Re: GoDaddy Underscore Revocation Disclosure

2019-02-08 Thread Santhan Raj via dev-security-policy
On Friday, February 8, 2019 at 7:25:08 PM UTC-8, Jakob Bohm wrote:
> On 09/02/2019 01:36, Santhan Raj wrote:
> > On Friday, February 8, 2019 at 4:09:32 PM UTC-8, Joanna Fox wrote:
> >> I agree on the surface this bug appears to be the same, but the root cause
> >> is different. The issue for

Re: GoDaddy Underscore Revocation Disclosure

2019-02-08 Thread Jakob Bohm via dev-security-policy
On 09/02/2019 01:36, Santhan Raj wrote: On Friday, February 8, 2019 at 4:09:32 PM UTC-8, Joanna Fox wrote: I agree on the surface this bug appears to be the same, but the root cause is different. The issue for bug 1462844 was a specific status not counting as active when it was. To mitigate

Re: GoDaddy Underscore Revocation Disclosure

2019-02-08 Thread Joanna Fox via dev-security-policy
I agree on the surface this bug appears to be the same, but the root cause is different. The issue for bug 1462844 was a specific status not counting as active when it was. To mitigate this issue, we updated the query to include the missing status. However, we are in the process of

Re: GoDaddy Underscore Revocation Disclosure

2019-02-08 Thread Ryan Sleevi via dev-security-policy
Good catch, thanks Wayne! I also realized it sounds very similar to https://bugzilla.mozilla.org/show_bug.cgi?id=1526154 from DigiCert, which similarly included an overly-restrictive query. It's also similar to Symantec's incident investigation in

Re: GoDaddy Underscore Revocation Disclosure

2019-02-08 Thread Wayne Thayer via dev-security-policy
Perhaps more concerning, this sounds a lot like bug #1462844 in which misissued certificates were reported that had not been found and revoked despite GoDaddy having previously scanned their database for the issue. GoDaddy never identified or described how they would remediate the cause of that

Re: GoDaddy Underscore Revocation Disclosure

2019-02-08 Thread Ryan Sleevi via dev-security-policy
Thanks Joanna, Just to make sure - this is https://bugzilla.mozilla.org/show_bug.cgi?id=1524815 correct? If so, this sounds remarkably similar to the root cause analysis that Entrust shared, in https://bugzilla.mozilla.org/show_bug.cgi?id=1521520 . Similar to that issue, please provide an update

GoDaddy Underscore Revocation Disclosure

2019-02-08 Thread Joanna Fox via dev-security-policy
GoDaddy received a certificate problem report on 1/29/2019 for 2 unrevoked unexpired certificates that have underscores in the DNS name and did not meet the January 15th deadline for revocation. The certificates reported are as follows: https://crt.sh/?opt=zlint=626981823

Re: Discrepancy on Address

2019-02-08 Thread identrust--- via dev-security-policy
On Friday, February 8, 2019 at 4:20:14 AM UTC-5, Kurt Roeckx wrote:
> On 2019-02-08 1:04, identr...@gmail.com wrote:
> > On Thursday, February 7, 2019 at 6:47:03 PM UTC-5, iden...@gmail.com wrote:
> >> On 04/04/2018 we found a discrepancy in the address values for some SSL
> >> certificates. A

Re: Discrepancy on Address

2019-02-08 Thread Kurt Roeckx via dev-security-policy
On 2019-02-08 1:04, identr...@gmail.com wrote: On Thursday, February 7, 2019 at 6:47:03 PM UTC-5, iden...@gmail.com wrote: On 04/04/2018 we found a discrepancy in the address values for some SSL certificates. A formal incident Report was just posted: