On Wednesday, August 9, 2017 at 9:53:14 PM UTC-4, Alex Gaynor wrote:
> (Whoops, accidentally originally CC'd to m.d.s originally! Original mail
> was to IdenTrust)
>
> Hi,
>
> The following certificates appear to be misissued:
>
> https://crt.sh/?id=77893170&opt=cablint
>
On 10/08/17 19:35, Jeremy Rowley wrote:
> This is interesting. We had one Sub CA who mis-issued some pre-certs but
> then never issued an actual certificate tied to the pre-certificate. There
> was a previous Mozilla discussion (link coming) where mis-issuance of a
> pre-certificate was akin to
On August 10, 2017 at 9:44:01 PM, Jakob Bohm via dev-security-policy (
dev-security-policy@lists.mozilla.org) wrote:
On 11/08/2017 00:29, Jonathan Rudenberg wrote:
>
>> On Aug 10, 2017, at 17:04, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>>
>> Can anyone
On 11/08/2017 00:29, Jonathan Rudenberg wrote:
On Aug 10, 2017, at 17:04, Jakob Bohm via dev-security-policy
wrote:
Can anyone point out a real world X.509 framework that gets confused by
a redundant pathlen:0 in a CA:FALSE certificate? (Merely to
> On Aug 10, 2017, at 17:04, Jakob Bohm via dev-security-policy
> wrote:
>
> Can anyone point out a real world X.509 framework that gets confused by
> a redundant pathlen:0 in a CA:FALSE certificate? (Merely to assess the
> seriousness of the issue,
On Thursday, August 10, 2017 at 12:21:18 PM UTC-4, Ryan Sleevi wrote:
> On Thu, Aug 10, 2017 at 11:55 AM, identrust--- via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > On Thursday, August 10, 2017 at 12:23:55 AM UTC-4, Lee wrote:
> > > What's it going to take for
On 10/08/2017 20:14, Matthew Hardeman wrote:
Similarly, the cert at https://crt.sh/?id=92235998 has SAN dnsName of
ev-valid.identrustssl.com
It has a normal 2 year validity period.
Which again sounds like a certificate administratively created to serve as a
test point certificate for the
: Thursday, August 10, 2017 10:44 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Misissued certificates
On Thursday, 10 August 2017 16:55:22 UTC+1, iden...@gmail.com wrote:
> certificates contain the issue. Three (3) of these are real
> certificates; however, one has expir
Similarly, the cert at https://crt.sh/?id=92235998 has SAN dnsName of
ev-valid.identrustssl.com
It has a normal 2 year validity period.
Which again sounds like a certificate administratively created to serve as a
test point certificate for the root programs.
I don't know whether it was noticed or if it matters to anyone, but I did note
that for at least one of these certificates, particularly the one at
https://crt.sh/?id=92235996 , that the sole SAN dnsName for the certificate is
ev-expired.identrustssl.com.
The cert also had a whopping 24 hours
On Thursday, 10 August 2017 16:55:22 UTC+1, iden...@gmail.com wrote:
> certificates contain the issue. Three (3) of these are real certificates;
> however, one has expired. We have revoked the other two certificates. The
> remaining two (2) are pre-certificates.
To clear this up for anybody who
On Thu, Aug 10, 2017 at 11:55 AM, identrust--- via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Thursday, August 10, 2017 at 12:23:55 AM UTC-4, Lee wrote:
> > What's it going to take for mozilla to set up near real-time
> > monitoring/auditing of certs showing up in ct
Hi IdenTrust,
When you say that the remaining two are pre-certificates, are you asserting
that no corresponding certificate was ever issued? Or merely that we can't
prove one was based on what's in the existing CT logs?
Alex
On Thu, Aug 10, 2017 at 11:55 AM, identrust--- via dev-security-policy
On Thursday, August 10, 2017 at 12:23:55 AM UTC-4, Lee wrote:
> What's it going to take for mozilla to set up near real-time
> monitoring/auditing of certs showing up in ct logs?
>
> Lee
>
> On 8/9/17, Alex Gaynor via dev-security-policy
> wrote:
> >
Lee,
Different parts of Mozilla do monitor CT, both for internal IT
purposes, as well as research into the WebPKI. It seems like crt.sh does
a great job already of handling cablint/x509lint of newly-observed certs.
What are you looking for Mozilla to provide here that isn't already
being
What's it going to take for mozilla to set up near real-time
monitoring/auditing of certs showing up in ct logs?
Lee
On 8/9/17, Alex Gaynor via dev-security-policy
wrote:
> (Whoops, accidentally originally CC'd to m.d.s originally! Original mail
> was to