Re: Request to Include Microsec e-Szigno Root CA 2017 and to EV-enable Microsec e-Szigno Root CA 2009

On Monday, March 9, 2020 at 2:48:56 PM UTC-4, Kathleen Wilson wrote: > * The root contains subject L and organizationIdentifier fields which > are arguably in violation of BR 7.1.4.3 [5]. Some, if not all, of the > subCAs also exhibit this issue. Given that Mozilla explicitly encourages CAs to

Re: GoDaddy: Failure to revoke key-compromised certificate within 24 hours

On Tue, Mar 10, 2020 at 05:53:13PM -0500, Matthew Hardeman via dev-security-policy wrote: > Isn't the evident answer, if reasonable compromise is not forthcoming, just > to publish the compromised private key. There's no proof of a compromised > private key quite as good as providing a copy of

Re: ssl.com: Certificate with Debian weak key

On Tue, Mar 10, 2020 at 01:48:49PM -0700, Chris Kemmerer via dev-security-policy wrote: > We have updated https://bugzilla.mozilla.org/show_bug.cgi?id=1620772 with > the findings of our current investigation. Thanks for this update. I have... comments. Before I get into the nitty-gritty,

Re: GoDaddy: Failure to revoke key-compromised certificate within 24 hours

Isn't the evident answer, if reasonable compromise is not forthcoming, just to publish the compromised private key. There's no proof of a compromised private key quite as good as providing a copy of it. I understand the downsides, but I think that capricious burdens encourage stripping the issue

Re: ssl.com: Certificate with Debian weak key

We have updated https://bugzilla.mozilla.org/show_bug.cgi?id=1620772 with the findings of our current investigation. We believe all issues raised in this thread are addressed in this update. Our investigation is ongoing and we welcome any positive input by the community as an opportunity to

Re: GoDaddy: Failure to revoke key-compromised certificate within 24 hours

For 0% of impact the FPs do not matter that much, so agreed! Of course for now reality is not that... yet! https://github.com/certbot/certbot/issues/1028 seems so appropriate :) PS I was definitely not advocating for 5% false negative, no; we must strive for 0% false negatives as well; all I

Re: key compromise revocation methods [was: GoDaddy: Failure to revoke key-compromised certificate within 24 hours]

On Tue, Mar 10, 2020 at 05:18:51PM -0400, Ryan Sleevi via dev-security-policy wrote: > I'm sympathetic to CAs wanting to filter out the noise of shoddy reports > and shenanigans, but I'm also highly suspicious of CAs that put too > unreasonable an onus on reporters. If CAs want a 100% reliable

Re: CSRs as a means of attesting key compromise [was: GoDaddy: Failure to revoke key-compromised certificate within 24 hours]

On Tue, Mar 10, 2020 at 01:25:11PM -0700, bif via dev-security-policy wrote: > Voluntarily providing CSR is not an ideal way to prove key compromise, > because you could've simply found this CSR somewhere (I know, I know, > super unlikely with your Subject... but still could happen.) Feel free

Re: GoDaddy: Failure to revoke key-compromised certificate within 24 hours

On Tue, Mar 10, 2020 at 5:56 PM Piotr Kucharski wrote: > I'm sympathetic to CAs wanting to filter out the noise of shoddy reports >> and shenanigans, but I'm also highly suspicious of CAs that put too >> unreasonable an onus on reporters. It seems, in the key compromise case, >> the benefit of

Re: GoDaddy: Failure to revoke key-compromised certificate within 24 hours

On Tue, 10 Mar 2020 at 22:19, Ryan Sleevi wrote: > > > On Tue, Mar 10, 2020 at 4:25 PM bif via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> Matt, >> >> Voluntarily providing CSR is not an ideal way to prove key compromise, >> because you could've simply found this

Re: GoDaddy: Failure to revoke key-compromised certificate within 24 hours

On Tuesday, March 10, 2020 at 1:25:21 PM UTC-7, bif wrote: > Matt, > > Voluntarily providing CSR is not an ideal way to prove key compromise, > because you could've simply found this CSR somewhere (I know, I know, super > unlikely with your Subject... but still could happen.) > While a CSR

Re: GoDaddy: Failure to revoke key-compromised certificate within 24 hours

On Tue, Mar 10, 2020 at 4:25 PM bif via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Matt, > > Voluntarily providing CSR is not an ideal way to prove key compromise, > because you could've simply found this CSR somewhere (I know, I know, super > unlikely with your

Re: GoDaddy: Failure to revoke key-compromised certificate within 24 hours

Matt, Voluntarily providing CSR is not an ideal way to prove key compromise, because you could've simply found this CSR somewhere (I know, I know, super unlikely with your Subject... but still could happen.) And while "compromised" is way too short (one can sign up to 32 bytes using it as a

Re: Request to Include Microsec e-Szigno Root CA 2017 and to EV-enable Microsec e-Szigno Root CA 2009

Comments inline and snipped On Mon, Mar 9, 2020 at 2:48 PM Kathleen Wilson via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > ==Meh== > * Microsec issued two certificates in 2018 with 3-year validity periods [1]. > That bug, and the related discussion, discussions

RE: GlobalSign: Failure to revoke certificate with compromised private key within 24 hours

An incident report was created for this yesterday: https://bugzilla.mozilla.org/show_bug.cgi?id=1620922 > -Original Message- > From: dev-security-policy On > Behalf Of Matt Palmer via dev-security-policy > Sent: dinsdag 10 maart 2020 1:41 > To: dev-security-policy@lists.mozilla.org >