D-TRUST: incorrect precertificate

2019-07-05 Thread Enrico Entschew via dev-security-policy
1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date. 2019-07-05, 04:29 UTC: Internal quality assurance noticed the e

Re: Incident report D-TRUST: syntax error in one tls certificate

2018-11-27 Thread Enrico Entschew via dev-security-policy
We acknowledge that this mis-issuance is caused by technical and organizational issues which we will improve as fast as possible. We do realize that the importance of timely revocation of certificates for the WebPKI environment is not fully understood by our customers. As additional measures

Re: Incident report D-TRUST: syntax error in one tls certificate

2018-11-27 Thread Enrico Entschew via dev-security-policy
On Monday, 26 November 2018 18:34:38 UTC+1, Jakob Bohm wrote: > In addition to this, would you add the following: > > - Daily checks of crt.sh (or some other existing tool) if > additional such certificates are erroneously issued before > the automated countermeasures are in place? Thank y

Incident report D-TRUST: syntax error in one tls certificate

2018-11-23 Thread Enrico Entschew via dev-security-policy
This post links to https://bugzilla.mozilla.org/show_bug.cgi?id=1509512 syntax error in one tls certificate 1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or

Re: Policy 2.6 Proposal: Add prohibition on CA key generation to policy

2018-04-30 Thread Enrico Entschew via dev-security-policy
On Monday, 30 April 2018 08:25:39 UTC+2, Buschart, Rufus wrote: > ---=== Intern ===--- > Hello! > > I would like to suggest to rephrase the central sentence a little bit: > > Original: > > CAs MUST NOT distribute or transfer certificates in PKCS#12 form through > insecure electronic channels.

Re: Policy 2.6 Proposal: Add prohibition on CA key generation to policy

2018-04-27 Thread Enrico Entschew via dev-security-policy
I suggest making the requirement "* The PKCS#12 file must have a sufficiently secure password, and the password must be transferred via a separate channel than the PKCS#12 file." binding for both transfer methods and not be limited to physical data storage. Otherwise I agree with this proposal.

Re: D-Trust certificates with ROCA fingerprints

2017-10-19 Thread Enrico Entschew via dev-security-policy
Hi all, a list of certificates showing a ROCA fingerprint was posted by Rob Stradling at Mozilla.dev.security.policy on 2017/10/18, available at https://misissued.com/batch/28/. This contains, among other certificates, a number of D-Trust related certificates that all show a ROCA fingerprint. A