Thank you to everyone who has been looking into the .tg Registry problem
and providing valuable information. I greatly appreciate all of your
efforts!
I have updated the related action item in the November CA Communication
to reflect the dates that we believe the .tg Registry was having
probl
Subject: Re: .tg Certificates Issued by Let's Encrypt
>
> On 11/14/17 4:34 AM, douglas.beat...@gmail.com wrote:
> >
> > Do we believe that this issue has been resolved by the Registry and issuance
> > can resume as normal, or are there ongoing concerns which CAs should be
ity-pol...@lists.mozilla.org
Subject: Re: .tg Certificates Issued by Let's Encrypt
On 11/14/17 4:34 AM, douglas.beat...@gmail.com wrote:
>
> Do we believe that this issue has been resolved by the Registry and
> issuance can resume as normal, or are there ongoing concerns which CAs shou
Let's Encrypt has now received confirmation from CAFE Informatique & Télécom
(.tg operators) that the .tg registry was compromised around Nov 1, 2017.
Apparently a vulnerability in some front-end software ultimately allowed
attackers to access and manipulate the registry database. CAFE Informati
On 2017-11-15 13:07, Nick Lamb wrote:
> And at another extreme Mozilla could decide that Firefox, the browser, won't
> trust such names, and blacklist suffixes at its sole discretion; affected DNS
> names would simply never get treated as secure in Firefox - it would be
> acceptable to issue certifica
On Tuesday, 14 November 2017 16:31:34 UTC, Kathleen Wilson wrote:
> Based on information from folks that are monitoring their NS Records, we
> believe that the .tg Registry problems were fixed on November 1, and
> have remained fixed since then.
>
> I have not looked into how Registries are ope
On Tuesday, November 14, 2017 at 8:31:34 AM UTC-8, Kathleen Wilson wrote:
> On 11/14/17 4:34 AM, douglas...@gmail.com wrote:
> >
> > Do we believe that this issue has been resolved by the Registry and
> > issuance can resume as normal, or are there ongoing concerns which CAs
> > should be aware o
On 11/14/17 4:34 AM, douglas.beat...@gmail.com wrote:
> Do we believe that this issue has been resolved by the Registry and issuance can
> resume as normal, or are there ongoing concerns which CAs should be aware of
> when issuing certificates to .tg domains?
Based on information from folks that
On 11/13/17 7:22 PM, Jakob Bohm wrote:
> Wouldn't the .tg incident be equally relevant for the e-mail trust bit?
> (In which case the first 3 options should say TLS/SSL/e-mail)
Good point. To make it easier, I removed "TLS/SSL", and changed text to
"certificates containing .tg domains".
Updat
On Monday, November 6, 2017 at 6:40:58 AM UTC-5, Ben Laurie wrote:
> On 4 November 2017 at 19:54, Kathleen Wilson via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > On 11/4/17 5:36 AM, Daniel Cater wrote:
> >
> > I think those CAs need to re-validate their recently iss
On 14/11/2017 02:23, Kathleen Wilson wrote:
> On 11/6/17 3:40 AM, Ben Laurie wrote:
> > Since CT is not (yet) compulsory, it seems you probably have to contact all
> > CAs, doesn't it?
> To close the loop on this...
> I have added the following to the draft of the November 2017 CA
> Communication.
> ~~
> A
On 11/6/17 3:40 AM, Ben Laurie wrote:
> Since CT is not (yet) compulsory, it seems you probably have to contact all
> CAs, doesn't it?
To close the loop on this...
I have added the following to the draft of the November 2017 CA
Communication.
~~
ACTION 8: Check for issuance of TLS/SSL certifi
On Mon, Nov 6, 2017 at 6:34 AM, Fotis Loukos via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On 04/11/2017 02:36 μμ, Daniel Cater via dev-security-policy wrote:
> > I notice that on https://crt.sh/mozilla-onecrl there are lots of
> > certificates that have recently been add
On 4 November 2017 at 19:54, Kathleen Wilson via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On 11/4/17 5:36 AM, Daniel Cater wrote:
>
>> I notice that on https://crt.sh/mozilla-onecrl there are lots of
>> certificates that have recently been added to OneCRL from the .tg
On 04/11/2017 02:36 μμ, Daniel Cater via dev-security-policy wrote:
> I notice that on https://crt.sh/mozilla-onecrl there are lots of certificates
> that have recently been added to OneCRL from the .tg TLD (Togo), including
> ones for high-profile domains such as google.tg. The issuances occurre
Neither CAA nor DNSSEC mitigates registry compromises.
On Sun, Nov 5, 2017 at 9:15 AM Daniel Cater via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Hmm, CAA records could also potentially be spoofed in this situation, in
> which case they would also not be trustworthy (sav
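A worked illustration of two points raised in this thread: the NS-record monitoring that was used to tell when the .tg delegations had been fixed, and why CAA and DNSSEC do not protect a name once the registry itself is rewritten. This is example code added here, not code from the thread, from Let's Encrypt, or from the .tg registry; the zone names, nameserver names, key strings and registry table are all constructed, and DS/DNSKEY handling is reduced to a SHA-256 digest so it runs offline.

```python
"""Toy model of a TLD registry compromise and its effect on CAA and DNSSEC.

Added example, not code from the thread or from any CA or registry.
All zone names, nameserver names and key strings below are constructed.
"""
import hashlib
from copy import deepcopy

GOOD_KEY = "legit-zone-key-v1"        # constructed stand-in for a DNSKEY
ATTACKER_KEY = "attacker-zone-key"    # constructed


def ds_digest(dnskey: str) -> str:
    """Toy DS record: a digest of the child's DNSKEY, published by the parent."""
    return hashlib.sha256(dnskey.encode()).hexdigest()


# The registry database: for each child zone, the NS and DS records that the
# TLD zone publishes (constructed, not real .tg data).
REGISTRY = {
    "example.tg.": {
        "NS": {"ns1.legit-dns.example.", "ns2.legit-dns.example."},
        "DS": {ds_digest(GOOD_KEY)},
    },
}

# What each nameserver serves for the zones it is authoritative for.
LEGIT_ZONE = {"DNSKEY": GOOD_KEY, "CAA": {"letsencrypt.org"}}
NAMESERVERS = {
    "ns1.legit-dns.example.": {"example.tg.": LEGIT_ZONE},
    "ns2.legit-dns.example.": {"example.tg.": LEGIT_ZONE},
    # Attacker-run server: same zone name, attacker's key, attacker's CAA.
    "ns.attacker.example.": {
        "example.tg.": {"DNSKEY": ATTACKER_KEY, "CAA": {"attacker-ca.example"}},
    },
}


def resolve(registry, nameservers, zone, rrtype):
    """Follow the parent's delegation and query the delegated server(s)."""
    for ns in sorted(registry[zone]["NS"]):
        data = nameservers.get(ns, {}).get(zone)
        if data is not None and rrtype in data:
            return data[rrtype]
    return None


def dnssec_validates(registry, nameservers, zone):
    """Toy chain of trust: the DNSKEY served by the child must hash to a DS
    published by the parent. Whoever writes the DS decides which key is trusted."""
    key = resolve(registry, nameservers, zone, "DNSKEY")
    return key is not None and ds_digest(key) in registry[zone]["DS"]


def caa_permits(registry, nameservers, zone, ca):
    """CAA check a CA would run before issuing (toy: no climbing to parents)."""
    caa = resolve(registry, nameservers, zone, "CAA")
    if caa is None:
        return True  # no CAA record found: any CA may issue
    return ca in caa


def compromise_registry(registry, zone, attacker_ns, attacker_key):
    """Attacker with write access to the registry database rewrites the
    delegation: NS *and* DS, so the DNSSEC chain re-roots on their key."""
    tampered = deepcopy(registry)
    tampered[zone] = {"NS": {attacker_ns}, "DS": {ds_digest(attacker_key)}}
    return tampered


def delegation_changes(baseline, observed):
    """The check the thread describes: compare observed NS (and DS) records
    against a pinned baseline and report every zone whose delegation moved."""
    changes = {}
    for zone, before in baseline.items():
        after = observed.get(zone, {"NS": set(), "DS": set()})
        diff = {rr: (sorted(before[rr]), sorted(after[rr]))
                for rr in ("NS", "DS") if before[rr] != after[rr]}
        if diff:
            changes[zone] = diff
    return changes


def demo(zone="example.tg.", ca="attacker-ca.example"):
    """Run the scenario before and after the registry is tampered with."""
    tampered = compromise_registry(REGISTRY, zone, "ns.attacker.example.", ATTACKER_KEY)
    return {
        "caa_before": caa_permits(REGISTRY, NAMESERVERS, zone, ca),
        "caa_after": caa_permits(tampered, NAMESERVERS, zone, ca),
        "dnssec_before": dnssec_validates(REGISTRY, NAMESERVERS, zone),
        "dnssec_after": dnssec_validates(tampered, NAMESERVERS, zone),
        "monitor_alert": delegation_changes(REGISTRY, tampered),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Before the tampering, the attacker's CA is refused by CAA and the zone validates under DNSSEC; after it, the attacker's CAA record is what every fresh lookup returns and the chain of trust still validates, because the attacker wrote both the NS and the DS at the parent. Only the delegation diff (`monitor_alert`) notices, which is why NS monitoring, not CAA or DNSSEC, was the signal people in this thread relied on. As Daniel notes above, a CAA answer still sitting in a resolver cache with a long TTL is the one place the honest record survives; a real monitor should also query the TLD's authoritative servers directly for the NS/DS set rather than trusting a recursive resolver.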
Hmm, CAA records could also potentially be spoofed in this situation, in which
case they would also not be trustworthy (save for cached records with a long
TTL).
I think it depends on whether the issue has been fixed or not. If it has not
been fixed, then I would say that all CAs need to put a hold on .tg certificate
issuance as a priority. If a registry can be compromised, then potentially the
integrity of all 10 blessed methods is at risk.
If it has b
On 11/4/17 5:36 AM, Daniel Cater wrote:
> I notice that on https://crt.sh/mozilla-onecrl there are lots of certificates
> that have recently been added to OneCRL from the .tg TLD (Togo), including ones
> for high-profile domains such as google.tg. The issuances occurred 3 days ago,
> on 1st November.