On Fri, 16 Feb 2018 11:28:41 +
Arkadiusz Ławniczak via dev-security-policy
wrote:
> The issue was caused by incorrect calculation of the SHA1
> fingerprint of the public key. Public key hashes stored in Certum's
> database were calculated from the
Subject: Certificates with 2008 Debian weak key bug
Hi,
I searched crt.sh for valid certificates vulnerable to the 2008 Debian weak key
bug. (Only 2048 bit.)
Overall I found 5 unexpired certificates.
Two certificates by Certum (reported on Saturday, Certum told me "
On 6/02/2018 17:10, Ryan Sleevi wrote:
The BRs actually seem to allow this, which at least looks like a bug in
the BRs to me.
It is allowed, and it's not a bug. It's specifically called out in 3.2.2 of
the BRs.
It seems that under 3.2.2.3 (b) they can just copy the ccTLD from the
domain
On Tue, Feb 6, 2018 at 10:48 AM, Kurt Roeckx via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On 5/02/2018 17:08, Hanno Böck wrote:
>
>> https://crt.sh/?id=308392091=ocsp
>>
>
> It has:
> Subject:
> commonName= ftp.gavdi.pl
>
On 5/02/2018 17:08, Hanno Böck wrote:
https://crt.sh/?id=308392091=ocsp
It has:
Subject:
commonName= ftp.gavdi.pl
countryName = PL
This looks like a combination that's not allowed. Either it's domain
validated, in which case it should
On Mon, Feb 5, 2018 at 4:33 PM, Alex Cohn via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> I logged two of those five certificates (https://crt.sh/?id=308392091
> and https://crt.sh/?id=307753186) to Argon, as part of a project to
> log every certificate in the censys.io
I logged two of those five certificates (https://crt.sh/?id=308392091
and https://crt.sh/?id=307753186) to Argon, as part of a project to
log every certificate in the censys.io database to a public CT log. I
believe Censys found them by scanning all of IPv4 and grabbing the
default (i.e. no SNI)
On Mon, 5 Feb 2018 12:07:06 -0500
Eric Mill via dev-security-policy
wrote:
> WoSign and StartCom are untrusted, but Certum is still trusted, right?
Yes.
In case that was unclear: The sentence "As we all know these are no
longer trusted by Mozilla, ..."
I have filed https://bugzilla.mozilla.org/show_bug.cgi?id=1435770
requesting an incident report from Certum.
On Mon, Feb 5, 2018 at 10:07 AM, Eric Mill via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> WoSign and StartCom are untrusted, but Certum is still trusted, right?
WoSign and StartCom are untrusted, but Certum is still trusted, right?
On Mon, Feb 5, 2018 at 11:08 AM, Hanno Böck via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Hi,
>
> I searched crt.sh for valid certificates vulnerable to the 2008 Debian
> weak key bug. (Only 2048
Hi,
I searched crt.sh for valid certificates vulnerable to the 2008 Debian
weak key bug. (Only 2048 bit.)
Overall I found 5 unexpired certificates.
Two certificates by Certum (reported on Saturday, Certum told me "We
have taken necessary steps to clarify this situation as soon as
possible",