-security-policy@lists.mozilla.org]
Sent: Saturday, August 19, 2017 12:06 PM
To: Stephen Davidson
Cc: r...@sleevi.com; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Certificates with less than 64 bits of entropy
On Fri, Aug 18, 2017 at 12:04 PM, Stephen Davidson via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> 4) The list of affected certificates is attached in spreadsheet
> form; they will be uploaded to CT as well. You will note that the number
> has declined – Siemens'
On Fri, Aug 18, 2017 at 04:04:48PM +, Stephen Davidson via
dev-security-policy wrote:
> Siemens has previously indicated that the affected certificates are
> installed on high profile websites and infrastructure for Siemens' group
> companies around the world, and that a rushed revocation
Thanks Ryan, and I note your further posting regarding prompt response. Noting
your desire for detail, I have hesitated to respond with partial answers as
both Siemens and QuoVadis are working hard to fix the issues with the Siemens
CA and to replace the certificates as quickly as possible.
On Fri, Aug 18, 2017 at 1:34 AM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Since QuoVadis has not yet responded, let me point to a few (partial)
> answers already known from previous messages from QuoVadis or others:
I believe it would be far more
org> wrote:
Update on Siemens - Certificates with less than 64 bits of entropy
The following is regarding the topic https://groups.google.com/
forum/#!topic/mozilla.dev.security.policy/vl5eq0PoJxY regarding the
“Siemens Issuing CA Internet Server 2016” that is root signed by QuoVadis
and indepen
For posterity, here is a link to a separate thread started by D-Trust
containing their response to this report:
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/UnR98QjWQQs
-Vincent
Update on Siemens - Certificates with less than 64 bits of entropy
The following is regarding the topic
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/vl5eq0PoJxY
regarding the “Siemens Issuing CA Internet Server 2016” that is root signed by
QuoVadis and independently
As previously noted on this list, there are two Siemens CAs that have issued
certificates with less than 64 bits of entropy. See
https://misissued.com/batch/6/
The Siemens Issuing CA Internet 2013 is subordinate to a DigiCert-owned
root, and the Siemens Issuing CA Internet 2016 is signed by Quo
On Sunday, 13 August 2017 04:04:45 UTC+1, Eric Mill wrote:
> While not every issuing CA may take security seriously enough to employ
> engineers on staff who can research, author and deploy a production code
> fix in a 24 hour period, every issuing CA should be able to muster the
> strength to
a-dev-security-pol...@lists.mozilla.org; Jeremy
Rowley <jeremy.row...@digicert.com>
Subject: Re: Certificates with less than 64 bits of entropy
If they're not going to revoke within 24 hours and willingly violate that part
of the policy, I would at least expect them to, within that 24 hours
>
> Cc: Jeremy Rowley <jeremy.row...@digicert.com>; Jonathan Rudenberg <
> jonat...@titanous.com>; mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Certificates with less than 64 bits of entropy
>
>
>
> Have they fixed whatever issue there is with
On 8/11/2017 7:26 AM, Ben Wilson wrote:
>
> With regard to Siemens, given the large number of certificates and
> the disruption that massive revocations will have on their
> infrastructure, what does this community expect them to do?
>
Each violation of published requirements for the operation
a-dev-security-pol...@lists.mozilla.org
Subject: Re: Certificates with less than 64 bits of entropy
They are no longer issuing from the digicert cross. The issue is within their
PKI but there should be no additional certificates chained to DigiCert roots
On Aug 11, 2017, at 8:33 AM, B
ists.mozilla.org<mailto:mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: Certificates with less than 64 bits of entropy
Have they fixed whatever issue there is with their PKI infrastructure that
leads to this issue? From skimming, I see this pool contains certs issued as
recently as one m
: Friday, August 11, 2017 8:31 AM
To: Ben Wilson <ben.wil...@digicert.com>
Cc: Jeremy Rowley <jeremy.row...@digicert.com>; Jonathan Rudenberg
<jonat...@titanous.com>; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Certificates with less than 64 bits of entropy
Have t
urity-policy-bounces+ben=
> digicert@lists.mozilla.org] On Behalf Of Jeremy Rowley via
> dev-security-policy
> Sent: Thursday, August 10, 2017 12:01 PM
> To: Jonathan Rudenberg <jonat...@titanous.com>;
> mozilla-dev-security-pol...@lists.mozilla.org
> Subject: RE: Certi
@lists.mozilla.org] On
Behalf Of Jeremy Rowley via dev-security-policy
Sent: Thursday, August 10, 2017 12:01 PM
To: Jonathan Rudenberg <jonat...@titanous.com>;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: Certificates with less than 64 bits of entropy
Hi Jonathan,
InfoCert's
On Thursday, August 10, 2017 at 11:27:53 AM UTC-5, Nick Lamb wrote:
> The truth is that there is no positive test for randomness, any work in this
> area is going to end up needing a judgement call, so I think inconveniencing
> the CAs even a small amount with such a policy change just to make
@lists.mozilla.org]
On Behalf Of Jonathan Rudenberg via dev-security-policy
Sent: Thursday, August 10, 2017 9:26 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Certificates with less than 64 bits of entropy
> On Aug 10, 2017, at 11:20, Jonathan Rudenberg via dev-security-pol
On Thursday, 10 August 2017 16:20:56 UTC+1, Jonathan Rudenberg wrote:
- Three intermediates, "TeleSec ServerPass Class 2 CA”, "Go Daddy Secure
Certificate Authority - G2”, and "Starfield Secure Certificate Authority - G2”,
(which are not in this list) appear to issue certificates with serial
> On Aug 10, 2017, at 11:20, Jonathan Rudenberg via dev-security-policy
> wrote:
>
> QuoVadis (560)
>   Siemens Issuing CA Internet Server 2016 (560)
>
> D-TRUST (224)
>   D-TRUST SSL Class 3 CA 1 2009 (178)
>   D-TRUST SSL Class 3 CA 1 EV 2009 (45)
>
Baseline Requirements section 7.1 says:
> Effective September 30, 2016, CAs SHALL generate non‐sequential Certificate
> serial numbers greater than zero (0) containing at least 64 bits of output
> from a CSPRNG.
There are 1027 unexpired unrevoked certificates known to CT with a notBefore
date