On 10/28/15 21:30, Kathleen Wilson wrote:
> On 10/28/15 2:14 PM, Kathleen Wilson wrote:
>> Google has blogged about this:
>>
>> https://googleonlinesecurity.blogspot.com/2015/10/sustaining-digital-certificate-security.html
>>
>>
>
> All,
>
> We should discuss what actions Mozilla should require
From: Kathleen Wilson <kwil...@mozilla.com>
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Symantec Test Cert Misissuance Incident
On 10/28/15 2:14 PM, Kathleen Wilson wrote:
Google has blogged about this:
https://googleonlinesecurity.blogspot.com/2015/10/sustaining-d
On Thu, Oct 29, 2015 at 02:17:35PM +0100, Kurt Roeckx wrote:
> On 2015-10-28 22:30, Kathleen Wilson wrote:
> >According to the article, here is what Google is requiring of Symantec:
> >
> >1) as of June 1st, 2016, all certificates issued by Symantec itself will
> >be required to support
On 10/28/15 2:14 PM, Kathleen Wilson wrote:
Google has blogged about this:
https://googleonlinesecurity.blogspot.com/2015/10/sustaining-digital-certificate-security.html
All,
We should discuss what actions Mozilla should require of Symantec, and
what would be the penalty of not completing
Google has blogged about this:
https://googleonlinesecurity.blogspot.com/2015/10/sustaining-digital-certificate-security.html
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
We are working hard on providing an update and responding to open questions.
We will provide further information as soon as it's available.
On 15/10/15 10:54, Rob Stradling wrote:
> Rick, your report [1] states that...
>
>"...the certificates never left Symantec's secure test labs or the
A charitable reading of this might be "the private keys never left...".
But yes, it might help to have more details on what exactly is being
On 15/10/15 00:04, Rick Andrews wrote:
On Tuesday, October 13, 2015 at 5:16:10 PM UTC-7, Charles Reiss wrote:
This list of test certs for owned domains contains an entry for
a cert with serial number 0xc222a issued by RapidSSL CA, valid from 05/18/2013
22:27:16 GMT to 06/20/2015 13:57:13 GMT
Rick, your report [1] states that...
"...the certificates never left Symantec's secure test labs or the
QA test machine, and they were never visible to any end user...
One of these test certificates with a CN=www.google.com was an
Extended Validation (EV) test certificate and was
On 14/10/15 18:16, Gervase Markham wrote:
On 14/10/15 13:47, Rob Stradling wrote:
(There are actually 187 rows, but 3 certs are counted twice)
And that's not perhaps because one copy is with a CT poison extension,
and the other is with an SCT?
That's extremely unlikely.
None of those 3 are
Rob, Gerv - Thanks for your input. We are collating all feedback and are
planning to publish another update soon.
On Tuesday, October 13, 2015 at 5:16:10 PM UTC-7, Charles Reiss wrote:
> On 10/13/15 18:46, Kathleen Wilson wrote:
> > In September of this year, the CA Symantec revealed[0] that they had
> > mis-issued
> > a number of certificates for domains that they did not own or control, for
> > testing
On 14/10/15 01:15, Charles Reiss wrote:
> As of this writing, there appears to be a functional server at that
> www.icns.com.au which presents that (expired and revoked) cert and to which
> openssl s_client can successfully connect.
>
> Is this entry an error?
Thank you for doing this
On 13/10/15 19:46, Kathleen Wilson wrote:
They have provided two lists[3][4], one of the 164 certs
and another of the 3073.
[3] https://www-secure.symantec.com/connect/sites/default/files/TestCertificateIncidentReportOwnedDomains.pdf
On 13/10/15 23:58, Michael Colburn wrote:
> Symantec's gone and updated [2] and [4] and both of those links are
> 404ing now. Updated links:
>
> [2]
> https://www-secure.symantec.com/connect/sites/default/files/Test_Certificates_Incident_Final_Report_10_13_2015v3.pdf
> [4]
>
On 14/10/15 13:47, Rob Stradling wrote:
> (There are actually 187 rows, but 3 certs are counted twice)
And that's not perhaps because one copy is with a CT poison extension,
and the other is with an SCT?
Gerv
In September of this year, the CA Symantec revealed[0] that they had
mis-issued a number of certificates for domains that they did not own or
control, for testing purposes. After an “exhaustive review”, they issued
a Final Report[1] which documented 23 such certificates.
Yesterday, Symantec
Symantec's gone and updated [2] and [4] and both of those links are
404ing now. Updated links:
[2]
https://www-secure.symantec.com/connect/sites/default/files/Test_Certificates_Incident_Final_Report_10_13_2015v3.pdf
[4]
18 matches