Since I started requesting revocation for certificates with
known-compromised private keys, I've noticed a rather disturbing pattern
emerging in a few cases:
1. I find a private key on the Internet.
2. I request revocation from the CA on the basis that the private key is
compromised, and
Thanks for pointing it out. We changed the links so that they now refer to the
English version of the CP and CPS.
-Original Message-
From: dev-security-policy On
Behalf Of Matt Palmer via dev-security-policy
Sent: Thursday, March 19, 2020 10:56
To:
On Thu, Mar 19, 2020 at 1:02 AM Matt Palmer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Since I started requesting revocation for certificates with
> known-compromised private keys, I've noticed a rather disturbing pattern
> emerging in a few cases:
>
> 1. I find a
On Thu, Mar 19, 2020 at 05:30:31AM -0500, Ryan Sleevi wrote:
> On Thu, Mar 19, 2020 at 1:02 AM Matt Palmer via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
> > 2. If there are not explicit prohibitions already in place, *should* there
> > be? If so, should it be a BR
As I understand the CCADB Policy (which is included by reference in the
Mozilla Root Store Policy), CAs are required to provide an English
translation of their CP/CPS documents, and link to them in the CCADB.
At the time of writing, the "AllCertificateRecordsReport" CSV shows the
link for the
On Thu, Mar 19, 2020 at 11:10:05AM +, arnold.ess...@t-systems.com wrote:
> Thanks for pointing it out. We changed the links so that they now refer
> to the English version of the CP and CPS.
Thanks for the quick update. Do you have an ETA for the preliminary
incident report?
- Matt
On 2020-03-19 07:02, Matt Palmer wrote:
2. If there are not explicit prohibitions already in place, *should* there
be? If so, should it be a BR thing, or a Policy thing?
I think there should be. I expect them to publish a CRL that says the
reason for revocation is a key compromise. I
On Thu, Mar 19, 2020 at 05:30:31AM -0500, Ryan Sleevi via dev-security-policy
wrote:
> [...] but given that some negligent and
> irresponsible CAs kept agitating to reduce revocation requirements than
> protect users, the ballot was kept simple.
> [...] I worry the same set of negligent and
Has anyone worked with a site/service like this that could help convey
compromised keys between CAs?
https://pwnedkeys.com/submit.html
-Original Message-
From: dev-security-policy On
Behalf Of Matt Palmer via dev-security-policy
Sent: Thursday, March 19, 2020 7:05 AM
To:
>
> - Microsec will check all the issued IVCP certificates looking for similar
> issues - deadline 2020-03-20
>
Microsec has finished the detailed investigation on the issued TLS IVCP
certificates looking for similar issues. The findings are the following:
Microsec issued altogether 9 test
On Thu, Mar 19, 2020 at 9:58 AM Wojtek Porczyk
wrote:
> On Thu, Mar 19, 2020 at 05:30:31AM -0500, Ryan Sleevi via
> dev-security-policy wrote:
> > [...] but given that some negligent and
> > irresponsible CAs kept agitating to reduce revocation requirements than
> > protect users, the ballot was
Matt,
I'm not sure an incident report is necessary. The CCADB policy allows both
to be provided, and the mechanisms that CCADB uses (both for CAs and for
Root Stores) permit a host of expressiveness (and further changes are being
made).
While there is certainly benefit in highlighting the
On Thu, Mar 19, 2020 at 7:06 PM Matt Palmer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Thu, Mar 19, 2020 at 12:33:29PM -0400, Ryan Sleevi wrote:
> > I'm not sure an incident report is necessary. The CCADB policy allows both
> > to be provided, and the
On Thu, Mar 19, 2020 at 12:33:29PM -0400, Ryan Sleevi wrote:
> I'm not sure an incident report is necessary. The CCADB policy allows both
> to be provided, and the mechanisms that CCADB uses (both for CAs and for
> Root Stores) permit a host of expressiveness (and further changes are being
>
On 3/18/20 5:16 PM, Ryan Sleevi wrote:
Suggestions:
1) Rename "Audit Delay" to [audit-delay] and rename "Audit Delay COVID-19"
to [audit-delay] [covid-19] or [audit-delay-covid-19], depending
Rationale: In general, our filters work on word searches, so the brackets
help distinguish the