RE: Arabtec Holding public key? [Weird Digicert issued cert]

2019-04-12 Thread Jeremy Rowley via dev-security-policy
Unfortunately yes. We plan on updating our CPS and bringing it up with our auditors during this audit, who are on-site next week. From: Wayne Thayer Sent: Friday, April 12, 2019 11:30 AM To: Jeremy Rowley Cc: Jakob Bohm ; mozilla-dev-security-policy Subject: Re: Arabtec Holding public

Re: Arabtec Holding public key? [Weird Digicert issued cert]

2019-04-12 Thread Wayne Thayer via dev-security-policy
Jeremy: do you consider the fact that DigiCert signed certs without proof of private key possession to have been a violation of its CPS? On Fri, Apr 12, 2019 at 10:04 AM Jeremy Rowley wrote: > The net result was some people created private certs with our root cert > public key. We signed new

RE: Arabtec Holding public key? [Weird Digicert issued cert]

2019-04-12 Thread Jeremy Rowley via dev-security-policy
The net result was some people created private certs with our root cert public key. We signed new certs using that public key after verifying domain control. We saw the process happen a few times but didn't worry about it too much as the requesters didn't control the private key. We ended up

RE: Arabtec Holding public key? [Weird Digicert issued cert]

2019-04-12 Thread Jeremy Rowley via dev-security-policy
I don't mind filling in details. We have a system that permits creation of certificates without a CSR that works by extracting the key from an existing cert, validating the domain/org information, and creating a new certificate based on the contents of the old certificate. The system was

Re: Arabtec Holding public key? [Weird Digicert issued cert]

2019-04-12 Thread Wayne Thayer via dev-security-policy
It's not clear that there is anything for DigiCert to respond to. Are we asserting that the existence of this Arabtec certificate is proof that DigiCert violated section 3.2.1 of their CPS? - Wayne On Thu, Apr 11, 2019 at 6:57 PM Jakob Bohm via dev-security-policy <

Re: Entropy of certificate serial number

2019-04-12 Thread xipki via dev-security-policy
Thanks for the detailed declaration. I did not consider that the serialNumber is in the very first block of hash input.