Re: 2017.08.10 Let's Encrypt Unicode Normalization Compliance Incident

2017-08-14 Thread Rob Stradling via dev-security-policy
On 11/08/17 16:40, Nick Lamb via dev-security-policy wrote: On Friday, 11 August 2017 14:19:57 UTC+1, Alex Gaynor wrote: Given that these were all caught by cablint, has Let's Encrypt considered integrating it into your issuance pipeline, or automatically monitoring crt.sh (which runs cablint)

Re: 2017.08.10 Let's Encrypt Unicode Normalization Compliance Incident

2017-08-13 Thread Peter Bowen via dev-security-policy
On Sun, Aug 13, 2017 at 5:59 PM, Matt Palmer via dev-security-policy wrote: > On Fri, Aug 11, 2017 at 06:32:11PM +0200, Kurt Roeckx via dev-security-policy > wrote: >> On Fri, Aug 11, 2017 at 11:48:50AM -0400, Ryan Sleevi via >> dev-security-policy wrote:

Re: 2017.08.10 Let's Encrypt Unicode Normalization Compliance Incident

2017-08-13 Thread Matt Palmer via dev-security-policy
On Fri, Aug 11, 2017 at 06:32:11PM +0200, Kurt Roeckx via dev-security-policy wrote: > On Fri, Aug 11, 2017 at 11:48:50AM -0400, Ryan Sleevi via dev-security-policy > wrote: > > On Fri, Aug 11, 2017 at 11:40 AM, Nick Lamb via dev-security-policy < > > dev-security-policy@lists.mozilla.org>

Re: 2017.08.10 Let's Encrypt Unicode Normalization Compliance Incident

2017-08-12 Thread Eric Mill via dev-security-policy
On Fri, Aug 11, 2017 at 5:20 PM, Matthew Hardeman via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > If one integrates a project like certlint/cablint into the cert issuance > pipeline, one suddenly takes on supplemental responsibility for certlint's > bugs or changes. >

Re: 2017.08.10 Let's Encrypt Unicode Normalization Compliance Incident

2017-08-11 Thread Matthew Hardeman via dev-security-policy
I see both sides on this matter. On the one hand, certlint/cablint catches lots of obvious problems, mostly with ridiculous certificate profiles or manual special purpose issuances. Certainly, there's a lot of bad issuance that having it in the blocking path might help with... but... If one

Re: 2017.08.10 Let's Encrypt Unicode Normalization Compliance Incident

2017-08-11 Thread Ryan Sleevi via dev-security-policy
On Fri, Aug 11, 2017 at 1:22 PM, Nick Lamb via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Friday, 11 August 2017 16:49:29 UTC+1, Ryan Sleevi wrote: > > Could you expand on this? It's not obvious what you mean. > > I guess I was unclear. My concern was that one

Re: 2017.08.10 Let's Encrypt Unicode Normalization Compliance Incident

2017-08-11 Thread Nick Lamb via dev-security-policy
On Friday, 11 August 2017 16:49:29 UTC+1, Ryan Sleevi wrote: > Could you expand on this? It's not obvious what you mean. I guess I was unclear. My concern was that one obvious way to approach this is to set things up so that after the certificate is signed, Boulder runs cablint, and if it

Re: 2017.08.10 Let's Encrypt Unicode Normalization Compliance Incident

2017-08-11 Thread Kurt Roeckx via dev-security-policy
On Fri, Aug 11, 2017 at 11:48:50AM -0400, Ryan Sleevi via dev-security-policy wrote: > On Fri, Aug 11, 2017 at 11:40 AM, Nick Lamb via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > On Friday, 11 August 2017 14:19:57 UTC+1, Alex Gaynor wrote: > > > Given that these

Re: 2017.08.10 Let's Encrypt Unicode Normalization Compliance Incident

2017-08-11 Thread Ryan Sleevi via dev-security-policy
On Fri, Aug 11, 2017 at 11:40 AM, Nick Lamb via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Friday, 11 August 2017 14:19:57 UTC+1, Alex Gaynor wrote: > > Given that these were all caught by cablint, has Let's Encrypt considered > > integrating it into your issuance

Re: 2017.08.10 Let's Encrypt Unicode Normalization Compliance Incident

2017-08-11 Thread Nick Lamb via dev-security-policy
On Friday, 11 August 2017 14:19:57 UTC+1, Alex Gaynor wrote: > Given that these were all caught by cablint, has Let's Encrypt considered > integrating it into your issuance pipeline, or automatically monitoring > crt.sh (which runs cablint) for these issues so they don't need to be > caught

Re: 2017.08.10 Let's Encrypt Unicode Normalization Compliance Incident

2017-08-11 Thread Alex Gaynor via dev-security-policy
Hi Josh, Given that these were all caught by cablint, has Let's Encrypt considered integrating it into your issuance pipeline, or automatically monitoring crt.sh (which runs cablint) for these issues so they don't need to be caught manually by researchers? Alex On Thu, Aug 10, 2017 at 11:00 PM,

2017.08.10 Let's Encrypt Unicode Normalization Compliance Incident

2017-08-10 Thread josh--- via dev-security-policy
At 11:30am PST on August 10, 2017, Let’s Encrypt was made aware of a compliance issue regarding Unicode normalization of domain names. During the same day we were made aware of the issue, all unexpired non-compliant certificates were found and revoked, a fix was applied to our CA systems, and