Re: Incidents involving the CA WoSign

2016-10-04 Thread Percy
On Tuesday, October 4, 2016 at 4:41:18 AM UTC-7, Rob Stradling wrote: > Today we have revoked (via CRL and OCSP) all 3 of the cross-certificates > that we'd issued to WoSign: > > https://crt.sh/?id=3223853 > https://crt.sh/?id=12716343 > https://crt.sh/?id=12716433 > > See also: >

Re: Incident Report - certificate with 'sb' as a SAN:dnsName

2016-10-04 Thread Peter Bowen
On Tue, Oct 4, 2016 at 6:29 AM, Rob Stradling wrote: > On 04/10/16 13:18, Nick Lamb wrote: >> On Tuesday, 4 October 2016 11:14:01 UTC+1, Rob Stradling wrote: >>> Neither. I'd like to run cablint over all certs pre-issuance, but >>> unfortunately it's not practical to

Re: WoSign and StartCom: next steps

2016-10-04 Thread Gervase Markham
On 29/09/16 16:40, Gervase Markham wrote: > Following the publication of the recent investigative report, > representatives of Qihoo 360 and StartCom have requested a face-to-face > meeting with Mozilla. We have accepted, and that meeting will take place > next Tuesday in London. This meeting

Re: Comodo issued a certificate for an extension

2016-10-04 Thread Gervase Markham
On 04/10/16 14:19, Nick Lamb wrote: > That's why I proposed Mozilla might like to write this to CA/B or in > a group CA communication, because I would be astonished if WoSign and > Comodo are the only CAs to have such special "rules" that defeat the > purpose of the validation step, or if this is

Re: Incident Report - certificate with 'sb' as a SAN:dnsName

2016-10-04 Thread Rob Stradling
On 04/10/16 13:18, Nick Lamb wrote: > On Tuesday, 4 October 2016 11:14:01 UTC+1, Rob Stradling wrote: >> Neither. I'd like to run cablint over all certs pre-issuance, but >> unfortunately it's not practical to do this yet because 1) cablint is >> too slow and 2) there are some differences of

Re: Comodo issued a certificate for an extension

2016-10-04 Thread Nick Lamb
On Tuesday, 4 October 2016 12:21:47 UTC+1, Rob Stradling wrote: > When we are required (by CABForum and/or root program requirements) to > do , we will of course undertake to do . > > There are lots of s that we are already required to do. We > haven't tended to issue a separate announcement

Re: Incident Report - certificate with 'sb' as a SAN:dnsName

2016-10-04 Thread Hanno Böck
Hi, There seem to be more certificates of that kind that weren't mentioned in the incident report. Here's a .re / www.re certificate (expired 2015): https://crt.sh/?id=4467456 Has Comodo checked its systems for other certificates of that kind? Can you provide a full list of all such

Re: Incident Report - certificate with 'sb' as a SAN:dnsName

2016-10-04 Thread Nick Lamb
On Tuesday, 4 October 2016 11:14:01 UTC+1, Rob Stradling wrote: > Neither. I'd like to run cablint over all certs pre-issuance, but > unfortunately it's not practical to do this yet because 1) cablint is > too slow and 2) there are some differences of opinion that have been > discussed at

Re: Incidents involving the CA WoSign

2016-10-04 Thread Rob Stradling
Today we have revoked (via CRL and OCSP) all 3 of the cross-certificates that we'd issued to WoSign: https://crt.sh/?id=3223853 https://crt.sh/?id=12716343 https://crt.sh/?id=12716433 See also: https://bugzilla.mozilla.org/show_bug.cgi?id=906611#c2 On 06/09/16 11:11, Rob Stradling wrote: > Hi

Re: Comodo issued a certificate for an extension

2016-10-04 Thread Rob Stradling
On 03/10/16 02:23, Nick Lamb wrote: > Comodo's document never actually says that they're abolishing this "rule" as > a result of Ballot 169. It lets you choose to draw that implication, by > specifying that their current practices pre-date Ballot 169's changes, but it > never says as much.

