Re: Certificate with Debian weak key issued by Let's Encrypt

2017-09-18 Thread josh--- via dev-security-policy
A report regarding this incident has been published on the Let's Encrypt community site: https://community.letsencrypt.org/t/2017-09-09-late-weak-key-revocation/42519 The text is copied here: On July 16, 2017 it was reported to Let’s Encrypt by researcher Hanno Böck that it was possible to

Re: Certificate with Debian weak key issued by Let's Encrypt

2017-09-11 Thread Alex Gaynor via dev-security-policy
I'd like to push a bit harder on searching for more systemic remediations. "We forgot to get around to revoking it" is a pretty common element of CAs' post-mortems; I think it'd be good for us to dig deeper. For example, does Let's Encrypt have a runbook that gets used on misissuance reports? Is

Re: Certificate with Debian weak key issued by Let's Encrypt

2017-09-11 Thread josh--- via dev-security-policy
This was simple human error. There isn't a programmatic fix. Our team is planning to scan our database for weak keys again early this week. In any case, any weak key certs issued prior to our July 20 fix will expire in at most 37 days. On Monday, September 11, 2017 at 8:24:49 AM UTC-5, Alex

Re: Certificate with Debian weak key issued by Let's Encrypt

2017-09-09 Thread josh--- via dev-security-policy
Thank you for bringing this oversight to our attention. The certificate in question has been revoked. The original incident report from July 16 was accidentally considered closed on the basis of a fix for our infrastructure without actually revoking the certificate that led to the report.

Certificate with Debian weak key issued by Let's Encrypt

2017-09-09 Thread Hanno Böck via dev-security-policy
Hi, A while ago I tested how some CAs would react to certificate requests with Debian weak keys. I was able to get a certificate from Let's Encrypt with a Debian weak key. Here it is: https://crt.sh/?id=173588030 I reported this to Let's Encrypt. They told me that they are aware they weren't