On 07/17/2017 11:21 AM, Ben Wilson wrote:
Dear Jonathan,
Thank you for bringing this to our attention. We have contacted Intesa
Sanpaolo regarding this error and have asked them to correct it as soon as
possible.
Sincerely yours,
This CA also issued a recent certificate for the unqualified
On 07/19/2017 06:03 PM, Tom wrote:
Following that discovery, I've searched for odd (invalid?) DNS names.
Here is the list of certificates I've found; it may overlap some
discovery already reported.
If I'm correct, these certificates are not revoked, not expired, and
probably trusted by Mozilla (c
On 07/19/2017 05:10 AM, Aaron Wu wrote:
- Tunisian Server Certificate Authority - TunServerCA2
https://crt.sh/?id=79470561&opt=cablint is a certificate for the
internal name 'adv-mail.calladvance.local' issued by this CA with a
notBefore of 2017.
On 07/19/17 05:10, Aaron Wu wrote:
- Tunisian Server Certificate Authority - TunServerCA2
https://crt.sh/?id=21813439 is a certificate issued by this CA which has
a domain name in the common name but only an email address in the SAN.
(The certificate has TLS server/client usage EKUs.)
htt
https://crt.sh/?id=174827359 is a certificate issued by D-TRUST SSL
Class 3 CA 1 2009 containing the DNS SAN
'www.lbv-gis.brandenburg.de/lbvagszit' (containing a '/') with a
notBefore in April 2017.
The certificate also seems to have a short certificate serial number,
which cannot include 64
On 07/18/2017 11:57 AM, Hanno Böck wrote:
More dotdot-certificates:
[snip]
via searching censys.io:
https://crt.sh/?id=174803642
for *..syntaxafrica.com
Issued by GoDaddy in 2016; expires later this year, but revoked (CRL
timestamp says a few days after issuance)
https://crt.sh/?id=38662560
Symantec has disclosed several subCAs via Salesforce and indicated that
these subCAs have the same audit as their parent, however the audit
statement they link
(https://cert.webtrust.org/SealFile?seal=1565&file=pdf) has a table of
"In-Scope CAs" which does not appear to include the following su
On 05/16/16 12:22, Richard Z wrote:
On Sun, May 15, 2016 at 05:43:39PM -0700, Peter Bowen wrote:
Some CAs may choose to not issue to sites known to inject malware, but
this is outside the scope of the SSL requirements. The EV Guidelines are
very clear that the reputation and actions of the Subject
On 04/13/16 20:32, Kathleen Wilson wrote:
All,
I have added links to reports of the responses to the March 2016 CA
Communication survey:
https://wiki.mozilla.org/CA:Communications#March_2016_Responses
For question 1a, TeliaSonera indicated "2015 Oct 20", but the following
SHA-1 server certif
On 04/13/16 20:32, Kathleen Wilson wrote:
All,
I have added links to reports of the responses to the March 2016 CA
Communication survey:
https://wiki.mozilla.org/CA:Communications#March_2016_Responses
For the responses to Question 1a:
DocuSign (OpenTrust/Keynectis) indicated 2015 Dec 31 but
On 04/13/16 23:12, Kathleen Wilson wrote:
> Request to enable EV for VeriSign Class 3 G4 ECC root
>
> This request by Symantec is to enable EV treatment for the "VeriSign
> Class 3 Public Primary Certification Authority - G4" root certificate
> that was included via bug #409235, and has all three
On 03/30/16 20:53, Jeremy Rowley wrote:
> I think a required move away from SHA1 client certs requires a bit
> more planning.
>
> 1) There hasn't been a formal deprecation of all SHA-1 certificates
> in any root store policy. There has been a formal deprecation by the
> CAB Forum of SHA1 server ce
On 03/22/16 16:33, kwil...@mozilla.com wrote:
> The following 'ACTION #1c' has been added to the communication, which
> is here: https://wiki.mozilla.org/CA:Communications#March_2016 and
> click on "Link to DRAFT of March 2016 CA Communication".
