Re: localhost.megasyncloopback.mega.nz private key in client

2018-08-08 Thread Alex Cohn via dev-security-policy
On Wed, Aug 8, 2018 at 9:17 AM Hanno Böck wrote:
>
> As of today this is still unrevoked:
> https://crt.sh/?id=630835231=ocsp
>
> Given Comodo's abuse contact was CCed in this mail I assume they knew
> about this since Sunday. Thus we're way past the 24 hours in which they
> should revoke it.
>
>

Re: AC Camerfirma's organizationName too long incident report

2018-08-08 Thread Wayne Thayer via dev-security-policy
Thank you for the incident report, Juan. I created https://bugzilla.mozilla.org/show_bug.cgi?id=1481862 to track this issue. Please update the bug as action items are completed.

On Wed, Aug 8, 2018 at 8:41 AM Ryan Sleevi via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>

Re: AC Camerfirma's organizationName too long incident report

2018-08-08 Thread Ryan Sleevi via dev-security-policy
On Wed, Aug 8, 2018 at 8:13 AM, Juan Angel Martin via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Hello,
>
> We detected 5 certificates issued with ERROR: organizationName too long
> (X.509 lint)
>
> 1. How your CA first became aware of the problem (e.g. via a problem
>

Re: Telia CA - incorrect OID value

2018-08-08 Thread Ryan Sleevi via dev-security-policy
Thanks! I think this is more in line with the goal of these discussions - trying to learn, share, and disseminate best practices. Here, the best practice is that, prior to any configuration, the CA should determine what the 'model' certificate should look like. This model certificate is, in

Re: localhost.megasyncloopback.mega.nz private key in client

2018-08-08 Thread Hanno Böck via dev-security-policy
On Sun, 5 Aug 2018 15:23:42 -0500 Alex Cohn via dev-security-policy wrote:
> The certificate [1] in the GitHub link you posted was issued by
> Comodo, not by GeoTrust. The two share a private key, though, so both
> the Comodo and GeoTrust certs should be considered compromised at
> this point.

AC Camerfirma's organizationName too long incident report

2018-08-08 Thread Juan Angel Martin via dev-security-policy
Hello,

We detected 5 certificates issued with ERROR: organizationName too long (X.509 lint)

1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal

Re: Telia CA - incorrect OID value

2018-08-08 Thread pekka.lahtiharju--- via dev-security-policy
Telia got a serious lesson with this incident that should not have happened. An important detail to know is that certificates were not issued to the wrong entities, and issuing new certificates with the wrong OID field was prevented immediately.

1) Telia has a development process with multiple steps