On 15/08/17 16:53, Ben Wilson wrote:
> Attached is an audit from 2016. They are due for another one for 2017.
Attachments don't appear on this list, but I have the docs. Please email
me if you'd like them. I've asked Ben to update CCADB to point to them,
and to also update any other entries where
Attached is an audit from 2016. They are due for another one for 2017.
-Original Message-
From: Gervase Markham [mailto:g...@mozilla.org]
Sent: Tuesday, August 15, 2017 6:55 AM
To: Ben Wilson ;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Certificate with invalid dnsName
ev-security-pol...@lists.mozilla.org
Subject: Re: Certificate with invalid dnsName issued from Baltimore
intermediate
Hi Ben,
On 03/08/17 14:32, Ben Wilson wrote:
> That would be fine. Also, we have given Intesa Sanpaolo a scheduled
> revocation date of 15 August 2017, and I'm wai
Hi Ben,
On 03/08/17 15:38, Ben Wilson wrote:
> Here is the response from Intesa Sanpaolo concerning the disruption that
> revocation will cause to their banking operations:
I've looked up the certs relating to this sub-CA in the CCADB. The key
in question:
https://crt.sh/?caid=1698&opt=cablint,x
Hi Ben,
On 03/08/17 14:32, Ben Wilson wrote:
> That would be fine. Also, we have given Intesa Sanpaolo a scheduled
> revocation date of 15 August 2017, and I'm waiting to hear back.
That's today; is it still the plan to revoke their intermediate?
Gerv
___
On Thu, Aug 03, 2017 at 02:38:33PM +, Ben Wilson via dev-security-policy
wrote:
> Here is the response from Intesa Sanpaolo concerning the disruption that
> revocation will cause to their banking operations:
[...]
> Concerning the CA revocation, first of all, I want to underline that for us
on
> *Cc:* Nick Lamb ; mozilla-dev-security-policy@
> lists.mozilla.org
>
> *Subject:* Re: Certificate with invalid dnsName issued from Baltimore
> intermediate
>
>
>
> If I'm reading this correctly, these certificates are for internal
> services, not publicly acc
curity-policy
Sent: Thursday, August 3, 2017 7:33 AM
To: Nick Lamb <tialara...@gmail.com>;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: Certificate with invalid dnsName issued from Baltimore
intermediat
@lists.mozilla.org] On
> Behalf Of Ben Wilson via dev-security-policy
> Sent: Thursday, August 3, 2017 7:33 AM
> To: Nick Lamb ;
> mozilla-dev-security-pol...@lists.mozilla.org
> Subject: RE: Certificate with invalid dnsName issued from Baltimore
> intermediate
>
> That wou
es+ben=digicert@lists.mozilla.org] On
Behalf Of Ben Wilson via dev-security-policy
Sent: Thursday, August 3, 2017 7:33 AM
To: Nick Lamb ;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: Certificate with invalid dnsName issued from Baltimore
intermediate
That would be fine. Also, we ha
a dev-security-policy
Sent: Wednesday, August 2, 2017 10:34 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Certificate with invalid dnsName issued from Baltimore
intermediate
On Monday, 24 July 2017 17:34:03 UTC+1, Ben Wilson wrote:
> Nick,
> We are in discussions with Intesa San
On Monday, 24 July 2017 17:34:03 UTC+1, Ben Wilson wrote:
> Nick,
> We are in discussions with Intesa Sanpaolo about implementing/pursuing
> OneCRL or a similar approach (e.g. outright revocation of the CAs).
> Thanks,
> Ben
Is there any progress on this? To be honest I was more meaning that Mozi
Nick Lamb via dev-security-policy
Sent: Sunday, July 23, 2017 2:35 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Certificate with invalid dnsName issued from Baltimore
intermediate
On Sunday, 23 July 2017 20:12:18 UTC+1, Charles Reiss wrote:
> This CA also issued a rec
On Sunday, 23 July 2017 20:12:18 UTC+1, Charles Reiss wrote:
> This CA also issued a recent certificate for the unqualified dNSName
> 'webinterfacestrong': https://crt.sh/?id=177606495
Another name that it shouldn't be possible to issue for, but this time one
which can actually exist in local n
On 07/17/2017 11:21 AM, Ben Wilson wrote:
Dear Jonathan,
Thank you for bringing this to our attention. We have contacted Intesa
Sanpaolo regarding this error and have asked them to correct it as soon as
possible.
Sincerely yours,
This CA also issued a recent certificate for the unqualified
@lists.mozilla.org] On
Behalf Of Ryan Sleevi via dev-security-policy
Sent: Tuesday, July 18, 2017 9:54 AM
To: Jakob Bohm ;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Certificate with invalid dnsName issued from Baltimore
intermediate
On Tue, Jul 18, 2017 at 8:05 AM Jakob Bohm via dev-security-policy
On 19/07/17 15:31, Jeremy Rowley via dev-security-policy wrote:
You should also filter out expired certs as they aren't usable.
I've added a 2nd tab that just shows unexpired certs. I'll also add a
column to track the revocation status of each of these certs.
I've left the expired certs in
Hi Alex. This is about issuance (mal)practices, so therefore I didn't
omit certs that are already revoked.
On 19/07/17 15:29, Alex Gaynor via dev-security-policy wrote:
I think there might be a bug in your SQL, one of the offending certs is
issued by "C=US, O=U.S. Government, OU=Department of
You should also filter out expired certs as they aren't usable.
