log in via RDP and thus it was possible to extract the private key. The finder of this bug tried several months unsuccessfully to inform Microsoft about this issue. Eventually he got in contact with me, I reported it to Mozilla's bugzilla and it was sorted out. https://bugzilla.mozilla.org/show_bug.cgi?id=1421820 The certificate was issued indirectly by DigiCert. This raises imho again an interesting issue about Sub-CAs. The BRs say that after a private key compromise a cert shall be revoked within 24 hours. This clearly didn't happen. While it is probably no big deal if it takes sometimes a bit longer, in this case it was several months. So I wonder: If a CA signs an intermediate - are they responsible making sure that reports brought to the subca are properly handled? -- Hanno Böck https://hboeck.de/ mail/jabber: ha...@hboeck.de GPG: FE73757FA60E4E21B937579FA5880072BBB51E42 ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy