Re: Applicability of SHA-1 Policy to Timestamping CAs

On 25/03/2019 23:42, Wayne Thayer wrote: > My general sense is that we should be doing more to discourage the use of > SHA-1 rather than less. I've just filed an issue [1] to consider a ban on > SHA-1 S/MIME certificates in the future. > > On Mon, Mar 25, 2019 at 10:54 AM Jakob Bohm via

Re: CA-issued certificates for publicly-available private keys VU#553544

Thank you for the report Will and for the tracking info Rob. It appears that all but one of these certificates is currently revoked, but roughly 5 more weren't revoked until earlier today, which I assume was more than 24 hours since they were reported to the CA. Will: can you share an

Re: GRCA Incident: BR Compliance and Document Signing Certificates

On Mon, Mar 25, 2019 at 5:30 PM Matthew Hardeman via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > My ultimate intent was to try to formulate a way in which GRCA could > provide certificates for the applications that they're having to support > for their clients today

Re: Applicability of SHA-1 Policy to Timestamping CAs

My general sense is that we should be doing more to discourage the use of SHA-1 rather than less. I've just filed an issue [1] to consider a ban on SHA-1 S/MIME certificates in the future. On Mon, Mar 25, 2019 at 10:54 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org>

Re: Survey of (potentially noncompliant) Serial Number Lengths

On 18/03/2019 21:11, Hector Martin 'marcan' wrote: > On 19/03/2019 02.17, Rob Stradling via dev-security-policy wrote: >> On 18/03/2019 17:05, Kurt Roeckx wrote: >>> On Mon, Mar 18, 2019 at 03:30:37PM +, Rob Stradling via >>> dev-security-policy wrote: When a value in column E is

Re: GRCA Incident: BR Compliance and Document Signing Certificates

On 25/03/2019 22:29, Matthew Hardeman wrote: On Mon, Mar 25, 2019 at 3:03 PM Ryan Hurst via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: While it may be true that the certificates in question do not contain SANs, unfortunately, the certificates may still be trusted for

Re: GRCA Incident: BR Compliance and Document Signing Certificates

On Mon, Mar 25, 2019 at 3:03 PM Ryan Hurst via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > While it may be true that the certificates in question do not contain > SANs, unfortunately, the certificates may still be trusted for SSL since > they do not have EKUs. > > For an

Re: GRCA Incident: BR Compliance and Document Signing Certificates

On 25/3/2019 10:48 μ.μ., Wayne Thayer via dev-security-policy wrote: I agree with Ryan on this. From a policy perspective, we should be encouraging [and eventually requiring] EKU constraints, not making it easier to exclude them. I was merely copying parts of the existing policy related to

Re: GRCA Incident: BR Compliance and Document Signing Certificates

I agree with Ryan on this. From a policy perspective, we should be encouraging [and eventually requiring] EKU constraints, not making it easier to exclude them. On Mon, Mar 25, 2019 at 1:03 PM Ryan Hurst via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > While it may be

Re: GRCA Incident: BR Compliance and Document Signing Certificates

While it may be true that the certificates in question do not contain SANs, unfortunately, the certificates may still be trusted for SSL since they do not have EKUs. For an example see "The most dangerous code in the world: validating SSL certificates in non-browser software" which is

Re: Applicability of SHA-1 Policy to Timestamping CAs

On 23/03/2019 02:03, Wayne Thayer wrote: > On Fri, Mar 22, 2019 at 6:54 PM Peter Bowen wrote: > >> >> >> On Fri, Mar 22, 2019 at 11:51 AM Wayne Thayer via dev-security-policy < >> dev-security-policy@lists.mozilla.org> wrote: >> >>> I've been asked if the section 5.1.1 restrictions on SHA-1

Kamu SM: Information about non-compliant serial numbers

As a preliminary note, Kamu SM would like to express that the only affected 2 certificates are the test certificates issued to our own domains in order to fulfill the related requirement of Mozilla Root Inclusion Request. 1. How your CA first became aware of the problem (e.g. via a problem

Re: CA-issued certificates for publicly-available private keys VU#553544

I've just created a batch for this list on the Revocation Tracker: https://misissued.com/batch/47/ On 22/03/2019 19:05, CERT Coordination Center via dev-security-policy wrote: > Hi folks, > > I'm sharing this information with this list per suggestion of Hanno > Böck. Some time ago we started

Re: GRCA Incident: BR Compliance and Document Signing Certificates

On 17/3/2019 1:54 π.μ., Matthew Hardeman via dev-security-policy wrote: While sending a message that non-compliance could result in policy change is generally a bad idea, I did notice something about the profile of the non-compliant certificate which gave me pause: None of the example

Re: CFCA certificate with invalid domain

On Mon, Mar 25, 2019 at 12:05:44AM -0700, jonathansshn--- via dev-security-policy wrote: > 在 2019年2月27日星期三 UTC+8下午11:28:00，michel.le...@gmail.com写道： > > I noticed this certificate > > https://crt.sh/?id=1231965201=cablint,x509lint,zlint that has an > > invalid domain `mail.xinhua08.con` in SANs.

Re: CFCA certificate with invalid domain

在 2019年2月27日星期三 UTC+8下午11:28:00，michel.le...@gmail.com写道： > Hello, > > I noticed this certificate > https://crt.sh/?id=1231965201=cablint,x509lint,zlint that has an invalid > domain `mail.xinhua08.con` in SANs. This looks like a typo and > `mail.xinhua08.com` is present in other certificates.