Re: DRAFT January 2020 CA Communication
On 1/7/20 7:00 PM, Wayne Thayer wrote:
> Please note that the responses for questions 2, 3, and 5 do not yet properly display the date fields that were recently added.

This has been fixed, so now the responses to questions 2, 3, and 5 are provided in one report each.

Thanks,
Kathleen

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: Policy Module Ownership
This is a sad loss for the community, but thank you for everything you've done these past years!

-Paul

On Wed, Jan 22, 2020 at 6:10 AM Wayne Thayer via dev-security-policy wrote:
>
> I have decided to leave Mozilla, effective this Friday.
>
> I expect Mozilla to hire a replacement, but that will of course take time.
> In the interim, I will remain the CA Certificate Policy Module Owner and
> contribute to the best of my ability in a volunteer capacity.
>
> Please feel free to contact me or Kathleen with any questions or concerns.
>
> I want to take this opportunity to once again thank everyone for your
> support and contributions to this amazing community.
>
> - Wayne
Policy Module Ownership
I have decided to leave Mozilla, effective this Friday.

I expect Mozilla to hire a replacement, but that will of course take time. In the interim, I will remain the CA Certificate Policy Module Owner and contribute to the best of my ability in a volunteer capacity.

Please feel free to contact me or Kathleen with any questions or concerns.

I want to take this opportunity to once again thank everyone for your support and contributions to this amazing community.

- Wayne
Re: Audit Reminder Email Summary
Forwarded Message
Subject: Summary of January 2020 Audit Reminder Emails
Date: Tue, 21 Jan 2020 20:00:22 + (GMT)
From: Mozilla CA Program Manager
To: kwil...@mozilla.com

Mozilla: Audit Reminder
CA Owner: Internet Security Research Group (ISRG)
Root Certificates:
  ISRG Root X1
Standard Audit: https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=224233
Standard Audit Period End Date: 2018-11-30
BR Audit: https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=224234
BR Audit Period End Date: 2018-11-30
CA Comments: null

Mozilla: Audit Reminder
CA Owner: Krajowa Izba Rozliczeniowa S.A. (KIR)
Root Certificates:
  SZAFIR ROOT CA2
Standard Audit: https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=226440
Standard Audit Period End Date: 2018-12-18
BR Audit: https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=226441
BR Audit Period End Date: 2018-12-18
CA Comments: null

Mozilla: Audit Reminder
CA Owner: Buypass
Root Certificates:
  Buypass Class 2 Root CA
  Buypass Class 3 Root CA
Standard Audit: https://www.buypass.com/the-company/certification/_/attachment/download/2db33e7e-5528-4cd4-83fa-50e3873f039e:b106edfa18530c142d3d0e2a899098244472bba6/ETS%20018.pdf
Standard Audit Period End Date: 2018-10-31
BR Audit: https://www.buypass.com/the-company/certification/_/attachment/download/2db33e7e-5528-4cd4-83fa-50e3873f039e:b106edfa18530c142d3d0e2a899098244472bba6/ETS%20018.pdf
BR Audit Period End Date: 2018-10-31
EV Audit: https://www.buypass.com/the-company/certification/_/attachment/download/2db33e7e-5528-4cd4-83fa-50e3873f039e:b106edfa18530c142d3d0e2a899098244472bba6/ETS%20018.pdf
EV Audit Period End Date: 2018-10-31
CA Comments: null

Mozilla: Audit Reminder
CA Owner: Dhimyotis / Certigna
Root Certificates:
  Certigna
  Certigna Root CA
Standard Audit: https://www.lsti-certification.fr/images/23-_1373_AT_V3_0.pdf
Standard Audit Period End Date: 2018-11-23
BR Audit: https://www.lsti-certification.fr/images/23-_1373_AT_V3_0.pdf
BR Audit Period End Date: 2018-11-23
CA Comments: null

Mozilla: Audit Reminder
CA Owner: DigiCert
Root Certificates:
  Symantec Class 1 Public Primary Certification Authority - G4
  Symantec Class 2 Public Primary Certification Authority - G4
  Symantec Class 2 Public Primary Certification Authority - G6
  GeoTrust Global CA
  GeoTrust Primary Certification Authority
  GeoTrust Primary Certification Authority - G2
  GeoTrust Primary Certification Authority - G3
  GeoTrust Universal CA
  GeoTrust Universal CA 2
  thawte Primary Root CA
  thawte Primary Root CA - G2
  thawte Primary Root CA - G3
  VeriSign Class 1 Public Primary Certification Authority - G3
  VeriSign Class 2 Public Primary Certification Authority - G3
  VeriSign Class 3 Public Primary Certification Authority - G3
  VeriSign Class 3 Public Primary Certification Authority - G4
  VeriSign Class 3 Public Primary Certification Authority - G5
  VeriSign Universal Root Certification Authority
  Symantec Class 1 Public Primary Certification Authority - G6
Standard Audit: https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=224491
Standard Audit Period End Date: 2018-10-31
BR Audit:
BR Audit Period End Date:
BR Audit: https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=224492
BR Audit Period End Date: 2018-10-31
EV Audit:
EV Audit Period End Date:
EV Audit: https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=224493
EV Audit Period End Date: 2018-10-31
CA Comments: null

Mozilla: Audit Reminder
CA Owner: Government of Hong Kong (SAR), Hongkong Post, Certizen
Root Certificates:
  Hongkong Post Root CA 3
Standard Audit: https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=225877
Standard Audit Period End Date: 2018-12-31
BR Audit: https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=225878
BR Audit Period End Date: 2018-12-31
EV Audit: https://www.ecert.gov.hk/ev/Webtrust%20EV%20SSL%20Report%2020181219_FINAL%20(with%20Management%20Assertion%20Letter).pdf
EV Audit Period End Date: 2018-11-30
CA Comments: null

Mozilla: Overdue Audit Statements
CA Owner: SwissSign AG
Root Certificates:
  SwissSign Platinum CA - G2**
  SwissSign Silver CA - G2**
  ** Audit Case in the Common CA Database is under review for this root certificate.
Standard Audit: https://it-tuv.com/wp-content/uploads/2018/12/AA2018122001_Audit_Attestation_TA_CERT__SwissSign_Platinum_G2.pdf
Standard Audit Period End Date: 2018-09-28
Standard Audit: https://it-tuv.com/wp-content/uploads/2018/12/AA2018122003_Audit_Attestation_TA_CERT__SwissSign_Silver_G2.pdf
Standard Audit Period End Date: 2018-09-28
BR Audit:
BR Audit Period End Date:
BR Audit: https://it-tuv.com/wp-content/uploads/2018/12/AA2018122003_Audit_Attestation_TA_CERT__SwissSign_Silver_G2.pdf
BR Audit Period End Date:
Re: Entrust-issued certificate with compromised private key.
On Tuesday, 21 January 2020 14:07:49 UTC-5, Benjamin Seidenberg wrote:
> > One - which appears to remain valid at time of writing - is an OV
> > certificate for "routerlogin.com" and variants, which was issued to Netgear
> > by Entrust, https://crt.sh/?id=1955992027
>
> Based on this tweet
> (https://twitter.com/FiloSottile/status/1219147543667453953?s=19) from
> 2020-01-20 06:39 UTC, it appears that Entrust failed to revoke this within 24
> hours of "receipt of the Certificate Problem Report", not revoking until
> Jan 21 15:21:36 2020 GMT.
>
> Will Entrust be filing an incident report for this?
>
> (I also submitted a report separately, they revoked 7 minutes shy of 24 hours
> after mine, shortly after this note to the list).

We will be posting an incident report shortly once we complete our investigation.
Re: Entrust-issued certificate with compromised private key.
> One - which appears to remain valid at time of writing - is an OV certificate
> for "routerlogin.com" and variants, which was issued to Netgear by Entrust,
> https://crt.sh/?id=1955992027

Based on this tweet (https://twitter.com/FiloSottile/status/1219147543667453953?s=19) from 2020-01-20 06:39 UTC, it appears that Entrust failed to revoke this within 24 hours of "receipt of the Certificate Problem Report", not revoking until Jan 21 15:21:36 2020 GMT.

Will Entrust be filing an incident report for this?

(I also submitted a report separately, they revoked 7 minutes shy of 24 hours after mine, shortly after this note to the list).
Re: Entrust-issued certificate with compromised private key.
On Tuesday, 21 January 2020 09:43:53 UTC-5, teg...@gmail.com wrote:
> About 24 hours ago, this gist was published to Github:
>
> https://gist.github.com/nstarke/a611a19aab433555e91c656fe1f030a9
>
> It details two publicly-trusted certificates whose private keys are present
> in publicly-available Netgear firmware images.
>
> One - which appears to remain valid at time of writing - is an OV certificate
> for "routerlogin.com" and variants, which was issued to Netgear by Entrust,
> https://crt.sh/?id=1955992027
>
> =
>
> The other, issued by Sectigo/Comodo for "mini-app.funjsq.com" (
> https://crt.sh/?id=615809732 ) seems to have been revoked not long after
> publishing.
>
> Although it has been revoked, I am still personally curious as to how and why
> Netgear came to be in possession of that latter certificate's private keys in
> the first place. If funjsq knowingly provided it to Netgear, a closer look at
> other funjsq-related certificates might be in order. (And if they did not,
> obviously, there was a deeper and more serious failure somewhere.)
>
> There are a number of certificates issued for funjsq.com subdomains, from a
> few different CAs: https://crt.sh/?q=funjsq.com
>
> One certificate, although it is expired, piqued my interest when I first saw
> it: https://crt.sh/?id=325345427 for "asus-plugin.funjsq.com". This subdomain
> is apparently active, though it is presently served using funjsq's wildcard
> cert.
>
> -NK

On January 20th at approximately 10:30 AM EST, Entrust Datacard was notified by a third party regarding an exposed private key for a certificate that we had issued to one of our customers. A third party incident report has been published here (the same link that was included in the original post to this thread): https://gist.github.com/nstarke/a611a19aab433555e91c656fe1f030a9

In accordance with our CPS, we immediately contacted the customer to notify them that the certificate must be revoked within 24 hours from the time of notification to Entrust. The certificate was revoked on January 21st at 10:24 AM EST, within the 24-hour time frame.

Here is a CT record for the certificate in question which now shows the OCSP status as revoked: https://crt.sh/?id=1955992027
Entrust-issued certificate with compromised private key.
About 24 hours ago, this gist was published to Github:

https://gist.github.com/nstarke/a611a19aab433555e91c656fe1f030a9

It details two publicly-trusted certificates whose private keys are present in publicly-available Netgear firmware images.

One - which appears to remain valid at time of writing - is an OV certificate for "routerlogin.com" and variants, which was issued to Netgear by Entrust, https://crt.sh/?id=1955992027

=

The other, issued by Sectigo/Comodo for "mini-app.funjsq.com" ( https://crt.sh/?id=615809732 ) seems to have been revoked not long after publishing.

Although it has been revoked, I am still personally curious as to how and why Netgear came to be in possession of that latter certificate's private keys in the first place. If funjsq knowingly provided it to Netgear, a closer look at other funjsq-related certificates might be in order. (And if they did not, obviously, there was a deeper and more serious failure somewhere.)

There are a number of certificates issued for funjsq.com subdomains, from a few different CAs: https://crt.sh/?q=funjsq.com

One certificate, although it is expired, piqued my interest when I first saw it: https://crt.sh/?id=325345427 for "asus-plugin.funjsq.com". This subdomain is apparently active, though it is presently served using funjsq's wildcard cert.

-NK
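The check behind a report like the one above, as an added example that is not part of this thread, the gist, or any CA's tooling: before filing a Certificate Problem Report about a private key found in a firmware image, confirm that the candidate key actually belongs to the certificate by comparing the SHA-256 of the SubjectPublicKeyInfo derived from the key with the SHA-256 of the SubjectPublicKeyInfo carried in the certificate. The script assumes only the openssl command-line tool; the key pair, the unrelated key and the self-signed certificate it generates are constructed stand-ins for the demo (the name "routerlogin.example" is made up), not the Netgear or Entrust material discussed on the list.

```shell
#!/bin/sh
# Added example, not code from the thread or the gist. Assumes the openssl
# CLI is on PATH. All key and certificate material is generated here as a
# stand-in; nothing below touches the real routerlogin.com certificate.
set -eu

# Print the SHA-256 of the DER-encoded SPKI carried inside a PEM certificate.
spki_fingerprint_from_cert() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 \
        | awk '{ print $NF }'
}

# Print the SHA-256 of the DER-encoded SPKI derived from a PEM private key.
# Works for RSA and EC keys alike; the private key itself never leaves the pipe.
spki_fingerprint_from_key() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 \
        | awk '{ print $NF }'
}

# Exit status 0 only if KEY ($1) is the private key behind CERT ($2).
# The -n guard makes a failed openssl invocation (empty output on both
# sides) a mismatch rather than a false "match".
key_matches_cert() {
    key_fpr=$(spki_fingerprint_from_key "$1")
    cert_fpr=$(spki_fingerprint_from_cert "$2")
    [ -n "$key_fpr" ] && [ "$key_fpr" = "$cert_fpr" ]
}

# --- constructed demo material (stand-ins, not real firmware contents) ------
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
LEAKED_KEY="$DEMO_DIR/leaked.key"      # plays the key pulled from a firmware image
LEAKED_CERT="$DEMO_DIR/leaked.crt"     # the certificate that key supposedly backs
OTHER_KEY="$DEMO_DIR/unrelated.key"    # a key that must NOT be reported as a match

openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=routerlogin.example" \
    -keyout "$LEAKED_KEY" -out "$LEAKED_CERT" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$OTHER_KEY" 2>/dev/null

if key_matches_cert "$LEAKED_KEY" "$LEAKED_CERT"; then
    echo "leaked.key is the private key for leaked.crt: key compromise confirmed, file a Certificate Problem Report"
fi
if ! key_matches_cert "$OTHER_KEY" "$LEAKED_CERT"; then
    echo "unrelated.key does not match leaked.crt: no compromise demonstrated"
fi
```

In a real investigation the first argument is whatever PEM block (or PKCS#8/DER blob, which openssl pkey also reads) was carved out of the unpacked firmware, and the second is the certificate downloaded from crt.sh by its ID. Leading with a matching SPKI fingerprint in the Certificate Problem Report gives the CA a claim it can verify in seconds, which matters when the 24-hour revocation clock starts at the CA's receipt of the report.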