Re: Certificate incident: private key leaked for wildcard certificate for *.sandbox.operations.dynamics.com

2017-12-09 Thread Ángel via dev-security-policy
On 2017-12-09 at 08:59 -0700, Wayne Thayer wrote: > It can be confusing even for people following these things. That's where I > think collecting problem reporting info from audited sub-CAs in CCADB would > help. > > For everyone else, finding the correct problem reporting information is > mostly

Re: Certificate incident: private key leaked for wildcard certificate for *.sandbox.operations.dynamics.com

2017-12-09 Thread Kristian Fiskerstrand via dev-security-policy
On 12/09/2017 01:50 AM, Kurt Roeckx via dev-security-policy wrote: > But it's not obvious to me who to contact to revoke a given > certificate, and it would be really useful that given a certificate > it would be obvious what to do, who to contact, to get it revoked. Could it be useful to

Re: Certificate incident: private key leaked for wildcard certificate for *.sandbox.operations.dynamics.com

2017-12-09 Thread Tom via dev-security-policy
It can be confusing even for people following these things. That's where I think collecting problem reporting info from audited sub-CAs in CCADB would help. For everyone else, finding the correct problem reporting information is mostly a matter of luck. Perhaps we should require an email address

Re: Certificate incident: private key leaked for wildcard certificate for *.sandbox.operations.dynamics.com

2017-12-09 Thread Wayne Thayer via dev-security-policy
On Sat, Dec 9, 2017 at 7:50 AM, Nick Lamb via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Sat, 9 Dec 2017 09:51:59 +0100 > Hanno Böck via dev-security-policy > wrote: > > > On Fri, 8 Dec 2017 16:43:48 -0700 > > Wayne Thayer via

Re: Certificate incident: private key leaked for wildcard certificate for *.sandbox.operations.dynamics.com

2017-12-09 Thread Nick Lamb via dev-security-policy
On Sat, 9 Dec 2017 09:51:59 +0100 Hanno Böck via dev-security-policy wrote: > On Fri, 8 Dec 2017 16:43:48 -0700 > Wayne Thayer via dev-security-policy > wrote: > > > The root CA is ultimately responsible for

Re: Certificate incident: private key leaked for wildcard certificate for *.sandbox.operations.dynamics.com

2017-12-09 Thread Hanno Böck via dev-security-policy
On Fri, 8 Dec 2017 16:43:48 -0700 Wayne Thayer via dev-security-policy wrote: > The root CA is ultimately responsible for subordinate CAs it has > signed. I see a problem with that, as this is far from obvious. If a random person discovers a problem

Re: Certificate incident: private key leaked for wildcard certificate for *.sandbox.operations.dynamics.com

2017-12-08 Thread Kurt Roeckx via dev-security-policy
On Fri, Dec 08, 2017 at 11:55:46PM +0100, Hanno Böck via dev-security-policy wrote: > So I wonder: If a CA signs an intermediate - are they responsible > making sure that reports brought to the subca are properly handled? My first reaction would be if you sign it, you take responsibility. That

Re: Certificate incident: private key leaked for wildcard certificate for *.sandbox.operations.dynamics.com

2017-12-08 Thread Wayne Thayer via dev-security-policy
On Fri, Dec 8, 2017 at 3:55 PM, Hanno Böck via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > So I wonder: If a CA signs an intermediate - are they responsible > making sure that reports brought to the subca are properly handled? > > The root CA is ultimately responsible

Certificate incident: private key leaked for wildcard certificate for *.sandbox.operations.dynamics.com

2017-12-08 Thread Hanno Böck via dev-security-policy
Hi, I guess this is of interest to the members of this list: https://www.golem.de/news/microsoft-dynamics-365-wildcard-certificate-with-a-private-key-for-everyone-1712-131544.html https://medium.com/matthias-gliwka/microsoft-leaks-tls-private-key-for-cloud-erp-product-10b56f7d648 tl;dr Microsoft