Compromised certificate that the owner didn't wish to revoke (signed by GeoTrust)

2016-09-06 Thread Kyle Hamilton
As far as I know, GeoTrust is not at fault here. They just signed this (domain validated) certificate, and I don't know if they've been notified of it before. That said, I don't have GeoTrust's contact info, and I'm presuming that someone here does. