Re: 2018.01.09 Issue with TLS-SNI-01 and Shared Hosting Infrastructure

2018-01-12 Thread josh--- via dev-security-policy
On Friday, January 12, 2018 at 9:38:42 PM UTC-6, jo...@letsencrypt.org wrote: > On Thursday, January 11, 2018 at 4:29:09 PM UTC-6, jo...@letsencrypt.org > wrote: > > On Thursday, January 11, 2018 at 3:36:50 PM UTC-6, Ryan Sleevi wrote: > > > On Wed, Jan 10, 2018 at 4:33 AM, josh--- via

Re: 2018.01.09 Issue with TLS-SNI-01 and Shared Hosting Infrastructure

2018-01-12 Thread josh--- via dev-security-policy
On Thursday, January 11, 2018 at 4:29:09 PM UTC-6, jo...@letsencrypt.org wrote: > On Thursday, January 11, 2018 at 3:36:50 PM UTC-6, Ryan Sleevi wrote: > > On Wed, Jan 10, 2018 at 4:33 AM, josh--- via dev-security-policy < > > dev-security-policy@lists.mozilla.org> wrote: > > > > > At

Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment

2018-01-12 Thread Matt Palmer via dev-security-policy
On Fri, Jan 12, 2018 at 02:52:54PM +, Doug Beattie via dev-security-policy wrote: > I’d like to follow up on our investigation and provide the community with > some more information about how we use Method 9. > > 1) Client requests a test certificate for a domain (only one FQDN) Does

Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment

2018-01-12 Thread Ryan Sleevi via dev-security-policy
On Fri, Jan 12, 2018 at 4:24 PM, Doug Beattie wrote: > Wayne, > > > > We didn’t really investigate wildcard issuance yet, but we can. > > > > Given the discussion so far, we’re planning to proceed with a whitelisting > approach tomorrow and we will plan to end the use

Re: Incident report: Failure to verify authenticity for some partner requests

2018-01-12 Thread Bruce via dev-security-policy
On Wednesday, January 10, 2018 at 4:24:54 PM UTC-5, Tim Hollebeek wrote: > As you know, BR 3.2.5 requires CAs to verify the authenticity of a request > for an OV certificate through a Reliable Method of Communication (RMOC). > Email can be a RMOC, but in these cases, the email address was a

RE: Possible Issue with Domain Validation Method 9 in a shared hosting environment

2018-01-12 Thread Doug Beattie via dev-security-policy
Wayne, We didn’t really investigate wildcard issuance yet, but we can. Given the discussion so far, we’re planning to proceed with a whitelisting approach tomorrow and we will plan to end the use of Method 9 (schedule TBD) which follows Let’s Encrypt handling of Method 10. If there are any

Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment

2018-01-12 Thread Wayne Thayer via dev-security-policy
On Fri, Jan 12, 2018 at 11:21 AM, Doug Beattie wrote: > > > Normally a web hosting provider should not let you set SNI for a domain > someone else is using, especially on that IP address. I think this is > where method 9 deviates from method 10. > > > I agree, it

Re: Taiwan GRCA Root Renewal Request

2018-01-12 Thread Wayne Thayer via dev-security-policy
On Thursday, June 1, 2017 at 5:03:15 PM UTC-7, Kathleen Wilson wrote: > On Friday, May 26, 2017 at 9:32:57 AM UTC-7, Kathleen Wilson wrote: > > On Wednesday, March 15, 2017 at 5:01:13 PM UTC-7, Kathleen Wilson wrote: > > All, > > > > I requested that this CA perform a BR Self Assessment, and

New Reports for CAA Identifiers and Problem Reporting Mechanisms

2018-01-12 Thread Kathleen Wilson via dev-security-policy
Just FYI that two new public reports are now available via the https://wiki.mozilla.org/CA/Included_CAs wiki page. One for Problem Reporting Mechanisms, and one for CAA identifiers. Here are the direct links to the new reports:

Re: CCADB Report: AllCertificateRecordsCSVFormat

2018-01-12 Thread Kathleen Wilson via dev-security-policy
On 11/15/17 1:48 PM, Kathleen Wilson wrote: All, The following report lists data for all root and intermediate cert records in the CCADB. https://ccadb-public.secure.force.com/mozilla/AllCertificateRecordsCSVFormat A link to this report is here: http://ccadb.org/resources Cheers,

RE: Possible Issue with Domain Validation Method 9 in a shared hosting environment

2018-01-12 Thread Doug Beattie via dev-security-policy
Wayne and Gerv, I’ll try to answer both of your questions here. From: Wayne Thayer [mailto:wtha...@mozilla.com] Sent: Friday, January 12, 2018 11:03 AM To: Doug Beattie Cc: r...@sleevi.com; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Possible Issue

Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment

2018-01-12 Thread Gervase Markham via dev-security-policy
On 12/01/18 14:52, Doug Beattie wrote: > For shared IP address environments, it may be possible to receive a > certificate for a domain you don’t actually control, but a number of > things need to happen in order for this to be successful. What can > go wrong? Doug: what do you see as the exact

Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment

2018-01-12 Thread Wayne Thayer via dev-security-policy
Doug, I have some questions: > > c.The hosting company must allow you to manually create and upload > a CSR for a site you don’t own > > Did you mean to say 'certificate' here instead of 'CSR'? d. The user must be able to trick the hosting provider to enable SNI > for this domain

Re: Compromised certificate for localhost.cmdm.comodo.net / Comodo ITSM

2018-01-12 Thread Rob Stradling via dev-security-policy
Hanno, thanks for reporting this to us earlier today. Mozilla, please consider adding https://crt.sh/?id=245397620 to OneCRL. Thanks. On 12/01/18 15:33, Hanno Böck via dev-security-policy wrote: Hi, Comodo ITSM (IT Service Management Software) runs an HTTPS server on localhost and port

Compromised certificate for localhost.cmdm.comodo.net / Comodo ITSM

2018-01-12 Thread Hanno Böck via dev-security-policy
Hi, Comodo ITSM (IT Service Management Software) runs an HTTPS server on localhost and port 21185. The domain localhost.cmdm.comodo.net pointed to localhost. It is obvious that with this setup the private key is part of the application and thus compromised. With advanced next generation key

RE: Possible Issue with Domain Validation Method 9 in a shared hosting environment

2018-01-12 Thread Doug Beattie via dev-security-policy
Ryan, I’d like to follow up on our investigation and provide the community with some more information about how we use Method 9. We use a process that we refer to as OneClick to automate the domain validation and issuance of certificates by issuing a test certificate to an FQDN and then

Re: 2018.01.09 Issue with TLS-SNI-01 and Shared Hosting Infrastructure

2018-01-12 Thread Jakob Bohm via dev-security-policy
When I wrote my previous reply, I had not yet received Let's encrypt's post in which they announced they would not reenable TLS-SNI-01 globally. So this was written based on Let's encrypt only *temporarily* disabling TLS-SNI-01 as stated in their original post and *allegedly* (according to 3rd
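Both the TLS-SNI-01 thread and the Method 9 thread above describe the same shape of problem: a CA validates control of a name by connecting to the IP the name resolves to and checking which certificate is served for a chosen SNI value, while on a shared host any tenant of that IP can upload a certificate for an arbitrary SNI name. The simulation below is an added example, not code from Let's Encrypt, GlobalSign, or anyone in the thread. It derives the TLS-SNI-01 SAN the way the ACME draft that defined the method specified it (Z = hex(SHA-256(key authorization)), SAN = Z[0:32] "." Z[32:64] ".acme.invalid"), models a shared host that routes TLS by SNI alone, and shows a co-tenant passing validation for a victim name. The hostnames, IP address, tenant names, and key authorization string are constructed for the demo; the "strict" host that only accepts uploads for names the provider has verified for that tenant is the mitigation the thread calls whitelisting.

```python
import hashlib
from dataclasses import dataclass, field


def tls_sni_01_san(key_authorization: str) -> str:
    """SAN name a TLS-SNI-01 validation certificate must carry.

    From the ACME draft that defined TLS-SNI-01: Z is the lowercase hex
    SHA-256 digest of the key authorization, and the name is
    Z[0:32] + "." + Z[32:64] + ".acme.invalid".
    """
    z = hashlib.sha256(key_authorization.encode("ascii")).hexdigest()
    return f"{z[:32]}.{z[32:]}.acme.invalid"


@dataclass
class Cert:
    tenant: str
    sans: list


@dataclass
class SharedHost:
    """One IP address shared by many tenants; the TLS front end picks the
    certificate purely by the SNI value the client sends."""
    ip: str
    owned: dict                                 # tenant -> names the provider verified
    strict: bool = False                        # True: refuse uploads for unverified names
    certs: dict = field(default_factory=dict)   # SNI name -> Cert

    def upload_cert(self, tenant: str, sans: list) -> bool:
        # Whitelisting mitigation: a tenant may only install certificates
        # for names the provider has already verified for that tenant.
        if self.strict and not set(sans) <= self.owned.get(tenant, set()):
            return False
        for name in sans:
            self.certs[name] = Cert(tenant, list(sans))
        return True

    def handshake(self, sni: str):
        # Returns whatever certificate is bound to the requested SNI, if any.
        return self.certs.get(sni)


def validate_tls_sni_01(domain: str, key_authorization: str, dns: dict, hosts: dict) -> bool:
    """Simulated CA side of TLS-SNI-01: resolve the domain, connect to that IP
    with SNI set to the challenge name, and accept if the served certificate's
    SANs contain the challenge name. Note that the domain being validated is
    never sent to the server; only the IP and the .acme.invalid name matter."""
    challenge_name = tls_sni_01_san(key_authorization)
    host = hosts.get(dns.get(domain))
    if host is None:
        return False
    cert = host.handshake(challenge_name)
    return cert is not None and challenge_name in cert.sans


def run_demo(strict: bool) -> bool:
    """True if co-tenant 'mallory' obtains validation for alice's victim.example."""
    # Constructed inputs. A real key authorization comes from the ACME server
    # and the attacker's own account key, so the attacker always knows it.
    key_authz = "token.accountthumbprint"
    dns = {"victim.example": "192.0.2.10", "mallory.example": "192.0.2.10"}
    host = SharedHost(
        ip="192.0.2.10",
        owned={"alice": {"victim.example"}, "mallory": {"mallory.example"}},
        strict=strict,
    )
    hosts = {host.ip: host}
    # Mallory uploads a self-signed certificate carrying the challenge name.
    host.upload_cert("mallory", [tls_sni_01_san(key_authz)])
    return validate_tls_sni_01("victim.example", key_authz, dns, hosts)


if __name__ == "__main__":
    print("permissive shared host, attacker validated:", run_demo(strict=False))
    print("whitelisting shared host, attacker validated:", run_demo(strict=True))
```

The strict host blocks the co-tenant, but it also blocks an honest tenant, since nobody can pre-verify a ".acme.invalid" name; on such a host the challenge only completes if the provider installs the certificate itself, which is the dependency on hosting-provider behaviour the thread is debating.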