On Sat, Sep 9, 2017 at 1:59 PM, Andrew Ayer wrote:
> On Sat, 9 Sep 2017 13:53:52 -0700
> Peter Bowen via dev-security-policy
> wrote:
>
>> On Sat, Sep 9, 2017 at 1:50 PM, Andrew Ayer
>> wrote:
>> >
>> > drill is
Thank you for bringing this oversight to our attention. The certificate in
question has been revoked.
The original incident report from July 16 was accidentally considered closed on
the basis of a fix for our infrastructure without actually revoking the
certificate that led to the report.
I would have checked Sept 9th as Sept 8th at midnight would be the last
possible moment when the CPS could be updated and still be compliant.
> On Sep 9, 2017, at 3:33 PM, Andrew Ayer via dev-security-policy
> wrote:
>
> On Fri, 8 Sep 2017 15:22:52 -0700
On Sat, 9 Sep 2017 13:53:52 -0700
Peter Bowen via dev-security-policy
wrote:
> On Sat, Sep 9, 2017 at 1:50 PM, Andrew Ayer
> wrote:
> >
> > drill is buggy and insecure. Obviously, such implementations can
> > be found. Note that
On Sat, Sep 9, 2017 at 1:50 PM, Andrew Ayer wrote:
>
> drill is buggy and insecure. Obviously, such implementations can
> be found. Note that drill is just a "debugging/query" tool, not a
> resolver you would actually use in production. You'll find that the
>
On Sat, Sep 9, 2017 at 11:50 AM, Andrew Ayer wrote:
> On Sat, 9 Sep 2017 08:49:01 -0700
> Peter Bowen via dev-security-policy
> wrote:
>
>> On Sat, Sep 9, 2017 at 3:57 AM, Jonathan Rudenberg
>> wrote:
>> >
>> >>
Hi,
A while ago I tested how some CAs would react to certificate requests
with debian weak keys.
I was able to get a certificate from Let's Encrypt with a debian weak
key. Here is it:
https://crt.sh/?id=173588030
I reported this to Let's Encrypt. They told me that they are aware they
weren't
On Fri, 8 Sep 2017 15:22:52 -0700 (PDT)
Andy Warner via dev-security-policy
wrote:
> Google Trust Services published updated CP & CPS versions earlier
> today covering CAA checking. I'd suggest checking all CAs again
> tomorrow. Given the range of timezones
On Sat, 9 Sep 2017 06:57:39 -0400
Jonathan Rudenberg via dev-security-policy
wrote:
>
> > On Sep 9, 2017, at 06:19, Peter Bowen via dev-security-policy
> > wrote:
> >
> > In all three of these cases, the "domain's
On Sat, Sep 9, 2017 at 3:57 AM, Jonathan Rudenberg
wrote:
>
>> On Sep 9, 2017, at 06:19, Peter Bowen via dev-security-policy
>> wrote:
>>
>> In all three of these cases, the "domain's zone does not have a DNSSEC
>> validation chain
On Friday, September 8, 2017 at 5:57:44 PM UTC-4, Jeremy Rowley wrote:
> Hi Andrew,
>
> I'm not certain how to update the previous Mozilla response with respect to
> CAA, but we added the following as authorized CAA records:
> Digicert.com
> *.digicert
> Digicert.net.jp
> Cybertrust.net.jp
>
>
> On Sep 9, 2017, at 06:19, Peter Bowen via dev-security-policy
> wrote:
>
> In all three of these cases, the "domain's zone does not have a DNSSEC
> validation chain to the ICANN root" -- I requested SOA, DNSKEY, NS,
> and CAA records types for each zone
For reference, here is the relevant bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1398428
> On Sep 9, 2017, at 05:21, Jeremy Rowley via dev-security-policy
> wrote:
>
> big.basic.caatestsuite.com
>
> [JR] We only check CAA records with UDP to keep
> Certificate 3 contains a single DNS identifier for
> refused.caatestsuite-dnssec.com
> Attempts to query the CAA record for this DNS name result in a REFUSED DNS
> response. Since there is a DNSSEC validation chain from this zone to the
> ICANN root, CAs are not permitted to treat the lookup
Google Trust Services published updated CP & CPS versions earlier today
covering CAA checking. I'd suggest checking all CAs again tomorrow. Given the
range of timezones CA operational staff operate across, some may not have had
a chance to publish their updates yet.
In terms of the 'rush' I
Good Afternoon
In order to answer the points of the wiki, we offer the following explanations
Issue D: URI in CN and dnsName SAN (December 2016)
Procert:
Based on internal tests and validation, we contacted the client, asked for
a new CSR and proceeded to revoke and reissue the
Hi everyone,
We received a certificate problem report at 11 pm on Sep 8, 2017 from Andrew
Ayer alleging the mis-issuance of 6 certificates because of a failure to
properly verify CAA records.
I'm sharing the report here because there are questions about CAA record
checking that we feel