Re: Private key corresponding to public key in trusted Cisco certificate embedded in executable

On Monday, June 19, 2017 at 11:40:22 PM UTC-5, Tom Ritter wrote: > So at what point does the CA become culpable to misissuance in a case > like this? Is it okay that we let them turn a blind eye to issuing or > reissuing certificates where they have a strong reason to believe the > private key

Re: Private key corresponding to public key in trusted Cisco certificate embedded in executable

On 19 June 2017 at 08:28, Samuel Pinder via dev-security-policy wrote: > Therefore the newly re-issued > certificate *will* end up with it's private key compromised *again*, > no matter how well it may be obfuscated in the application, it is > still against

Re: Private key corresponding to public key in trusted Cisco certificate embedded in executable

On Sun, Jun 18, 2017 at 08:17:07AM -0700, troy.fridley--- via dev-security-policy wrote: > If you should find such an issue again in a Cisco owned domain, please > report it to ps...@cisco.com and we will ensure that prompt and proper > actions are taken. I don't know, this way seems to have

Re: Symantec response to Google proposal

Notes on your below suggested timeline: 1. I see no reason to have that many new root bundles from Symantec. Ideally, there would be just two bundles: A transitional root bundle which signs the outsourced SubCAs only, and a final bundle intended to become the new long-term Symantec roots.

Re: [EXT] Mozilla requirements of Symantec

On 12/06/2017 22:12, Nick Lamb wrote: On Monday, 12 June 2017 17:31:58 UTC+1, Steve Medin wrote: We think it is critically important to distinguish potential removal of support for current roots in Firefox versus across NSS. Limiting Firefox trust to a subset of roots while leaving NSS

Re: Unknown Intermediates

On Monday, 19 June 2017 20:57:28 UTC+1, Tavis Ormandy wrote: > I noticed there's an apparently valid facebook.com certificate in there > (61b1526f9d75775c3d533382f36527c9.pem). This is surprising to me, that > seems like it would be in CT already - so maybe I don't know what I'm doing. > > Let

Re: ETSI auditors still not performing full annual audits?

On Monday, June 19, 2017 at 12:21:46 PM UTC-7, Peter Bowen wrote: > It seems there is some confusion. The document presented would appear > to be a Verified Accountant Letter (as defined in the EV Guidelines) > and can used as part of the process to validate a request for an EV > certificate. It

Re: Private key corresponding to public key in trusted Cisco certificate embedded in executable

I wonder if the device intercepts DNS queries within the LAN for that address and substitutes in the IP of the appliance instead of 127.0.0.1. Is it often deployed as the customer premise NAT/router in addition to serving video purposes? I'm thinking they probably wanted some other devices or

Principles and Goals

I think it might be useful to take a step back and remind ourselves of Mozilla's mission, principles and goals with regard to resolving the situation with Symantec. These will be useful as we flesh out the details of the consensus proposal, particularly concerning dates. First, a quick reminder

Re: Unknown Intermediates

I noticed there's an apparently valid facebook.com certificate in there (61b1526f9d75775c3d533382f36527c9.pem). This is surprising to me, that seems like it would be in CT already - so maybe I don't know what I'm doing. Let me know if I've misunderstood something. Tavis. On Mon, Jun 19, 2017 at

Re: Unknown Intermediates

Thanks Alex, I took a look, it looks like the check pings crt.sh - is doing that for a large number of certificates acceptable Rob? I made a smaller set, the certificates that have 'SSL server: Yes' or 'Any Purpose : Yes', there were only a few thousand that verified, so I just checked those and

Re: ETSI auditors still not performing full annual audits?

On Mon, Jun 19, 2017 at 12:14 PM, Kathleen Wilson via dev-security-policy wrote: > I just filed https://bugzilla.mozilla.org/show_bug.cgi?id=1374381 about an > audit statement that I received for SwissSign. I have copied the bug > description below,

ETSI auditors still not performing full annual audits?

I just filed https://bugzilla.mozilla.org/show_bug.cgi?id=1374381 about an audit statement that I received for SwissSign. I have copied the bug description below, because I am concerned that there still may be ETSI auditors (and CAs?) who do not understand the audit requirements, see below.

Re: Unknown Intermediates

If you're interested in playing around with submitting them yourself, or checking if they're already submitted, I've got some random tools for working with CT: https://github.com/alex/ct-tools Specifically ct-tools check will get what you want. It's all serial, so for

Re: Private key corresponding to public key in trusted Cisco certificate embedded in executable

There's more than just a clue in the name drmlocal.cisco.com , if one looks up this address in the DNS it returns the loopback IP 127.0.0.1 . http://dnstools.ws/tools/lookup.php?host=drmlocal.cisco.com=A This can only mean that this address is fully intended to be referred to only by one's own

Re: Turktrust SubCA abuse and MITM'ing

I found two and they were both expired so I disable them and did some research which ended me in many sites and also here in this forum. If this happened so long ago and was caught why is it in my Galaxy Grand Prime that I bought brand-new less than two years ago.This is one-