With the current wordings of #1a and #1b, if
- a CA
On 03/16/16 17:48, kwil...@mozilla.com wrote:
> On Wednesday, March 16, 2016 at 6:03:26 AM UTC-7, Jakob Bohm wrote:
>> On 16/03/2016 00:27, Charles Reiss wrote:
>>> On 03/15/16 22:43, kwilson wrote:
>>>> ACTION #1a: As previously communicated, CAs should n
On 03/15/16 22:43, kwil...@mozilla.com wrote:
> On Monday, March 14, 2016 at 5:28:32 PM UTC-7, Charles Reiss wrote:
>>> ACTION #1a: As previously communicated, CAs should no longer be
>>> issuing SHA-1 certificates chaining up to root certificates
>>> included in Mo
On 03/10/16 23:43, kwil...@mozilla.com wrote:
[snip]
> Regards,
>
> Kathleen Wilson Mozilla CA Program Manager
>
> ACTION #1a: As previously communicated, CAs should no longer be
> issuing SHA-1 certificates chaining up to root certificates included
> in Mozilla's CA Certificate Program. Check yo
On 03/03/16 19:48, Ryan Sleevi wrote:
> On Thursday, March 3, 2016 at 9:20:07 AM UTC-8, Andrew Ayer wrote:
>> It's also troubling that a CA may be allowed to continue issuing
>> non-serverAuth certs with SHA-1 from an issuer that is also used
>> for serverAuth certs. Again, a collision attack cou
On 02/23/16 18:57, Gervase Markham wrote:
[snip]
> Symantec may issue certificates to Worldpay if the following things are
> true:
Based on what's happened with MD5 certificates, it seems the main risk
of harm comes from something like a chosen-prefix collision attack using
a specially constructed
On 02/18/16 21:40, Erwann Abalea wrote:
> Good evening,
>
> On Wednesday, 10 February 2016 00:15:11 UTC+1, Charles Reiss wrote:
>> On 02/09/16 20:07, Kathleen Wilson wrote:
>>> This request by DocuSign (OpenTrust/Keynectis/Certplus) is to
>>> include the followi
On 02/09/16 20:07, Kathleen Wilson wrote:
> This request by DocuSign (OpenTrust/Keynectis/Certplus) is to include
> the following root certificates, turn on the Websites and Email trust
> bits for all of them, and enable EV treatment for all of them. These new
> certs will eventually replace the ‘C
On 02/12/16 14:26, Christoph Klein wrote:
> Dear All!
>
> Thank you for contributing to our discussion and illustrating some
> existing problems with our certificates. I would like to address the
> stated points separately.
[snip]
> * 20 Bits of Entropy: the Serialnumber included in the Subject of o
On 02/09/16 01:22, Kathleen Wilson wrote:
> This request is to include the ‘A-Trust-Root-05’ root certificate, turn
> on the Websites trust bit, and enable EV treatment. This new root
> certificate will replace the ‘A-Trust-nQual-03’ root certificate that
> was included via Bugzilla Bug #530797. Th
On 02/05/16 21:14, Ben Wilson wrote:
> Aren't all of these CA certificates?
The links in the '#' column are to lists of BR-noncompliant
certificates; the links in the 'Issuer Name' column are to information
about the issuing DN+public key of those certificates.
>
> -Original Message-
> F
On 02/05/16 20:13, martin.suc...@gmail.com wrote:
> Here's a list of all certificates with SHA-1 signatures and notBefore >=
> 2016-01-01, logged in the Certificate Transparency Log:
> https://crt.sh/?cablint=211&minNotBefore=2016-01-01
Some notes on how these look as of now. The listed subCA CNs
On 01/19/16 01:49, Charles Reiss wrote:
> Via censys.io, I found a couple SHA-1 certs with notBefore dates from this
> year
> which chain to root CAs in Mozilla's program:
[snip]
and even more, from different subCAs than have come up yet:
- https://crt.sh/?id=12501241&opt=ca
we communicate that we have revoked the certificate referred to
> https://crt.sh/?id=
>
> -Original Message-
> From: Ben Wilson
> Sent: Monday, January 25, 2016 10:08 AM
> To: 'Charles Reiss' ;
> mozilla-dev-security-pol...@lists.mozilla.org
> Subject:
On 01/19/16 01:49, Charles Reiss wrote:
> Via censys.io, I found a couple SHA-1 certs with notBefore dates from this
> year
> which chain to root CAs in Mozilla's program:
[snip]
And here are a couple more, from different subCAs:
- https://crt.sh/?id=12131821 -- chaining to De
On 01/19/16 01:49, Charles Reiss wrote:
> Via censys.io, I found a couple SHA-1 certs with notBefore dates from this
> year
> which chain to root CAs in Mozilla's program:
>
> - https://crt.sh/?id=12089828 -- chains to Baltimore CyberTrust Root
> [DigiCert]
> via sub
On 01/19/16 11:49, Jakob Bohm wrote:
> On 19/01/2016 02:49, Charles Reiss wrote:
>> Via censys.io, I found a couple SHA-1 certs with notBefore dates from this
>> year
>> which chain to root CAs in Mozilla's program:
>>
>> - https://crt.sh/?id=12089828
On 01/19/16 03:37, Charles Reiss wrote:
> On 01/19/16 03:23, Kurt Roeckx wrote:
>> On Tue, Jan 19, 2016 at 01:49:21AM +, Charles Reiss wrote:
>>> Via censys.io, I found a couple SHA-1 certs with notBefore dates from this
>>> year
>>> which chain to root CA
On 01/19/16 03:23, Kurt Roeckx wrote:
> On Tue, Jan 19, 2016 at 01:49:21AM +0000, Charles Reiss wrote:
>> Via censys.io, I found a couple SHA-1 certs with notBefore dates from this
>> year
>> which chain to root CAs in Mozilla's program:
>
> I also have som
Via censys.io, I found a couple SHA-1 certs with notBefore dates from this year
which chain to root CAs in Mozilla's program:
- https://crt.sh/?id=12089828 -- chains to Baltimore CyberTrust Root [DigiCert]
via subCA "Eurida Primary CA" via subCA "DnB NOR ASA PKI Class G"
Also, the OCSP responder
On 12/15/15 01:48, Peter Bowen wrote:
> On Mon, Dec 14, 2015 at 5:39 PM, Kathleen Wilson wrote:
>>
>> Another thing to consider in updating the policy is in regards to test
>> certificates versus certificates issued to customers.
