RE: Certificates with shared private keys by gaming software (EA origin, Blizzard battle.net)

2017-12-29 Thread Jeremy Rowley via dev-security-policy
BTW - this certificate was revoked. -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Mark Steward via dev-security-policy Sent: Friday, December 29, 2017 11:30 AM To: Matthew Hardeman

Re: Serial number length

2017-12-29 Thread Paul Kehrer via dev-security-policy
On December 29, 2017 at 12:27:35 PM, David E. Ross via dev-security-policy (dev-security-policy@lists.mozilla.org) wrote: On 12/28/2017 10:33 PM, Peter Bowen wrote: > On Thu, Dec 28, 2017 at 10:24 PM, Jakob Bohm via dev-security-policy > wrote: >> After

Re: Certificates with shared private keys by gaming software (EA origin, Blizzard battle.net)

2017-12-29 Thread Mark Steward via dev-security-policy
On Mon, Dec 25, 2017 at 7:50 PM, Matthew Hardeman via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > Part of the trouble in relying upon the name alone is that on many OS's > (maybe all -- at least all the ones that matter for client side work) can > have localhost

Re: Serial number length

2017-12-29 Thread David E. Ross via dev-security-policy
On 12/28/2017 10:33 PM, Peter Bowen wrote: > On Thu, Dec 28, 2017 at 10:24 PM, Jakob Bohm via dev-security-policy > wrote: >> After looking at some real certificates both in the browser and on crt.sh, I >> have some followup questions on certificate serial

Re: Certificates with shared private keys by gaming software (EA origin, Blizzard battle.net)

2017-12-29 Thread Mark Steward via dev-security-policy
I sent the key to Jeremy on Tuesday as Hanno suggested, and it was revoked at 9am the next morning. The encrypted private key information is only in memory during startup, so I identified that bit of code and broke into a debugger. You could pull the parameters out of OpenSSL's internals too.

Re: Serial number length

2017-12-29 Thread Ryan Sleevi via dev-security-policy
Or just generate longer serials with random. Which is much simpler. On Fri, Dec 29, 2017 at 11:57 AM, Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > On 29/12/2017 13:55, Nick Lamb wrote: > >> On Fri, 29 Dec 2017 07:24:31 +0100 >> Jakob Bohm via

Re: Serial number length

2017-12-29 Thread Jakob Bohm via dev-security-policy
On 29/12/2017 13:55, Nick Lamb wrote: On Fri, 29 Dec 2017 07:24:31 +0100 Jakob Bohm via dev-security-policy wrote: 3. Or would the elimination in #2 reduce the entropy of such serial numbers to slightly less than 64 bits (since there are less than

Re: Serial number length

2017-12-29 Thread Ryan Sleevi via dev-security-policy
On Fri, Dec 29, 2017 at 1:24 AM, Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > After looking at some real certificates both in the browser and on crt.sh, > I have some followup questions on certificate serial numbers: > > 1. Do all recently issued

Re: Serial number length

2017-12-29 Thread Nick Lamb via dev-security-policy
On Fri, 29 Dec 2017 07:24:31 +0100 Jakob Bohm via dev-security-policy wrote: > 3. Or would the elimination in #2 reduce the entropy of such serial > numbers to slightly less than 64 bits (since there are less than > 2**64 allowed values for all but the