> On Jul 19, 2017, at 8:30 AM, Alex Gaynor via dev-security-policy
> wrote:
>
> I think there might be a bug in your SQL, one of the offending certs is
> issued by "C=US, O=U.S. Government, OU=Department of Homeland Security,
> OU=
I think there might be a bug in your SQL, one of the offending certs is
issued by "C=US, O=U.S. Government, OU=Department of Homeland Security,
OU=Certification Authorities, OU=DHS CA4", who are revoked using OneCRL.
Alex
On Wed, Jul 19, 2017 at 10:08 AM, Rob Stradling via dev-security-policy <
d
Hanno Böck via dev-security-policy
writes:
>More dotdot-certificates:
Given how widespread (meaning from different CAs) these are, is there some
quirk of a widely-used resolver library that allows them? I've done a bit of
impromptu testing of various tools/bits of code but none of them seem to
On 18/07/17 16:57, Hanno Böck via dev-security-policy wrote:
(Due to limitations in the search methodology - scraping crt.sh
search results and looping through tlds - I only searched for ..tld. It
would certainly be valuable to search further.)
Here's a report of all "double dot" certs known t
On Tuesday, 18 July 2017 20:29:50 UTC+1, Jeremy Rowley wrote:
> Some of these certs are really old. Is there a reason people were using
> double dot names? Are they all mistakes in the certificate request or is
> there some logic behind them?
Unless I see good evidence to the contrary I will a
On 07/18/2017 11:57 AM, Hanno Böck wrote:
More dotdot-certificates:
[snip]
via searching censys.io:
https://crt.sh/?id=174803642
for *..syntaxafrica.com
Issued by GoDaddy in 2016; expires later this year, but revoked (CRL
timestamp says a few days after issuance)
https://crt.sh/?id=38662560
On Tue, 18 Jul 2017 21:43:28 +0200
Hanno Böck via dev-security-policy
wrote:
> It has this commonname:
> commonName= .guidedstudies.com
>
> Well... that's also not a valid hostname...
And of course it's not the only one:
https://crt.sh/?CN=.%25
(the first three seem
On Tue, 18 Jul 2017 19:29:10 +
Jeremy Rowley via dev-security-policy
wrote:
> Some of these certs are really old.
Some of them are also not so old and still valid.
All from GoDaddy:
https://crt.sh/?id=22835635
https://crt.sh/?id=8216255
This one
https://crt.sh/?id=637932
is also interestin
@lists.mozilla.org]
On Behalf Of Tom via dev-security-policy
Sent: Tuesday, July 18, 2017 12:17 PM
To: Hanno Böck ; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Certificate with invalid dnsName issued from Baltimore intermediate
The "www..*" search is also interesting, I th
The "www..*" search is also interesting, I think:
https://crt.sh/?dNSName=www..%25
crt.sh ID   Logged At    Not Before   Identity              Issuer Name
39744873    2016-10-02   2012-12-29   www..coinfling.com
38647998    2016-10-01   2011-03-24   www..altmangroup.
More dotdot-certificates:
https://crt.sh/?id=34528113
for autodiscover.amphenolcanada..com
Expired 2012
issued by Geotrust (aka symantec)
https://crt.sh/?id=3478078
for PDC-LIB-WEB1.RBI1.rbi..in
Expired 2016
issued by Institute for Development and Research in Banking Technology
https://crt.sh/?i
On Tue, Jul 18, 2017 at 8:05 AM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On 17/07/2017 21:27, Nick Lamb wrote:
> > On Monday, 17 July 2017 16:22:22 UTC+1, Ben Wilson wrote:
> >> Thank you for bringing this to our attention. We have contacted Intesa
> S
On 17/07/2017 21:27, Nick Lamb wrote:
On Monday, 17 July 2017 16:22:22 UTC+1, Ben Wilson wrote:
Thank you for bringing this to our attention. We have contacted Intesa
Sanpaolo regarding this error and have asked them to correct it as soon as
possible.
"Correcting" the error is surely the s
> On Jul 17, 2017, at 15:27, Nick Lamb via dev-security-policy
> wrote:
>
> On Monday, 17 July 2017 16:22:22 UTC+1, Ben Wilson wrote:
>> Thank you for bringing this to our attention. We have contacted Intesa
>> Sanpaolo regarding this error and have asked them to correct it as soon as
>> po
On Monday, 17 July 2017 16:22:22 UTC+1, Ben Wilson wrote:
> Thank you for bringing this to our attention. We have contacted Intesa
> Sanpaolo regarding this error and have asked them to correct it as soon as
> possible.
"Correcting" the error is surely the smaller of the two tasks ahead.
This
-policy
[mailto:dev-security-policy-bounces+ben=digicert@lists.mozilla.org] On
Behalf Of Jonathan Rudenberg via dev-security-policy
Sent: Monday, July 17, 2017 9:15 AM
To: dev-security-policy@lists.mozilla.org
Subject: Certificate with invalid dnsName issued from Baltimore intermediate
This
This certificate, issued by “Intesa Sanpaolo CA Servizi Esterni Enhanced” which
chains up to a Baltimore CyberTrust root, contains an invalid dnsName of
“www.intesasanpaolovita..biz” (note the two dots):
https://crt.sh/?q=2B95B474A2646CA28DC244F1AE829C850EA41CF64C75E11A94FE8D228735977B&opt=cabl