>> e.g. Does the disclosure need to happen before test certificates
On 12/14/15 19:56, Eli Spitzer wrote:
> On Monday, December 14, 2015 at 8:59:03 PM UTC+2, Charles Reiss wrote:
>> On 12/14/15 17:56, Eli Spitzer wrote:
>>> The SubCA "Comsign Ev SSL CA" is at its initial development stages. It
>>> was indeed created under "
On 12/14/15 17:56, Eli Spitzer wrote:
> The SubCA "Comsign Ev SSL CA" is at its initial development stages. It was
> indeed created under "Comsign Global Root CA", but so far we only issued a
> handful of test certificates from it. We have no plans to issue public
> certificates from it at the mome
On 12/10/15 20:01, Kathleen Wilson wrote:
> This request is to include the "ComSign Global Root CA" root certificate, and
> enable the Websites and Email trust bits. This root will eventually replace
> the
> "ComSign CA" root certificate that is currently included in NSS, and was
> approved in bug
On 11/19/15 23:09, Kathleen Wilson wrote:
> By the time version 2.3 of Mozilla’s CA Cert Policy is published, I hope to
> have
> issued a CA Community License to every included CA. Taking that into
> consideration; I propose changing the policy as follows.
>
[snip]
>
> As always, I will apprecia
On 11/04/15 00:24, Kathleen Wilson wrote:
> Topic to discuss [1]:
> “(D3) Make the timeline clear about when the audit statements and disclosure
> has
> to happen for new audited/disclosed subCAs.
>
> Section 10 of the Inclusion Policy says:
> https://www.mozilla.org/en-US/about/governance/polici
On 10/28/15 21:30, Kathleen Wilson wrote:
> On 10/28/15 2:14 PM, Kathleen Wilson wrote:
>> Google has blogged about this:
>>
>> https://googleonlinesecurity.blogspot.com/2015/10/sustaining-digital-certificate-security.html
>>
>>
>
> All,
>
> We should discuss what actions Mozilla should require o
On 10/26/15 15:57, rafa...@gmail.com wrote:
> On Wednesday, 21 October 2015, 22:43:15 (UTC+2), Charles Reiss
> wrote:
>> On 10/21/15 19:17, Kathleen Wilson wrote:
>>
>>
>> What are the apparent subCAs with CNs 'AC FNMT Usuarios'
>> [h
On 10/23/15 08:10, almo...@gmail.com wrote:
> On Wednesday, 21 October 2015, 22:43:15 (UTC+2), Charles Reiss
> wrote:
>> On 10/21/15 19:17, Kathleen Wilson wrote:
>>> FNMT has applied to include the "AC RAIZ FNMT-RCM" root certificate and
>>
On 10/21/15 19:17, Kathleen Wilson wrote:
> FNMT has applied to include the “AC RAIZ FNMT-RCM” root certificate and enable
> the Websites trust bit.
[snip]
> * CA Hierarchy
>
> ** This root has internally-operated subordinate CAs
> - “AC Componentes Informáticos” issues certificates for SSL Ser
On 10/13/15 18:46, Kathleen Wilson wrote:
> In September of this year, the CA Symantec revealed[0] that they had
> mis-issued
> a number of certificates for domains that they did not own or control, for
> testing purposes. After an “exhaustive review”, they issued a Final Report[1]
> which documen
On 03/26/15 09:02, Anyin wrote:
> Regarding this Incident,
>
>
>
> 1, We prompt to response to Microsoft and Apple, and actively send incident
> report and CRL to Mozilla ASAP. We request MCS to take steps do more
> investigate. Quoting MCS report as following,
>
> “ MCS had received the Su
On 03/23/15 22:47, Richard Barnes wrote:
> Dear dev.security.policy,
>
> It has been discovered that an intermediate CA under the CNNIC root has
> mis-issued certificates for some Google domains. Full details can be found
> in blog posts by Google [0] and Mozilla [1]. We would like to discuss wh
On 12/10/13 8:39 , Jan Schejbal wrote:
> On 2013-12-10 16:18, Rob Stradling wrote:
>>
>> The larger file with more info is here...
>> https://sslanalyzer.comodoca.com/igca_server_certs.zip
>
> Thanks, very nice!
>
> These look interesting:
>
> 8f5d29f6ae0f6aa472268de463dd2e397ddd1b50
> 1972268
On 12/10/13 7:18 , Rob Stradling wrote:
> On 10/12/13 14:46, Rob Stradling wrote:
>
>> I tried to send a larger file just now (with more info), but I'd
>> forgotten that this list has a 40KB limit on attachments.
>
> The larger file with more info is here...
> https://sslanalyzer.comodoca.com/igc