On Fri, 16 Feb 2018 11:28:41 +
Arkadiusz Ławniczak via dev-security-policy
wrote:
> The issue was caused by incorrect calculation of the SHA1
> fingerprint of the public key. Public key hashes stored in Certum's
> database were calculated from the Modulo key value with the Modulus
> prefix
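The point behind that explanation is that a weak-key blacklist lookup only works if the hash is computed over exactly the byte string the blacklist was built from. The following is an added example, not code from this thread, from Certum or from Debian: it compares the blacklist identifier form Debian's openssl-blacklist package uses (the last 20 hex characters of SHA-1 over the literal `Modulus=<HEX>` line that `openssl rsa -noout -modulus` prints, including the trailing newline) with a "public key hash" taken over the bare modulus bytes, and shows that the bare-modulus form and other near-miss encodings never match. The description of the Debian format and the constructed sample modulus are this example's assumptions; the sample is a deterministic placeholder, not a real key and not a weak key.

```python
"""Debian weak-key blacklist lookups: hash the exact bytes the blacklist used.
Added example; not code from the mailing-list thread, Certum or Debian."""
import hashlib

# Constructed, deterministic 2048-bit odd integer standing in for an RSA modulus.
# It is NOT a real key and NOT a Debian weak key; it only exercises the hashing.
SAMPLE_MODULUS = (
    int.from_bytes(hashlib.sha256(b"constructed sample modulus").digest() * 8, "big")
    | (1 << 2047)  # force exactly 2048 bits
    | 1            # force odd, as a real modulus would be
)


def openssl_modulus_line(n: int) -> bytes:
    """The line `openssl rsa -noout -modulus` / `openssl x509 -noout -modulus`
    prints: 'Modulus=' + upper-case hex + newline (assumed format)."""
    return f"Modulus={n:X}\n".encode("ascii")


def debian_blacklist_id(n: int) -> str:
    """Blacklist identifier as the Debian openssl-blacklist tooling computes it
    (assumption): last 80 bits, i.e. last 20 hex chars, of SHA-1 over that line."""
    return hashlib.sha1(openssl_modulus_line(n)).hexdigest()[-20:]


def bare_modulus_sha1(n: int) -> str:
    """SHA-1 over the big-endian modulus bytes only, no prefix, no newline.
    Looks like a reasonable 'public key hash' but is unrelated to the blacklist."""
    nbytes = (n.bit_length() + 7) // 8
    return hashlib.sha1(n.to_bytes(nbytes, "big")).hexdigest()


def is_weak(n: int, blacklist: set) -> bool:
    """Correct lookup: same input encoding as the blacklist builder."""
    return debian_blacklist_id(n) in blacklist


def demo() -> dict:
    # Pretend the constructed modulus is a known weak key by inserting its
    # correctly computed identifier into a blacklist.
    blacklist = {debian_blacklist_id(SAMPLE_MODULUS)}
    # Near-miss encodings of the same modulus: lower-case hex, missing newline,
    # and the bare modulus bytes. None of them hit the blacklist.
    lower = hashlib.sha1(f"Modulus={SAMPLE_MODULUS:x}\n".encode()).hexdigest()[-20:]
    no_nl = hashlib.sha1(f"Modulus={SAMPLE_MODULUS:X}".encode()).hexdigest()[-20:]
    bare = bare_modulus_sha1(SAMPLE_MODULUS)[-20:]
    return {
        "correct_lookup": is_weak(SAMPLE_MODULUS, blacklist),
        "bare_modulus_lookup": bare in blacklist,
        "lowercase_hex_lookup": lower in blacklist,
        "missing_newline_lookup": no_nl in blacklist,
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {hit}")
```

When auditing a CA or key store for this class of bug, check the hashing routine against one known-weak test vector from the published blacklist rather than trusting that a column named "SHA1 fingerprint" was computed over the right bytes.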
PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Certificates with 2008 Debian weak key bug
Hi,
I searched crt.sh for valid certificates vulnerable to the 2008 Debian weak key
bug. (Only 2048 bit.)
Overall I found 5 unexpired certificates.
Two certificates by Certum (reported on
On 6/02/2018 17:10, Ryan Sleevi wrote:
The BRs actually seem to allow this, which at least looks like a bug in
the BRs to me.
It is allowed, and it's not a bug. It's specifically called out in 3.2.2 of
the BRs.
It seems that under 3.2.2.3 (b) they can just copy the ccTLD from the
domain name
On Tue, Feb 6, 2018 at 10:48 AM, Kurt Roeckx via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On 5/02/2018 17:08, Hanno Böck wrote:
>
>> https://crt.sh/?id=308392091&opt=ocsp
>>
>
> It has:
> Subject:
> commonName= ftp.gavdi.pl
> co
On 5/02/2018 17:08, Hanno Böck wrote:
https://crt.sh/?id=308392091&opt=ocsp
It has:
Subject:
commonName= ftp.gavdi.pl
countryName = PL
This looks like a combination that's not allowed. Either it's domain
validated, in which case it should
On Mon, Feb 5, 2018 at 4:33 PM, Alex Cohn via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> I logged two of those five certificates (https://crt.sh/?id=308392091
> and https://crt.sh/?id=307753186) to Argon, as part of a project to
> log every certificate in the censys.io d
I logged two of those five certificates (https://crt.sh/?id=308392091
and https://crt.sh/?id=307753186) to Argon, as part of a project to
log every certificate in the censys.io database to a public CT log. I
believe Censys found them by scanning all of IPv4 and grabbing the
default (i.e. no SNI) ce
On Mon, 5 Feb 2018 12:07:06 -0500
Eric Mill via dev-security-policy
wrote:
> WoSign and StartCom are untrusted, but Certum is still trusted, right?
Yes.
In case that was unclear: The sentence "As we all know these are no
longer trusted by Mozilla, ..." was referring to the chapter above,
i.e. t
I have filed https://bugzilla.mozilla.org/show_bug.cgi?id=1435770
requesting an incident report from Certum.
On Mon, Feb 5, 2018 at 10:07 AM, Eric Mill via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> WoSign and StartCom are untrusted, but Certum is still trusted, right?
WoSign and StartCom are untrusted, but Certum is still trusted, right?
On Mon, Feb 5, 2018 at 11:08 AM, Hanno Böck via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Hi,
>
> I searched crt.sh for valid certificates vulnerable to the 2008 Debian
> weak key bug. (Only 2048 bi
Hi,
I searched crt.sh for valid certificates vulnerable to the 2008 Debian
weak key bug. (Only 2048 bit.)
Overall I found 5 unexpired certificates.
Two certificates by Certum (reported on Saturday, Certum told me "We
have taken necessary steps to clarify this situation as soon as
possible", they