RE: Certificate validation phishing

2017-01-23 Thread Jeremy Rowley
And why wouldn't a request token fit the patent's interpretation of a "Pass String"? The only definition I saw in the patent was something generated by the validating entity and forwarded to the requester. The pass string can be a code, but that does not necessarily preclude a request token. "1.

Re: Misissued/Suspicious Symantec Certificates

2017-01-23 Thread Ryan Sleevi
Steve, While I understand that your investigation is ongoing, this does seem extremely similar, if not identical, to Symantec's previous misissuance. In that previous incident, Symantec took a number of steps - beginning with reportedly immediately terminating the employees responsible and then

Re: Question about Baseline Requirements section #7.1.4.2

2017-01-23 Thread Peter Bowen
On Mon, Jan 23, 2017 at 3:32 PM, Kathleen Wilson wrote: > Does section 7.1.4.2 of the CA/Browser Forum's Baseline Requirements only > apply to end-entity certificates? > > If yes, where does it specify that in the document? > > This has come up in a few CA requests, due to

Question about Baseline Requirements section #7.1.4.2

2017-01-23 Thread Kathleen Wilson
All, Does section 7.1.4.2 of the CA/Browser Forum's Baseline Requirements only apply to end-entity certificates? If yes, where does it specify that in the document? This has come up in a few CA requests, due to errors we get when we run Kurt's x509lint test. Example:

Re: Certificate validation phishing

2017-01-23 Thread Nick Lamb
On Monday, 23 January 2017 18:07:59 UTC, Jeremy Rowley wrote: > What do you mean they are weak sauce? Considering at least one of the > patents is claimed to cover the ACME challenge validations, they seem pretty > on-point. I thought my comparison illustrated very well what I meant by weak

RE: Certificate validation phishing

2017-01-23 Thread Jeremy Rowley
What do you mean they are weak sauce? Considering at least one of the patents is claimed to cover the ACME challenge validations, they seem pretty on-point. -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On

Re: Certificate validation phishing

2017-01-23 Thread tdelmas
On Monday, January 23, 2017 at 10:34:42 AM UTC+1, Santhan Raj wrote: > If a domain administrator approves a request without checking why/who needs > the cert, there is little a CA can do to mitigate such threats. I agree. But the CA could help prevent these threats. And, in that specific case,

Re: Certificate validation phishing

2017-01-23 Thread Santhan Raj
If a domain administrator approves a request without checking why/who needs the cert, there is little a CA can do to mitigate such threats.