Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

2017-02-22 Thread Gervase Markham via dev-security-policy
On 22/02/17 14:42, Tony Zhaocheng Tan wrote: > On 2017-01-03, Let's Encrypt issued a certificate for apple-id-2.com. > However, until today, the domain apple-id-2.com has apparently never > been registered. How was the certificate issued? On Hacker News, Josh Aas writes: "Head of Let's Encrypt he

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

2017-02-22 Thread Tony Zhaocheng Tan via dev-security-policy
Yep, no issue here anymore. Josh Aas hadn't posted on hacker news when I sent this. Thanks, Tony Tony Zhaocheng Tan | t...@tonytan.io | PGP Key Original Message On Feb 22, 2017, 7:30 PM, Gervase Markham wrote: On 22/02/17 14:42, Tony Zhaocheng Tan wrote: > On 2017-01-03, Let'

RE: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

2017-02-22 Thread Richard Wang via dev-security-policy
to:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Gervase Markham via dev-security-policy Sent: Thursday, February 23, 2017 8:30 AM To: Tony Zhaocheng Tan ; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Let's Encrypt appears to issue a certificate for a

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

2017-02-22 Thread George Macon via dev-security-policy
On 2/22/17 7:30 PM, Gervase Markham wrote: > On Hacker News, Josh Aas writes: > > > > Update: Squarespace has confirmed that they did register the domain and > then released it after getting a certificate from us." In this case, should Squarespace have requested that the certificate be revoked b

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

2017-02-22 Thread Ryan Sleevi via dev-security-policy
- > From: dev-security-policy [mailto:dev-security-policy-bounces+richard= > wosign@lists.mozilla.org] On Behalf Of Gervase Markham via > dev-security-policy > Sent: Thursday, February 23, 2017 8:30 AM > To: Tony Zhaocheng Tan ; mozilla-dev-security-policy@ > lists.mozilla.org > Subje

RE: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

2017-02-22 Thread Richard Wang via dev-security-policy
-security-pol...@lists.mozilla.org Subject: Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist Hi Richard, There's no policies in the Baseline Requirements or Mozilla Requirements that normalize or define high risk domain, which I believe

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

2017-02-22 Thread Peter Bowen via dev-security-policy
On Wed, Feb 22, 2017 at 7:35 PM, Richard Wang via dev-security-policy wrote: > As I understand, the BR 4.2.1 required this: > > “The CA SHALL develop, maintain, and implement documented procedures that > identify and require additional verification activity for High Risk > Certificate Requests p

RE: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

2017-02-22 Thread Richard Wang via dev-security-policy
Sent: Thursday, February 23, 2017 11:53 AM To: Richard Wang Cc: r...@sleevi.com; mozilla-dev-security-pol...@lists.mozilla.org; Tony Zhaocheng Tan ; Gervase Markham Subject: Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist On Wed, Feb 22, 2017 at 7:35 P

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

2017-02-22 Thread Ryan Sleevi via dev-security-policy
> > > > *From:* Ryan Sleevi [mailto:r...@sleevi.com] > *Sent:* Thursday, February 23, 2017 11:21 AM > *To:* Richard Wang > *Cc:* Gervase Markham ; Tony Zhaocheng Tan < > t...@tonytan.io>; mozilla-dev-security-pol...@lists.mozilla.org > > *Subject:* Re: Let's

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

2017-02-22 Thread Ryan Sleevi via dev-security-policy
, February 23, 2017 11:53 AM > To: Richard Wang > Cc: r...@sleevi.com; mozilla-dev-security-pol...@lists.mozilla.org; Tony > Zhaocheng Tan ; Gervase Markham > Subject: Re: Let's Encrypt appears to issue a certificate for a domain that > doesn't exist > > On Wed, Feb 22

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

2017-02-22 Thread Vincent Lynch via dev-security-policy
evi.com; mozilla-dev-security-pol...@lists.mozilla.org; Tony > Zhaocheng Tan ; Gervase Markham > Subject: Re: Let's Encrypt appears to issue a certificate for a domain that > doesn't exist > > On Wed, Feb 22, 2017 at 7:35 PM, Richard Wang via dev-security-policy >

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

2017-02-22 Thread Matt Palmer via dev-security-policy
On Wed, Feb 22, 2017 at 10:00:45PM -0500, George Macon via dev-security-policy wrote: > On 2/22/17 7:30 PM, Gervase Markham wrote: > > On Hacker News, Josh Aas writes: > > Update: Squarespace has confirmed that they did register the domain and > > then released it after getting a certificate from

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

2017-02-22 Thread Matt Palmer via dev-security-policy
On Thu, Feb 23, 2017 at 01:08:49AM +, Richard Wang via dev-security-policy wrote: > I think "apple-id-2.com" is a high risk domain that must be blocked to issue > DV SSL to those domains. Why? > Here is the list of some high risk domains related to Microsoft and Google > that Let's Encrypt

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

2017-02-22 Thread Peter Bowen via dev-security-policy
On Wed, Feb 22, 2017 at 8:31 PM, Matt Palmer via dev-security-policy wrote: > On Wed, Feb 22, 2017 at 10:00:45PM -0500, George Macon via > dev-security-policy wrote: >> On 2/22/17 7:30 PM, Gervase Markham wrote: >> > On Hacker News, Josh Aas writes: >> > Update: Squarespace has confirmed that the

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

2017-02-22 Thread Peter Bowen via dev-security-policy
7 11:53 AM > To: Richard Wang > Cc: r...@sleevi.com; mozilla-dev-security-pol...@lists.mozilla.org; Tony > Zhaocheng Tan ; Gervase Markham > Subject: Re: Let's Encrypt appears to issue a certificate for a domain that > doesn't exist > > On Wed, Feb 22, 2017 at 7:35 PM, Richa

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

2017-02-23 Thread Nick Lamb via dev-security-policy
On Thursday, 23 February 2017 01:11:54 UTC, Richard Wang wrote: > https://crt.sh/?id=65208905 for google.ligboy.org Without wanting to jump on this pre-existing dogpile: This specific example is illustrative of two important factors that should be considered in examining the threat here: 1. N

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

2017-02-23 Thread Gervase Markham via dev-security-policy
On 22/02/17 17:08, Richard Wang wrote: > I think "apple-id-2.com" is a high risk domain that must be blocked to issue > DV SSL to those domains. I don't represent Let's Encrypt, but their policy on such things is relevant to this discussion, and it is here: https://letsencrypt.org/2015/10/29/phis

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

2017-02-23 Thread Matt Palmer via dev-security-policy
On Thu, Feb 23, 2017 at 01:55:40AM -0800, Nick Lamb via dev-security-policy wrote: > 1. Neither registries nor registrars in the DNS system would ordinarily > have control over the existence of sub-domains. In some cases the whole > _purpose_ of the registration is to create such sub-domains with

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

2017-02-23 Thread Matt Palmer via dev-security-policy
On Thu, Feb 23, 2017 at 03:55:43AM +, Richard Wang via dev-security-policy wrote: > If "apple", "google", "Microsoft" is not a high risk domain, then I don’t > know which domain is high risk domain, maybe only "github". That's kinda the problem: you don't know, and neither does anyone else,
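Added example, not code from Let's Encrypt, WoSign or anyone on this thread: a toy BR 4.2.1-style "high risk" screen that illustrates the two points raised above by Nick Lamb (brand names in sub-domains are outside any registrar's control) and Matt Palmer (nobody can say which names are high risk). The brand keyword list and the tiny public-suffix table are constructed for illustration; a real screen would use the full Public Suffix List. The three names it classifies are the ones quoted in this thread (apple-id-2.com, google.ligboy.org, www.microsoftonline.us.com), plus a constructed false positive.

```python
"""Toy screen for "High Risk Certificate Requests" (BR 4.2.1 style).

Added example; not Let's Encrypt's or any CA's actual policy code. The
brand list and suffix table are constructed assumptions for illustration.
"""

# Constructed: a handful of brand keywords a CA might treat as "high risk".
BRAND_KEYWORDS = ("apple", "google", "microsoft", "github")

# Constructed, tiny stand-in for the Public Suffix List. "us.com" is a
# private suffix sold by a reseller, so anyone can obtain a name under it;
# omitting it would make "us.com" look like the registrable domain.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "us.com"}


def split_fqdn(fqdn, suffixes=PUBLIC_SUFFIXES):
    """Return (subdomain_labels, registrable_domain, suffix) for fqdn.

    Longest-suffix match against the suffix table, mirroring how PSL-based
    libraries find the registrable (registrar-controlled) part of a name.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in suffixes:
            if i == 0:
                raise ValueError(f"{fqdn!r} is itself a public suffix")
            return labels[: i - 1], ".".join(labels[i - 1 :]), candidate
    # Unknown suffix: fall back to treating the last label as the TLD.
    return labels[:-2], ".".join(labels[-2:]), labels[-1]


def brand_hits(text):
    """Naive substring match. Deliberately naive: it is what makes the
    'which domains are high risk?' question unanswerable in general."""
    return [b for b in BRAND_KEYWORDS if b in text]


def screen(fqdn, suffixes=PUBLIC_SUFFIXES):
    """Report where brand keywords occur in a requested name.

    A registrar or registry could in principle act on the registrable part;
    sub-domain labels are entirely under the registrant's control, so a
    CA-side keyword match is the only place they could be caught.
    """
    subs, registrable, suffix = split_fqdn(fqdn, suffixes)
    registrable_label = registrable[: -(len(suffix) + 1)]
    return {
        "registrable_domain": registrable,
        "brand_in_registrable": brand_hits(registrable_label),
        "brand_in_subdomain": brand_hits(".".join(subs)),
    }


if __name__ == "__main__":
    for name in ("apple-id-2.com", "google.ligboy.org",
                 "www.microsoftonline.us.com", "pineapple.com"):
        print(name, screen(name))
```

The fourth name is the catch: "pineapple.com" trips the same keyword rule as "apple-id-2.com", and dropping "us.com" from the suffix table moves "microsoftonline" from the registrable part into the sub-domain column, which is exactly why a keyword list cannot stand in for a definition of "high risk".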

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

2017-02-23 Thread Eric Mill via dev-security-policy
This list hosted an extensive discussion on this issue in May of 2016, subject line "SSL Certs for Malicious Websites": https://groups.google.com/d/topic/mozilla.dev.security.policy/vMrncPi3tx8/discussion Most (all?) of the people on this thread participated on that one, and said most (all?) of

RE: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

2017-02-23 Thread Richard Wang via dev-security-policy
Behalf Of Gervase Markham via dev-security-policy Sent: Friday, February 24, 2017 2:13 AM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist On 22/02/17 17:08, Richard Wang wrote: > I think "

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

2017-02-23 Thread Matt Palmer via dev-security-policy
On Fri, Feb 24, 2017 at 01:12:38AM +, Richard Wang via dev-security-policy wrote: > I am sure this site: https://www.microsoftonline.us.com/ is a phishing site > and a fake office 365 site that I wish LE can revoke this cert. Why? It works just fine over HTTP, too. - Matt

RE: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

2017-02-23 Thread Richard Wang via dev-security-policy
Palmer via dev-security-policy Sent: Friday, February 24, 2017 10:35 AM To: dev-security-policy@lists.mozilla.org Subject: Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist On Fri, Feb 24, 2017 at 01:12:38AM +, Richard Wang via dev-security-policy wro

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

2017-02-23 Thread Matt Palmer via dev-security-policy
On Fri, Feb 24, 2017 at 03:09:10AM +, Richard Wang via dev-security-policy wrote: > Do you think this site is an authentic site from Microsoft? > If it is a fake site, then CA should revoke the issued certificate. Why? - Matt ___ dev-security-poli

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

2017-02-23 Thread wuyi via dev-security-policy
According to what I’ve known, “Acknowledgment and Acceptance: An acknowledgment and acceptance that the CA is entitled to revoke the certificate immediately if the Applicant were to violate the terms of the Subscriber or Terms of Use Agreement or if the CA discovers that the Certificate is b

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

2017-02-23 Thread Vincent Lynch via dev-security-policy
As you have quoted it, Let's Encrypt's CPS says: "the CA is *entitled* to revoke the certificate" The key word is "entitled." Meaning that Let's Encrypt may revoke the certificate if they chose, but are not required to. Therefore not revoking the certificate is compatible with their CPS. It's im

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

2017-02-24 Thread Gervase Markham via dev-security-policy
On 23/02/17 21:35, wuyi wrote: > “Acknowledgment and Acceptance: An acknowledgment and acceptance that > the CA is entitled to revoke the certificate immediately if the > Applicant were to violate the terms of the Subscriber or Terms of Use > Agreement or if the CA discovers that the Certificate is