Re: Deficiencies in the Web PKI and Mozilla's shepherding thereof, exposed by the WoSign affair

2016-10-04 Thread Eric Rescorla
On Mon, Oct 3, 2016 at 9:44 PM, Peter Bowen wrote: > On Mon, Oct 3, 2016 at 5:24 PM, Jakob Bohm wrote: > > On 03/10/2016 20:41, Kyle Hamilton wrote: > >> WoSign is known to be cross-signed by several independent CAs (as well > as > > > >> 2. There is

Re: Comodo issued a certificate for an extension

2016-10-04 Thread Rob Stradling
On 02/10/16 17:49, Nick Lamb wrote: > On Sunday, 2 October 2016 11:11:34 UTC+1, Patrick Figel wrote: >> https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg04274.html > > Thanks, I too could not find this in Google Groups. That is a little > concerning as I had assumed this

Re: Incident Report - certificate with 'sb' as a SAN:dnsName

2016-10-04 Thread Rob Stradling
On 04/10/16 11:51, Kurt Roeckx wrote: > On Tue, Oct 04, 2016 at 11:13:21AM +0100, Rob Stradling wrote: >> On 04/10/16 07:10, Gervase Markham wrote: >>> Does Comodo run cablint over all certificates post-issuance (or >>> pre-issuance)? >> >> Neither. I'd like to run cablint over all certs

Re: Incident Report - certificate with 'sb' as a SAN:dnsName

2016-10-04 Thread Kurt Roeckx
On Tue, Oct 04, 2016 at 11:13:21AM +0100, Rob Stradling wrote: > On 04/10/16 07:10, Gervase Markham wrote: > > >> [4] https://crt.sh/?cablint=1+week > > > > This URL is a 404. > > Sorry, crt.sh is a bit under the weather right now. Someone submitted a > batch of several million certs to the

Re: Incident Report - certificate with 'sb' as a SAN:dnsName

2016-10-04 Thread Rob Stradling
On 04/10/16 07:10, Gervase Markham wrote: >> [4] https://crt.sh/?cablint=1+week > > This URL is a 404. Sorry, crt.sh is a bit under the weather right now. Someone submitted a batch of several million certs to the Google CT logs, and this has rather overwhelmed the replication between crt.sh's

RE: Audit requirements

2016-10-04 Thread Varga Viktor
Dear Erwann, My answers inline marked with *** Le jeudi 29 septembre 2016 11:45:39 UTC+2, Varga Viktor a écrit : > Dear Peter, > > I am deeply in ETSI process, so I can give some info: > > Formerly the ETSIs are based on > > *102042 for CAs > *101456 for CAs issuing

Re: WoSign and StartCom

2016-10-04 Thread Gervase Markham
On 04/10/16 01:00, Ángel González wrote: > Not really. Their old roots could sign their new roots, which would > be enough to make them work on the older devices where it worked. The > cost of untrusting the old roots is probably similar to that of > adding new roots, so that the effort of

Re: Deficiencies in the Web PKI and Mozilla's shepherding thereof, exposed by the WoSign affair

2016-10-04 Thread Gervase Markham
Hi Kyle, On 03/10/16 19:41, Kyle Hamilton wrote: > WoSign is known to be cross-signed by several independent CAs (as well as 1 > CA which is no longer deemed to be independent). If it wished to bypass > any attempt to distrust it, all it would have to do is be cross-signed by > another CA.

Re: Incident Report - certificate with 'sb' as a SAN:dnsName

2016-10-04 Thread Gervase Markham
Hi Robin, Thank you for this report. On 27/09/16 02:07, Robin Alden wrote: > When we use an 'agreed-upon change to website' method to prove domain > control, we consider proof of control of 'www.' as also > proving control of '' (except where '' is a > public suffix). > We don't give any other