On Mon, Feb 5, 2018 at 4:33 PM, Alex Cohn via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> I logged two of those five certificates (https://crt.sh/?id=308392091
> and https://crt.sh/?id=307753186) to Argon, as part of a project to
> log every certificate in the censys.io
I logged two of those five certificates (https://crt.sh/?id=308392091
and https://crt.sh/?id=307753186) to Argon, as part of a project to
log every certificate in the censys.io database to a public CT log. I
believe Censys found them by scanning all of IPv4 and grabbing the
default (i.e. no SNI)
The CA/Browser Forum’s Bylaws at Section 2.3(c) allow the Forum Chair
(currently me) to invite Interested Parties to participate in Working Group
meetings.
I hereby extend an invitation to Forum Interested Parties to participate in
person or remotely in the all-day Validation Working Group
Gerv and I have made, and the CA/Browser Forum has accepted, a proposal to
convene a "Validation Summit" on Tuesday March 6th during the next
regularly scheduled CA/Browser Forum face-to-face meeting that will be held
in the Washington DC area.
The intent of this summit is to perform an analysis
On Mon, 5 Feb 2018 12:07:06 -0500
Eric Mill via dev-security-policy
wrote:
> WoSign and StartCom are untrusted, but Certum is still trusted, right?
Yes.
In case that was unclear: The sentence "As we all know these are no
longer trusted by Mozilla, ..."
I have filed https://bugzilla.mozilla.org/show_bug.cgi?id=1435770
requesting an incident report from Certum.
On Mon, Feb 5, 2018 at 10:07 AM, Eric Mill via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> WoSign and StartCom are untrusted, but Certum is still trusted, right?
WoSign and StartCom are untrusted, but Certum is still trusted, right?
On Mon, Feb 5, 2018 at 11:08 AM, Hanno Böck via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Hi,
>
> I searched crt.sh for valid certificates vulnerable to the 2008 Debian
> weak key bug. (Only 2048
Hi,
I searched crt.sh for valid certificates vulnerable to the 2008 Debian
weak key bug. (Only 2048 bit.)
Overall I found 5 unexpired certificates.
Two certificates by Certum (reported on Saturday, Certum told me "We
have taken necessary steps to clarify this situation as soon as
possible",
Re Section 3.4, you seem to assume the domain holder is a ComSign
subscriber. In case of misissuance, that may not be true.
Cheers,
Julien
On Mon, Feb 5, 2018 at 4:23 PM, YairE via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Hi, thank you for pointing the above
> Here
Hi, thank you for pointing the above
Here is our response:
Section 1.3.2.5
We have corrected our CPS now that only limited actions could be performed by
DTP's
And they cannot perform domain validation.
Section 3.2.2.4
We are aware of the problems with the methods that have been raised, we