Re: Certificates with 2008 Debian weak key bug

2018-02-05 Thread Wayne Thayer via dev-security-policy
On Mon, Feb 5, 2018 at 4:33 PM, Alex Cohn via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> I logged two of those five certificates (https://crt.sh/?id=308392091
> and https://crt.sh/?id=307753186) to Argon, as part of a project to
> log every certificate in the censys.io

Re: Certificates with 2008 Debian weak key bug

2018-02-05 Thread Alex Cohn via dev-security-policy
I logged two of those five certificates (https://crt.sh/?id=308392091 and https://crt.sh/?id=307753186) to Argon, as part of a project to log every certificate in the censys.io database to a public CT log. I believe Censys found them by scanning all of IPv4 and grabbing the default (i.e. no SNI)

Re: Validation Summit

2018-02-05 Thread tech29063--- via dev-security-policy
The CA/Browser Forum’s Bylaws at Section 2.3(c) allow the Forum Chair (currently me) to invite Interested Parties to participate in Working Group meetings. I hereby extend an invitation to Forum Interested Parties to participate in person or remotely in the all-day Validation Working Group

Validation Summit

2018-02-05 Thread Wayne Thayer via dev-security-policy
Gerv and I have made, and the CA/Browser Forum has accepted, a proposal to convene a "Validation Summit" on Tuesday March 6th during the next regularly scheduled CA/Browser Forum face-to-face meeting that will be held in the Washington DC area. The intent of this summit is to perform an analysis

Re: Certificates with 2008 Debian weak key bug

2018-02-05 Thread Hanno Böck via dev-security-policy
On Mon, 5 Feb 2018 12:07:06 -0500 Eric Mill via dev-security-policy wrote:
> WoSign and StartCom are untrusted, but Certum is still trusted, right?
Yes. In case that was unclear: The sentence "As we all know these are no longer trusted by Mozilla, ..."

Re: Certificates with 2008 Debian weak key bug

2018-02-05 Thread Wayne Thayer via dev-security-policy
I have filed https://bugzilla.mozilla.org/show_bug.cgi?id=1435770 requesting an incident report from Certum.
On Mon, Feb 5, 2018 at 10:07 AM, Eric Mill via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> WoSign and StartCom are untrusted, but Certum is still trusted, right?

Re: Certificates with 2008 Debian weak key bug

2018-02-05 Thread Eric Mill via dev-security-policy
WoSign and StartCom are untrusted, but Certum is still trusted, right?
On Mon, Feb 5, 2018 at 11:08 AM, Hanno Böck via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Hi,
>
> I searched crt.sh for valid certificates vulnerable to the 2008 Debian
> weak key bug. (Only 2048

Certificates with 2008 Debian weak key bug

2018-02-05 Thread Hanno Böck via dev-security-policy
Hi, I searched crt.sh for valid certificates vulnerable to the 2008 Debian weak key bug. (Only 2048 bit.) Overall I found 5 unexpired certificates. Two certificates by Certum (reported on Saturday, Certum told me "We have taken necessary steps to clarify this situation as soon as possible",

Re: ComSign Root Renewal Request

2018-02-05 Thread Julien Cristau via dev-security-policy
Re Section 3.4, you seem to assume the domain holder is a ComSign subscriber. In case of misissuance, that may not be true.
Cheers, Julien
On Mon, Feb 5, 2018 at 4:23 PM, YairE via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Hi, thank you for pointing the above
> Here

Re: ComSign Root Renewal Request

2018-02-05 Thread YairE via dev-security-policy
Hi, thank you for pointing out the above. Here is our response: Section 1.3.2.5 We have corrected our CPS now that only limited actions could be performed by DTPs, and they cannot perform domain validation. Section 3.2.2.4 We are aware of the problems with the methods that have been raised, we