Re: Leaking private keys through web servers

2017-07-14 Jakob Bohm via dev-security-policy
On 14/07/2017 21:04, Ryan Sleevi wrote: On Fri, Jul 14, 2017 at 2:07 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: That's my point. The current situation is distinct from weak keys, and we shouldn't sacrifice the weak keys BR to make room for a

Re: Leaking private keys through web servers

2017-07-14 Ryan Sleevi via dev-security-policy
On Fri, Jul 14, 2017 at 2:07 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > That's my point. The current situation is distinct from weak keys, and > we shouldn't sacrifice the weak keys BR to make room for a compromised > keys BR. But a weak key is

Re: Leaking private keys through web servers

2017-07-14 Jakob Bohm via dev-security-policy
On 14/07/2017 18:19, Ryan Sleevi wrote: On Fri, Jul 14, 2017 at 11:11 AM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: On 14/07/2017 15:53, Ryan Sleevi wrote: On Fri, Jul 14, 2017 at 1:29 AM, Jakob Bohm via dev-security-policy <

Re: Leaking private keys through web servers

2017-07-14 Ryan Sleevi via dev-security-policy
On Fri, Jul 14, 2017 at 11:11 AM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 14/07/2017 15:53, Ryan Sleevi wrote: > >> On Fri, Jul 14, 2017 at 1:29 AM, Jakob Bohm via dev-security-policy < >> dev-security-policy@lists.mozilla.org> wrote: >> >>> >>> But

Re: Leaking private keys through web servers

2017-07-14 Jakob Bohm via dev-security-policy
On 14/07/2017 16:07, Alex Gaynor wrote: On Fri, Jul 14, 2017 at 10:03 AM, Ryan Sleevi via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: On Fri, Jul 14, 2017 at 9:44 AM, Hanno Böck via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: ... >> ...

Re: Leaking private keys through web servers

2017-07-14 Jakob Bohm via dev-security-policy
On 14/07/2017 15:53, Ryan Sleevi wrote: On Fri, Jul 14, 2017 at 1:29 AM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: But that doesn't clearly include keys that are weak for other reasons, such as a 512 bit RSA key with an exponent of 4 (as an extreme

Re: Leaking private keys through web servers

2017-07-14 Alex Gaynor via dev-security-policy
On Fri, Jul 14, 2017 at 10:03 AM, Ryan Sleevi via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Fri, Jul 14, 2017 at 9:44 AM, Hanno Böck via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > > So there are several questions and possible

Re: Leaking private keys through web servers

2017-07-14 Ryan Sleevi via dev-security-policy
On Fri, Jul 14, 2017 at 9:44 AM, Hanno Böck via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > So there are several questions and possible situations here. > > I think it's relatively clear that a CA could prevent reissuance of > certs if they know about a key compromise.

Re: Leaking private keys through web servers

2017-07-14 Ryan Sleevi via dev-security-policy
On Fri, Jul 14, 2017 at 1:29 AM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > But that doesn't clearly include keys that are weak for other reasons, > such as a 512 bit RSA key with an exponent of 4 (as an extreme example). > Yes. Because that's clearly

Re: Leaking private keys through web servers

2017-07-14 Hanno Böck via dev-security-policy
On Wed, 12 Jul 2017 10:47:51 -0400 Ryan Sleevi wrote: > One challenge to consider is how this is quantified. Obviously, if you > reported to Comodo the issue with the key, and then they issued > another certificate with that key, arguably that's something Comodo > should have

Re: WoSign new system passed Cure 53 system security audit

2017-07-14 okaphone.elektronika--- via dev-security-policy
On Friday, 14 July 2017 04:44:39 UTC+2, Richard Wang wrote: > Hi Peter, > > Thanks for your guesses. > But no those issues in our system. > > > Best Regards, > > Richard That's what you say. But you've lied before. :-( So sorry, but that won't go anywhere near regaining trust. You'll have