They are working on the issue and preparing a report.
From: Eric Mill [mailto:e...@konklone.com]
Sent: Saturday, August 12, 2017 9:03 PM
To: Ben Wilson
Cc: Alex Gaynor; Jonathan Rudenberg
If they're not going to revoke within 24 hours and willingly violate that
part of the policy, I would at least expect them to, within that 24 hours,
produce a description of why this happened, what they're doing to fix it,
and when they expect the certificates to be replaced (along with an
We’ll look into these on Monday and get back to you.
From: Ryan Sleevi [mailto:r...@sleevi.com]
Sent: Saturday, August 12, 2017 8:56 PM
To: Ben Wilson
Cc: Jonathan Rudenberg ;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re:
I’ve found 54 additional unexpired unrevoked certificates that are known to CT
and trusted by NSS containing dnsNames that are invalid. The errors include
invalid characters, internal names, and wildcards in the wrong position.
The full list is here: https://misissued.com/batch/8/
There are a
Do you have an estimate on when you can provide an explanation to the
community about how/why this happened, how many certificates it affected,
and what steps DigiCert is taking to prevent these issues in the future? Do
you have details about why DigiCert failed to detect these, and what steps
The CTJ one was issued in 2013 and is a five year cert (which was also
prohibited under the BRs at that time). It should have been revoked much
earlier, of course.
-Original Message-
From: dev-security-policy
On Fri, Aug 11, 2017 at 5:20 PM, Matthew Hardeman via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> If one integrates a project like certlint/cablint into the cert issuance
> pipeline, one suddenly takes on supplemental responsibility for certlint's
> bugs or changes.
>
Congratulations on finding something not caught by certlint. It turns
out that cablint does zero checks for reserved IPs. Something else
for my TODO list.
On Sat, Aug 12, 2017 at 6:52 PM, Jonathan Rudenberg via
dev-security-policy wrote:
> Baseline
Thanks. We've sent an email to the operators of the first two CAs (TI Trust
Technologies and Cybertrust Japan) that they need to revoke those certificates.
Thanks again,
Ben
-Original Message-
From: dev-security-policy
Baseline Requirements section 7.1.4.2.1 prohibits ipAddress SANs from
containing IANA reserved IP addresses and any certificates containing them
should have been revoked by 2016-10-01.
There are seven unexpired unrevoked certificates that are known to CT and
trusted by NSS containing reserved
One good thing we should be able to hope for from a change in ownership even if
the personnel and equipment are the same or a great deal in common: improved
management oversight. In my view the most worrying underlying problem at
Symantec was the inadequate oversight. Senior management at the
Andrew.
Thank you for the review, comments and questions on TrustCor's policy
documents.
We are in the process of reviewing your comments and formulating a response to
each. We will provide our response and updates before EOB Tuesday, August
15th, published to this discussion list.
Have
Steve,
Thank you for responding relatively promptly (at least as compared to previous
Symantec responses) to Devon's questions.
However, these responses seem to imply that a side effect of the sale *is* to
skirt the remediation requirements imposed by Google and Mozilla.
In particular, the