Re: AC Camerfirma Chambers of Commerce and Global Chambersign 2016 Root Inclusion Request

On Fri, Mar 2, 2018 at 3:47 PM, David E. Ross via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 3/2/2018 2:05 PM, Wayne Thayer wrote [in part]: > > [snipped] > > NOTE: The fact that I have snipped some of the items under "==Bad==" > does not mean I consider them

Re: AC Camerfirma Chambers of Commerce and Global Chambersign 2016 Root Inclusion Request

On 3/2/2018 2:05 PM, Wayne Thayer wrote [in part]: [snipped] NOTE: The fact that I have snipped some of the items under "==Bad==" does not mean I consider them unimportant. However, the items on which I comment I consider to be most important. > ==Bad== > * The inclusion request

AC Camerfirma Chambers of Commerce and Global Chambersign 2016 Root Inclusion Request

This request is for inclusion of the Camerfirma CHAMBERS OF COMMERCE ROOT - 2016 (CCR2016) and GLOBAL CHAMBERSIGN ROOT - 2016 (GCSR2016) as documented in the following bug: https://bugzilla.mozilla.org/show_bug.cgi?id=986854 * BR Self Assessment is here:

Re: Trustico code injection

> Trustico have assured us that the private key > could not have been compromised. Did they elaborate on how they came to that "could not have been" conclusion? ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org

Re: Trustico code injection

That's not what Trustico are saying in their fulfilment emails (received during the purchase of a Trustico® certificate through Comodo CA this morning): 'If you chose to have us generate your CSR during the ordering process, you will need to contact us for a copy of your corresponding Private

Re: Mozilla’s Plan for Symantec Roots

On Fri, Mar 2, 2018 at 11:58 AM, Doug Beattie wrote: > Hi Wayne, > > Is the Firefox 60 update in May the same as the combination of the April > and October Chrome updates, in that all Symantec certificates will be > untrusted on this date (5 months before Chrome)? >

Re: Trustico code injection

(re-sending to list) > We also asked Trustico to cease offering any tools to generate and/or retain customer private keys. Does Comodo intend to standardize a policy against this? GoGetSSL has a tool like this in their customer panel and I’m sure there are more. On Fri, Mar 2, 2018 at 12:29 PM

RE: Mozilla’s Plan for Symantec Roots

Hi Wayne, Is the Firefox 60 update in May the same as the combination of the April and October Chrome updates, in that all Symantec certificates will be untrusted on this date (5 months before Chrome)? Doug > -Original Message- > From: dev-security-policy [mailto:dev-security-policy-

RE: Trustico code injection

https://crt.sh/?id=206535041 is now revoked. Regards, Rich Smith smime.p7s Description: S/MIME cryptographic signature ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy

Re: Mozilla’s Plan for Symantec Roots

Update: Mozilla is moving forward with our implementation of the consensus plan for Symantec roots [1]. With the exception of whitelisted subordinate CAs using the keys listed on the wiki [2], Symantec certificates are now blocked by default on Nightly builds of Firefox. The preference

Re: Trustico code injection

We also asked Trustico to cease offering any tools to generate and/or retain customer private keys. They have complied with this request and have confirmed that they do not intend to offer any such tools again in the future. Trustico have also confirmed to us that they were not, and are not,

Re: Allowing WebExtensions to Override Certificate Trust Decisions

Thanks everyone for your input on this topic. The consensus seems to be that allowing WebExtensions to muck with certificate validation decisions is a bad idea. The bug [1] has been updated with that sentiment and a link to this discussion. - Wayne [1]

RE: Trustico code injection

Comodo CA has investigated the reports posted to this list relating to the suspected compromise of the private key corresponding to https://crt.sh/?id=206535041. Trustico have assured us that the private key could not have been compromised. However, since it will be hard to convince everyone

Re: Trustico code injection

> The code injection occurred on an interface they had to check the > certificate of an arbitrary server. When 127.0.0.1 was used, the > trustico.com certificate was returned. That means the local web server > was handling TLS, not a remote load balancer solution (unless somehow > 127.0.0.1 was

Re: Trustico code injection

Not in my opinion. If my house is burning, I expect someone to call the fire department even if I am not aware/convinced that the house is burning. The fact that they disabled their website is evidence that the Twitter posts were no fake. Am Donnerstag, 1. März 2018 20:53:16 UTC+1 schrieb Tim

Comodo and Trustico (was Re: Trustico code injection)

On Fri, 2 Mar 2018 16:10:52 +0900 Hector Martin 'marcan' via dev-security-policy wrote: > And what does Comodo think of all of this? I'd like to second this. When I wrote the original mail in this thread I considered adding questions to Comodo, but I