On 07/19/2017 06:03 PM, Tom wrote:
Following that discovery, I've searched for odd (invalid?) DNS names.
Here is the list of certificates I've found, it may overlap some
discovery already reported.
If I'm correct, these certificates are not revoked, not expired, and
probably trusted by Mozilla
Thank you, Charles and Tom, for bringing this to the forefront. We have
contacted the cross-signed partner and asked for an explanation. We've also
demanded revocation within 24 hours and a full scan to determine whether any
other certificates exist.
Jeremy
-Original Message-
From:
On 07/19/2017 06:03 PM, Tom wrote:
Following that discovery, I've searched for odd (invalid?) DNS names.
Here is the list of certificates I've found, it may overlap some
discovery already reported.
If I'm correct, these certificates are not revoked, not expired, and
probably trusted by Mozilla
On 07/19/2017 05:10 AM, Aaron Wu wrote:
- Tunisian Server Certificate Authority - TunServerCA2
https://crt.sh/?id=79470561&opt=cablint is a certificate for the
internal name 'adv-mail.calladvance.local' issued by this CA with a
notBefore of 2017.
Following that discovery, I've searched for odd (invalid?) DNS names.
Here is the list of certificates I've found, it may overlap some
discovery already reported.
If I'm correct, these certificates are not revoked, not expired, and
probably trusted by Mozilla (crt.sh issuer are marked trusted by
On Wed, Jul 19, 2017 at 11:31 AM, Steve Medin via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> > -Original Message-
> > From: dev-security-policy [mailto:dev-security-policy-
> > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of
> > Jakob Bohm via
On 7/19/2017 8:31 AM, Steve Medin wrote:
>> -Original Message-
>> From: dev-security-policy [mailto:dev-security-policy-
>> bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of
>> Jakob Bohm via dev-security-policy
>> Sent: Tuesday, July 18, 2017 4:39 PM
>> To:
On 19/07/2017 17:31, Steve Medin wrote:
-Original Message-
From: dev-security-policy [mailto:dev-security-policy-
bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of
Jakob Bohm via dev-security-policy
Sent: Tuesday, July 18, 2017 4:39 PM
To:
> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of
> Jakob Bohm via dev-security-policy
> Sent: Tuesday, July 18, 2017 4:39 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re:
Hi Steve,
Thank you for this update on Symantec's progress. I have a few follow-up
questions:
1) Did any of the RFP respondents indicate that they could provide the
Managed
CA solution in the timeframe originally proposed by Google? (August 8th)
Alternatively, is December 1st, 2017 the
On 19/07/17 15:31, Jeremy Rowley via dev-security-policy wrote:
You should also filter out expired certs as they aren't usable.
I've added a 2nd tab that just shows unexpired certs. I'll also add a
column to track the revocation status of each of these certs.
I've left the expired certs in
Hi Alex. This is about issuance (mal)practices, so therefore I didn't
omit certs that are already revoked.
On 19/07/17 15:29, Alex Gaynor via dev-security-policy wrote:
I think there might be a bug in your SQL, one of the offending certs is
issued by "C=US, O=U.S. Government, OU=Department of
You should also filter out expired certs as they aren't usable.
> On Jul 19, 2017, at 8:30 AM, Alex Gaynor via dev-security-policy
> wrote:
>
> I think there might be a bug in your SQL, one of the offending certs is
> issued by "C=US, O=U.S. Government,
I think there might be a bug in your SQL, one of the offending certs is
issued by "C=US, O=U.S. Government, OU=Department of Homeland Security,
OU=Certification Authorities, OU=DHS CA4", who are revoked using OneCRL.
Alex
On Wed, Jul 19, 2017 at 10:08 AM, Rob Stradling via dev-security-policy <
Hanno Böck via dev-security-policy
writes:
>More dotdot-certificates:
Given how widespread (meaning from different CAs) these are, is there some
quirk of a widely-used resolver library that allows them? I've done a bit of
impromptu testing of various
On 18/07/17 16:57, Hanno Böck via dev-security-policy wrote:
(Due to limitations in the search methodology - scraping crt.sh
search results and looping through tlds - I only searched for ..tld. It
would certainly be valuable to search further.)
Here's a report of all "double dot" certs known
Morning all,
I'd like to report the following instance of mis-issuance:
All of the following contain a URI in a dNSName SAN entry. These
certificates are neither revoked, nor expired, and all are from CAs
currently trusted by the Mozilla Root Program.
https://crt.sh/?id=124094761&opt=cablint
On 07/19/17 05:10, Aaron Wu wrote:
- Tunisian Server Certificate Authority - TunServerCA2
https://crt.sh/?id=21813439 is a certificate issued by this CA which has
a domain name in the common name but only an email address in the SAN.
(The certificate has TLS server/client usage EKUs.)
This request from the Government of Tunisia is to include the “Tunisian Root
Certificate Authority - TunRootCA2” root certificate, and enable the Websites
trust bit.
The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1233645
BR Self Assessment is
On Tuesday, 18 July 2017 20:29:50 UTC+1, Jeremy Rowley wrote:
> Some of these certs are really old. Is there a reason people were using
> double dot names? Are they all mistakes in the certificate request or is
> there some logic behind them?
Unless I see good evidence to the contrary I will