On 9/4/2016 02:04, Eddy Nigg wrote:
> On 09/02/2016 07:02 PM, Nick Lamb wrote:
>> On Friday, 2 September 2016 08:50:02 UTC+1, Eddy Nigg wrote:
>>> Lets speak about relying parties - how does this bug affect you?
>> As a relying party I am entitled to assume that there is no more than one
BRs require revocation within 24 hours of notice. It's a terrible timeline but
one the browsers have strictly enforced for even widespread deployments.
> On Sep 6, 2016, at 4:30 PM, Steve Medin wrote:
>
> We have become aware of this certificate and its key
I updated https://bugzilla.mozilla.org/show_bug.cgi?id=1299579#c9
with:
""
... here is the approach that we plan to take:
We will add the "Hongkong Post e-Cert CA 1 - 10" intermediate cert to OneCRL at
the end of October.
Please replace all of the SSL certs chaining up to this intermediate cert
We have become aware of this certificate and its key compromise, thank you
for this information. We are contacting the owner to understand impact to
the deployed devices, but with clear intent to revoke. We will provide
updates while we make progress.
Kind regards,
Steven Medin
PKI Policy
On 06/09/2016 19:49, Jonathan Rudenberg wrote:
On Sep 5, 2016, at 16:25, hanyuwe...@gmail.com wrote:
I thought WoSign's report is not very convincing. The subdomain bug has
existed for a long time and it made me feel it is a feature, not a bug. It's not
a secret among the admins of
On 01 Sep 2016, at 18:00, Ryan Sleevi wrote:
>
> Incident 2: July, 2016 - At least 1 backdated SHA-1 certificate (was this
> the only one? I wasn't clear from
> https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/gksYkOTLCwAJ
>
>
On 05/09/16 23:58, Peter Bowen wrote:
> 1) Should any action be taken against the operators of these CAs due
> to the incidents listed?
>
> My view is that the correct answer is "no, unless it is demonstrated
> that the CA operator had knowledge of undisclosed incidents", as I
> believe that the
On 06/09/16 18:25, Kyle Hamilton wrote:
> Aruba chose not to notify GeoTrust that it needed to be revoked due to
> compromised private key. I am notifying because I believe it violates
> the Basic Requirements for someone other than the identified subject to
> possess the private key for a
Hi vfbsilva,
On 05/09/16 19:28, vfbsi...@gmail.com wrote:
> Howdy, I need to deploy Thunderbird to all users of my company. We
> use a set of CA certificates which are not registered in Mozilla as of
> the current moment. We need that upon creation of cert.db in users'
> home our chain whose files
Hi Percy,
On 06/09/16 16:46, Percy wrote:
> Percy Alpha; Researcher on Internet security and censorship in China
> http://percya.com ; CA related stuff: Broke the news on China's large
> scale MITM of Github in 2013, iCloud, Outlook, Yahoo in 2014; victim
> of Great Cannon (hijacking HTTP
On Tue, 6 Sep 2016, Kyle Hamilton wrote:
That seems unlikely to me (in that browsers don't really keep a server
cert database).
Has that changed? I talked with Dan Veditz (at Mozilla) around 5 years
ago regarding the fact that NSS had told me of duplicate serial numbers
being issued by a
> On Sep 5, 2016, at 16:25, hanyuwe...@gmail.com wrote:
>
> I thought WoSign's report is not very convincing. The subdomain bug has
> existed for a long time and it made me feel it is a feature, not a bug. It's
> not a secret among the admins of personal or small sites. I am not very
>
On 9/6/2016 04:59, Ben Laurie wrote:
> On 1 September 2016 at 11:29, Peter Gutmann wrote:
>> Rob Stradling writes:
>>
I guess it makes them easy to revoke, if a single revocation can kill 313
certs at once.
>>> That's true.
>> Hey,
As far as I know, GeoTrust is not at fault here. They just signed this
(domain validated) certificate, and I don't know if they've been
notified of it before. That said, I don't have GeoTrust's contact info,
and I'm presuming that someone here does.
Information here comes from
Howdy, I need to deploy Thunderbird to all users of my company. We use a set of
CA certificates which are not registered in Mozilla as of the current moment. We
need that upon creation of cert.db in users' home our chain whose files are
presented here:
On Saturday, September 3, 2016 at 1:31:17 PM UTC-4, Andy Ligg wrote:
> You are completely wrong!
>
> StartCom not only have office in Israel and in China, but also have
> office in UK, welcome to visit our UK office: T05, Castlemead, Lower
> Castle Street, Bristol, BS1 3AG, UK.
Thanks for
Hello,
First of all let me state that I am in no way involved in the operation of
a certificate authority, nor am I involved in setting CA policy for any
organisation; I am merely an interested observer. I am a user of Mozilla's
trust store, both directly through Firefox and Thunderbird, and
For page 19 of the report, I have one question: if the subscriber MUST transfer
the payment from his company bank account, why did the subscriber fake the company
seal as in figure 20?
And from figure 21's information, one fraudulent company transferred the payment
from Alipay, NOT his company bank!
On
Hi,
section 1.4. Impact Analytics in the report contains a list of 72
certificates, for which the domain validation was done on a high port.
On 2015-04-20 I have obtained a certificate for a domain name that I
validated using port 8080 but that certificate is not listed in the
report. This is
I thought WoSign's report is not very convincing. The subdomain bug has
existed for a long time and it made me feel it is a feature, not a bug. It's not
a secret among the admins of personal or small sites. I was not very familiar with
CA stuff at that time, just a subscriber of WoSign's free
On 06/09/2016 18:15, Ryan Hurst wrote:
On Tuesday, September 6, 2016 at 7:54:14 AM UTC-7, Jakob Bohm wrote:
On 06/09/2016 16:43, Martin Rublik wrote:
On Tue, Sep 6, 2016 at 2:16 PM, Jakob Bohm wrote:
Here is a list of software where I have personally observed bad
On 09/05/2016 10:54 AM, Gervase Markham wrote:
Hi Eddy,
On 04/09/16 09:51, Eddy Nigg wrote:
I don't want to extend this discussion unnecessarily, but as a side note
you don't know which agreements this employee has signed with StartCom
and/or WoSign and hence you can't make a judgement on it
On Tuesday, September 6, 2016 at 7:54:14 AM UTC-7, Jakob Bohm wrote:
> On 06/09/2016 16:43, Martin Rublik wrote:
> > On Tue, Sep 6, 2016 at 2:16 PM, Jakob Bohm wrote:
> >
> >> Here is a list of software where I have personally observed bad OCSP
> >> stapling support:
> >>
Percy Alpha; Researcher on Internet security and censorship in China
http://percya.com ; CA related stuff: Broke the news on China's large scale
MITM of Github in 2013, iCloud, Outlook, Yahoo in 2014; victim of Great Cannon
(hijacking HTTP request) DDOS of the website and Github in 2015; called
Yeah, it's almost impossible to distrust all WoSign authorities manually from
Keychain Access. WoSign has 28 root certs or intermediate certs signed by
other CAs, listed below. (List from
https://github.com/chengr28/RevokeChinaCerts/wiki/ReadMe_Online#about-certificates
)
Certification Authority of
While we try and evaluate contributions to this forum based on their
content rather than on who posted them, the issue has been raised that
it is sometimes useful to know where someone is coming from, who they
represent, and what experience they have.
Therefore, I have started an entirely
Nick Lamb writes:
>On Tuesday, 6 September 2016 15:11:00 UTC+1, Peter Gutmann wrote:
>> Why would a public CA even need cross-certification from other CAs?
>
>Maybe this question has some subtlety to it that I'm missing?
OK, I really meant "that many other CAs". To take
On Tuesday, 6 September 2016 15:11:00 UTC+1, Peter Gutmann wrote:
> Why would a public CA even need cross-certification from other CAs?
Maybe this question has some subtlety to it that I'm missing?
Acceptance into root trust stores is slow. Glacial in some cases. Mozilla has a
published
On 06/09/2016 16:43, Martin Rublik wrote:
On Tue, Sep 6, 2016 at 2:16 PM, Jakob Bohm wrote:
Here is a list of software where I have personally observed bad OCSP
stapling support:
IIS for Windows Server 2008 (latest IIS supporting pure 32 bit
configurations): No
On Tue, Sep 6, 2016 at 2:16 PM, Jakob Bohm wrote:
> Here is a list of software where I have personally observed bad OCSP
> stapling support:
>
> IIS for Windows Server 2008 (latest IIS supporting pure 32 bit
> configurations): No obvious (if any) OCSP stapling support.
There could be multiple reasons for xcerts from internal policies to controlled
trust stores. It depends on the root and the company. Part of the reason the
FPKI has xcerts is for both those reasons. Companies may only want to use their
root. They may not want to rely on the trust bundle
On 06/09/2016 16:10, Peter Gutmann wrote:
Peter Bowen writes:
In addition to the direct impact, I note that WoSign is the subject of cross-
signatures from a number of other CAs that chain back to roots in the Mozilla
program (or were in the program).
This is incredible,
On 06/09/16 15:10, Peter Gutmann wrote:
> Why would a public CA even need cross-certification from other CAs?
To inherit trust on legacy platforms that don't have an automatic root
update mechanism.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
On 06/09/2016 15:58, Peter Gutmann wrote:
Matt Palmer writes:
Out of curiosity, is anyone keeping a tally of the number of times WoSign has
said, "yep, they're all logged now", only to have more unlogged certificates
turn up? This is starting to feel like a bit of a
On 06/09/2016 15:37, Kurt Roeckx wrote:
On 2016-09-06 14:16, Jakob Bohm wrote:
On 06/09/2016 10:25, Kurt Roeckx wrote:
If you think there is something we can do in OpenSSL to improve this,
please let us know.
Here is a list of software where I have personally observed bad OCSP
stapling
Peter Bowen writes:
>In addition to the direct impact, I note that WoSign is the subject of cross-
>signatures from a number of other CAs that chain back to roots in the Mozilla
>program (or were in the program).
This is incredible, it's like a hydra. Do the BRs say anything
Matt Palmer writes:
>Out of curiosity, is anyone keeping a tally of the number of times WoSign has
>said, "yep, they're all logged now", only to have more unlogged certificates
>turn up? This is starting to feel like a bit of a repeat of DigiNotar,
We apologise for the
On 2016-09-06 14:16, Jakob Bohm wrote:
On 06/09/2016 10:25, Kurt Roeckx wrote:
If you think there is something we can do in OpenSSL to improve this,
please let us know.
Here is a list of software where I have personally observed bad OCSP
stapling support:
OpenSSL 1.0.x itself: There are
On 06/09/2016 10:25, Kurt Roeckx wrote:
On 2016-09-06 10:13, Nick Lamb wrote:
Quality of implementation for OCSP stapling seems to remain poor in at
least apache and nginx, two of the most popular servers. Apache's in
particular gives me that OpenSSL "We read this standards document and
Hi Peter. Since you mentioned Comodo's cross-certification of the
"Certification Authority of WoSign" root, we thought we should respond...
On 05/09/16 23:58, Peter Bowen wrote:
> Cross issued to /C=CN/O=WoSign CA Limited/CN=Certification Authority
> of WoSign by /C=US/ST=UT/L=Salt Lake
Thanks for your comment.
For Github case:
1. What happened: issued a certificate that included an un-validated domain,
found this mistake in the next day's review, and revoked this
certificate.
2. Why this happened: this is a bug as you described, and due to many orders needing
review
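The two complaints above (a certificate issued for a domain the subscriber had not validated, and validations performed on a high port) both reduce to one issuance-time check: does a completed validation actually cover each name in the request? The following is an added example, not WoSign's code or anything posted in the thread. It assumes, as a rule to enforce, that control of a name authorizes that name and its subdomains but never its parent, that only ports 80 and 443 count for an HTTP-based method, and that a name that is a public suffix can never be issued; the three-entry suffix set is a constructed stand-in for the public suffix list.

```python
"""Issuance-time authorization check: does a completed domain validation
cover every dNSName the subscriber asked for?

Added example (not WoSign's code). Rules encoded here are assumptions for
the example: validated name covers itself and its subdomains, never a
parent; HTTP-based validation counts only on ports 80/443; public suffixes
are never issued."""
from dataclasses import dataclass
from typing import Dict, List, Optional

ALLOWED_VALIDATION_PORTS = {80, 443}          # assumption for the example

# Constructed stand-in for the public suffix list.
PUBLIC_SUFFIXES = {"com", "co.uk", "github.io"}


@dataclass(frozen=True)
class Validation:
    fqdn: str              # name whose control was demonstrated
    method: str            # e.g. "http-file", "email"
    port: Optional[int]    # port used by an HTTP-based method, else None


def normalize(name: str) -> str:
    return name.strip().rstrip(".").lower()


def is_public_suffix(name: str) -> bool:
    return normalize(name) in PUBLIC_SUFFIXES


def validation_is_usable(v: Validation) -> bool:
    """Usable only if done on an allowed port and not for a public suffix."""
    if is_public_suffix(v.fqdn):
        return False
    if v.port is not None and v.port not in ALLOWED_VALIDATION_PORTS:
        return False
    return True


def covers(validated: str, requested: str) -> bool:
    """True iff control of `validated` authorizes issuing for `requested`.

    Exact match, any subdomain, or a wildcard whose base is the validated
    name or a subdomain of it. Never the parent of the validated name, so
    control of www.example.com does not authorize example.com."""
    v, r = normalize(validated), normalize(requested)
    if r.startswith("*."):
        r = r[2:]          # "*.a.example.com" needs control of a.example.com
    return r == v or r.endswith("." + v)


def authorize(validations: List[Validation], sans: List[str]) -> Dict[str, str]:
    """Map each requested SAN to "ok" or the reason it must be refused."""
    usable = [v.fqdn for v in validations if validation_is_usable(v)]
    verdicts = {}
    for san in sans:
        if is_public_suffix(san.lstrip("*.")):
            verdicts[san] = "refused: public suffix"
        elif any(covers(v, san) for v in usable):
            verdicts[san] = "ok"
        else:
            verdicts[san] = "refused: no usable validation covers this name"
    return verdicts


if __name__ == "__main__":
    # Constructed request: subscriber proved control of a subdomain only,
    # and a second validation was done on port 8080.
    vals = [Validation("www.example.com", "http-file", 80),
            Validation("example.net", "http-file", 8080)]
    for san, verdict in authorize(vals, ["www.example.com", "example.com",
                                        "*.example.com", "example.net"]).items():
        print(f"{san:20s} {verdict}")
```

The port restriction and suffix set are the two knobs a CA would feed from policy and the real public suffix list; the covering rule is the part that the incidents above show cannot be left to an ad hoc string comparison.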
On 2016-09-05 22:37, Percy wrote:
In page 11, you mentioned that "System blocked many illegal request every day, the
following screen shot is the reject order log", in which you attached a log with
Google, Microsoft, QQ domains. Those domains are rejected because of the top domain
whitelist.
On 2016-09-06 10:13, Nick Lamb wrote:
Quality of implementation for OCSP stapling seems to remain poor in at least apache and
nginx, two of the most popular servers. Apache's in particular gives me that OpenSSL
"We read this standards document and implemented everything in it as a series of
On Tuesday, 6 September 2016 08:31:33 UTC+1, Kurt Roeckx wrote:
> I would really like to see OCSP stapling as mandatory. There currently
> only seem to be around 25% of the servers that do it, and the progress
> seem to be very slow. I'm wondering if there is something we can do so
> that it's
On 2016-09-05 17:55, Jakob Bohm wrote:
Indeed, I have found that a number of common web server implementations
simply lack the ability to do OCSP stapling at all.
I would really like to see OCSP stapling as mandatory. There currently
only seem to be around 25% of the servers that do it, and
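The stapling discussion above is about server support, so the practical question for an operator is simply whether a given server staples at all, and whether the staple it sends is still within its validity window. The following is an added example, not code from the thread or from OpenSSL: it drives `openssl s_client -status`, which sends the status_request extension, and interprets the text that s_client prints. The two sample outputs embedded in it are constructed from the line formats s_client uses ("OCSP response: no response sent", "OCSP Response Status:", "Cert Status:", "This Update:", "Next Update:"), trimmed to the lines the parser looks at; the seven-day maximum staple age is an assumption of the example.

```python
"""Check whether a TLS server staples an OCSP response and whether the
staple is fresh. Added example, not code from the thread or from OpenSSL."""
import re
import subprocess
from datetime import datetime, timedelta, timezone

_TS_FMT = "%b %d %H:%M:%S %Y"     # s_client prints e.g. "Sep  6 10:00:00 2016 GMT"

# Constructed sample outputs (trimmed to the lines the parser reads).
SAMPLE_NOT_STAPLED = """\
depth=0 CN = www.example.com
OCSP response: no response sent
---
Certificate chain
"""

SAMPLE_STAPLED = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Sep  6 10:00:00 2016 GMT
    Next Update: Sep 13 10:00:00 2016 GMT
======================================
---
Certificate chain
"""


def _parse_ts(text):
    return datetime.strptime(text.replace(" GMT", "").strip(), _TS_FMT).replace(tzinfo=timezone.utc)


def parse_s_client_status(output, now=None, max_age=timedelta(days=7)):
    """Interpret the OCSP section of `openssl s_client -status` output.

    Returns a dict: stapled, status, cert_status, this_update, next_update,
    fresh (inside the validity window and no older than max_age), verdict."""
    now = now or datetime.now(timezone.utc)
    r = {"stapled": False, "status": None, "cert_status": None,
         "this_update": None, "next_update": None, "fresh": False}
    if "OCSP response: no response sent" in output:
        r["verdict"] = "not stapled"
        return r
    m = re.search(r"OCSP Response Status:\s*(.+)", output)
    if not m:
        r["verdict"] = "no OCSP section in output (handshake failed?)"
        return r
    r["stapled"] = True
    r["status"] = m.group(1).strip()
    m = re.search(r"Cert Status:\s*(\w+)", output)
    if m:
        r["cert_status"] = m.group(1)
    m = re.search(r"This Update:\s*(.+)", output)
    if m:
        r["this_update"] = _parse_ts(m.group(1))
    m = re.search(r"Next Update:\s*(.+)", output)
    if m:
        r["next_update"] = _parse_ts(m.group(1))
    tu, nu = r["this_update"], r["next_update"]
    if tu is not None:
        within = tu <= now and (nu is None or now < nu)
        r["fresh"] = within and (now - tu) <= max_age
    r["verdict"] = ", ".join(["stapled", r["cert_status"] or "status unknown",
                              "fresh" if r["fresh"] else "stale"])
    return r


def check_stapling(host, port=443, timeout=15):
    """Run s_client against host:port (sends SNI and status_request)."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-status"]
    proc = subprocess.run(cmd, input=b"Q\n", capture_output=True, timeout=timeout)
    return parse_s_client_status(proc.stdout.decode(errors="replace"))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_stapling(sys.argv[1])["verdict"])
    else:
        when = datetime(2016, 9, 7, tzinfo=timezone.utc)
        for name, sample in (("not stapled", SAMPLE_NOT_STAPLED), ("stapled", SAMPLE_STAPLED)):
            print(f"{name:12s} -> {parse_s_client_status(sample, now=when)['verdict']}")
```

Run it with a hostname to test a live server; with no argument it only exercises the parser on the constructed samples. The freshness check is the part worth keeping in a monitor: a server that staples a response it fetched once and never refreshes looks "stapled" but will start failing clients that reject expired responses.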
On 06/09/16 07:20, Henri Sivonen wrote:
> In the table on page 13, line 6 looks different from the others.
> Should that line be in the table on page 14 instead?
Also line 2?
Gerv
On Sun, Sep 4, 2016 at 12:49 PM, Richard Wang wrote:
> We finished the investigation and released the incidents report today:
> https://www.wosign.com/report/wosign_incidents_report_09042016.pdf
>
> This report has 20 pages, please let me know if you still have any questions,
>