On Friday, September 8, 2017 at 3:25:20 PM UTC-4, Andrew Ayer wrote:
> The BRs state:
>
> "Effective as of 8 September 2017, section 4.2 of a CA's Certificate
> Policy and/or Certification Practice Statement (section 4.1 for CAs
> still conforming to RFC 2527) SHALL state the CA's policy or
Hi all,
Thank you for the replies. I am glad that there is agreement these certificates
should not have been issued.
I am confident that the test behaved correctly, the last edit on the zone file
was on Aug 31 17:24, and it reads:
crossbear.org. 0 CAA 0 issue ";"
So even
On 11/09/17 15:30, Rob Stradling via dev-security-policy wrote:
Hi Hanno. Thanks for reporting this to us. We acknowledge the problem,
and as I mentioned at [1], we took steps to address it this morning.
We will follow-up with an incident report ASAP.
INCIDENT REPORT
We received two
Hi all,
We've checked logs and still don't have a final conclusion but some clues
about it.
There were 2 attempts to request a cert for crossbear.org, the first one was
10 minutes before and was rejected because of timeout but the second, the
one issued, permitted the issuance.
# 1st request
Ok, let me investigate this further, maybe I didn't catch it rightly.
For the record, the certificate was revoked
Best regards
Iñigo Barreira
CEO
StartCom CA Limited
-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+inigo=startcomca@lists.mozilla.org]
On 11/09/17 22:28, Jeremy Rowley wrote:
> I would support that. I can't recall why it's in there.
As the drafter of the section :-), my intent was to make it so that if a
site owner were concerned about the possibility that their CAA record or
DNS could be spoofed, they could use DNSSEC to solve
On Tuesday, 12 September 2017 10:38:56 UTC+1, Inigo Barreira wrote:
> Furthermore, according to the logs, at the time of checking for a CAA record,
> there was none. The lookup was successful and hence allowed the issuance.
Given that this contradicts the facts alleged in Quirin's tests and the
Hi
Buypass received the problem report at 2017-09-12 00:06 and started
investigating early this morning.
After investigating what happened we identified an error in our system solution
when we have a CAA RR lookup failure. In this case, the DNS CAA RR lookup timed
out several times and we
Hi Quirin,
I was going to reply to your email after investigating what happened, but since
you've posted here, I can share it.
I think most of the CAs are struggling with the DNSSEC interpretation or how to
solve some of the issues.
In our case, I can tell the following:
The DNSSEC checking is
Hi,
inspired by the ballot paragraph [1], I set up a domain that is fully DNSSEC
signed [2], but does not reply to CAA queries (timeout).
I could obtain certificates for this domain from Buypass and Startcom [3].
Other CAs (RapidSSL, GeoTrust, LetsEncrypt) have refused to issue, and GoDaddy
+1
On 11/09/2017 23:28, Jeremy Rowley via dev-security-policy wrote:
I would support that. I can't recall why it's in there.
-Original Message-
From: Jonathan Rudenberg [mailto:jonat...@titanous.com]
Sent: Monday, September 11, 2017 3:19 PM
To: Jeremy Rowley