Re: Reuse of serial numbers by StartCom

2016-09-07 Thread Ryan Sleevi
Kyle, It is one thing to say NSS doesn't let you have multiple certificates with the same issuer and serial, which is factually true, but it's another to suggest this means it pins as you described, which is incorrect speculation. I appreciate your attention to detail citing X.509, but let's

Re: Reuse of serial numbers by StartCom

2016-09-06 Thread Kyle Hamilton
On 9/4/2016 02:04, Eddy Nigg wrote: > On 09/02/2016 07:02 PM, Nick Lamb wrote: >> On Friday, 2 September 2016 08:50:02 UTC+1, Eddy Nigg wrote: >>> Let's speak about relying parties - how does this bug affect you? >> As a relying party I am entitled to assume that there is no more than >> one

Re: Reuse of serial numbers by StartCom

2016-09-04 Thread Kurt Roeckx
On Sun, Sep 04, 2016 at 12:04:21PM +0300, Eddy Nigg wrote: > On 09/02/2016 07:02 PM, Nick Lamb wrote: > > On Friday, 2 September 2016 08:50:02 UTC+1, Eddy Nigg wrote: > > > Let's speak about relying parties - how does this bug affect you? > > As a relying party I am entitled to assume that there

Re: Reuse of serial numbers by StartCom

2016-09-04 Thread Eddy Nigg
On 09/02/2016 07:02 PM, Nick Lamb wrote: On Friday, 2 September 2016 08:50:02 UTC+1, Eddy Nigg wrote: Let's speak about relying parties - how does this bug affect you? As a relying party I am entitled to assume that there is no more than one certificate signed by a particular issuer with a

Re: Reuse of serial numbers by StartCom

2016-09-02 Thread Nick Lamb
On Friday, 2 September 2016 08:50:02 UTC+1, Eddy Nigg wrote: > Let's speak about relying parties - how does this bug affect you? As a relying party I am entitled to assume that there is no more than one certificate signed by a particular issuer with a certain serial number. If I have seen this

Re: Reuse of serial numbers by StartCom

2016-09-02 Thread Eddy Nigg
On 09/02/2016 09:38 AM, Jakob Bohm wrote: 4. Violations that are purely technical but cannot actually endanger relying parties (such as issuing non-unique certificates to the correct entities, or issuing certificates with too early expiry dates). This would be the case with the StartCom serial

Re: Reuse of serial numbers by StartCom

2016-09-02 Thread Eddy Nigg
On 09/01/2016 11:52 AM, Nick Lamb wrote: On Thursday, 1 September 2016 08:54:16 UTC+1, Eddy Nigg wrote: Not so, rather according to my assessment, the cost and everything it entailed (including other risks) to fix that particular issue outweighed the benefits for having it fixed within a

Re: Reuse of serial numbers by StartCom

2016-09-02 Thread Jakob Bohm
On 01/09/2016 10:52, Nick Lamb wrote: On Thursday, 1 September 2016 08:54:16 UTC+1, Eddy Nigg wrote: Not so, rather according to my assessment, the cost and everything it entailed (including other risks) to fix that particular issue outweighed the benefits for having it fixed within a

Re: Reuse of serial numbers by StartCom

2016-09-01 Thread Jeremy Rowley
The ballot on this started today > On Sep 1, 2016, at 7:21 AM, Kurt Roeckx wrote: > >> On 2016-09-01 14:21, Matt Palmer wrote: >>> On Thu, Sep 01, 2016 at 10:53:36AM +0300, Eddy Nigg wrote: On 09/01/2016 04:20 AM, Matt Palmer wrote: You were knowingly violating a MUST

Re: Reuse of serial numbers by StartCom

2016-09-01 Thread Kurt Roeckx
On 2016-09-01 14:21, Matt Palmer wrote: On Thu, Sep 01, 2016 at 10:53:36AM +0300, Eddy Nigg wrote: On 09/01/2016 04:20 AM, Matt Palmer wrote: You were knowingly violating a MUST provision of RFC5280. From experience there have been many RFC violations, sometimes even knowingly and

Re: Reuse of serial numbers by StartCom

2016-09-01 Thread Patrick T
On Wednesday, 31 August 2016 17:57:41 UTC+1, Eddy Nigg wrote: > On 08/31/2016 03:19 PM, Matt Palmer wrote: > > That bug appears to pre-date *all* of the certificates listed above. > > Further, the last communication on that bug (2014-09-22), from Eddy > > Nigg (of StartCom), said: > >> It's a

Re: Reuse of serial numbers by StartCom

2016-09-01 Thread Nick Lamb
On Thursday, 1 September 2016 08:54:16 UTC+1, Eddy Nigg wrote: > Not so, rather according to my assessment, the cost and everything it > entailed (including other risks) to fix that particular issue outweighed > the benefits for having it fixed within a time-frame shorter than that. It seems

Re: Reuse of serial numbers by StartCom

2016-09-01 Thread Eddy Nigg
On 09/01/2016 04:20 AM, Matt Palmer wrote: That sounds an awful lot like "we can't fix our own systems", which is a... terrifying thought. Not so, rather according to my assessment, the cost and everything it entailed (including other risks) to fix that particular issue outweighed the

Re: Reuse of serial numbers by StartCom

2016-08-31 Thread Matt Palmer
On Wed, Aug 31, 2016 at 07:57:02PM +0300, Eddy Nigg wrote: > On 08/31/2016 03:19 PM, Matt Palmer wrote: > >That bug appears to pre-date *all* of the certificates listed above. > >Further, the last communication on that bug (2014-09-22), from Eddy Nigg > >(of StartCom), said: > >>It's a hard and

Re: Reuse of serial numbers by StartCom

2016-08-31 Thread Matt Palmer
On Wed, Aug 31, 2016 at 09:29:20AM +0200, Kurt Roeckx wrote: > On 2016-08-31 04:56, Peter Bowen wrote: > >In reviewing the Certificate Transparency logs, I noticed StartCom > >has issued multiple certificates with identical serial numbers and > >identical issuer names. > > >

Re: Reuse of serial numbers by StartCom

2016-08-31 Thread Kurt Roeckx
On 2016-08-31 04:56, Peter Bowen wrote: In reviewing the Certificate Transparency logs, I noticed StartCom has issued multiple certificates with identical serial numbers and identical issuer names. https://crt.sh/?serial=14DCA8 (2014-12-07) https://crt.sh/?serial=04FF5D653668DB (2015-01-05)

Re: Reuse of serial numbers by StartCom

2016-08-31 Thread Eddy Nigg
On 08/31/2016 05:56 AM, Peter Bowen wrote: In reviewing the Certificate Transparency logs, I noticed StartCom has issued multiple certificates with identical serial numbers and identical issuer names. https://crt.sh/?serial=14DCA8 (2014-12-07) https://crt.sh/?serial=04FF5D653668DB

Reuse of serial numbers by StartCom

2016-08-30 Thread Peter Bowen
In reviewing the Certificate Transparency logs, I noticed StartCom has issued multiple certificates with identical serial numbers and identical issuer names. https://crt.sh/?serial=14DCA8 (2014-12-07) https://crt.sh/?serial=04FF5D653668DB (2015-01-05) https://crt.sh/?serial=052D14BA553ED0
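The check described in the report above, as an added example that is not code from this thread, from StartCom or from crt.sh: it pulls serialNumber and issuer out of DER-encoded certificates with a minimal TLV reader, groups the certificates by the (issuer, serial) pair, and reports every pair carried by more than one certificate. The sample certificates are constructed DER skeletons (the two serial values are the ones quoted in the report; the issuer names are made up), and issuers are compared as raw DER bytes rather than under full RFC 5280 name matching, which is exact for the same-CA case at issue here. To run it against real data, pass `find_duplicate_serials` a dict mapping a label to the DER bytes of each certificate.

```python
"""Detect reuse of (issuer, serialNumber) pairs across DER certificates.

Added example, not code from the thread. Only the leading fields of
TBSCertificate are needed, so a small hand-rolled DER reader suffices.
"""
from collections import defaultdict


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def issuer_and_serial(cert_der):
    """Return (issuer_name_der, serial_int) for a DER X.509 Certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { version [0] EXPLICIT OPTIONAL, serialNumber INTEGER,
                                  signature AlgorithmIdentifier, issuer Name, ... }
    """
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    tag, tbs, _ = _read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate must be a SEQUENCE")
    tag, value, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                         # explicit [0] version present (v2/v3): skip it
        tag, value, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    serial = int.from_bytes(value, "big", signed=True)
    tag, _, pos = _read_tlv(tbs, pos)       # signature AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("expected signature AlgorithmIdentifier")
    issuer_start = pos
    tag, _, pos = _read_tlv(tbs, pos)       # issuer Name, kept as raw DER for comparison
    if tag != 0x30:
        raise ValueError("expected issuer Name")
    return tbs[issuer_start:pos], serial


def find_duplicate_serials(certs):
    """Map each (issuer_der, serial) seen more than once to the sorted labels of its certs."""
    groups = defaultdict(list)
    for label, der in certs.items():
        groups[issuer_and_serial(der)].append(label)
    return {key: sorted(labels) for key, labels in groups.items() if len(labels) > 1}


# --- constructed sample input: DER skeletons, not real certificates -----------

def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_octets)]) + length_octets + value


def _der_int(v):
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def _name(common_name):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; a single CN (OID 2.5.4.3) here."""
    atv = _tlv(0x30, bytes.fromhex("0603550403") + _tlv(0x0C, common_name.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def _skeleton_cert(issuer_cn, serial):
    """Constructed stand-in carrying version, serial, sigalg and issuer only. The remaining
    TBSCertificate fields and a real signature are omitted, so no verifier would accept it,
    but it is valid DER for the fields issuer_and_serial() reads."""
    sha256_rsa = bytes.fromhex("300d06092a864886f70d01010b0500")   # sha256WithRSAEncryption
    tbs = _tlv(0x30, _tlv(0xA0, _der_int(2)) + _der_int(serial) + sha256_rsa + _name(issuer_cn))
    return _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00"))


# Serials are the two quoted in the report; the issuer names are made up for the example.
SAMPLE_CERTS = {
    "cert-a": _skeleton_cert("Constructed Example CA", 0x14DCA8),
    "cert-b": _skeleton_cert("Constructed Example CA", 0x14DCA8),          # same issuer and serial
    "cert-c": _skeleton_cert("Constructed Example CA", 0x04FF5D653668DB),
    "cert-d": _skeleton_cert("Other Constructed CA", 0x14DCA8),            # same serial, other issuer: allowed
}

if __name__ == "__main__":
    for (issuer, serial), labels in find_duplicate_serials(SAMPLE_CERTS).items():
        print(f"serial {serial:X} reused under one issuer by: {', '.join(labels)}")
```

The pair has to be unique (RFC 5280, section 4.1.2.2) because revocation data identifies a certificate only by its serial relative to the issuer: a CRL entry or OCSP CertID naming serial 14DCA8 under this issuer applies to every certificate carrying it, so certificates sharing a pair cannot be revoked or cached independently by a relying party. That is why cert-d above, which shares only the serial but not the issuer, is not reported.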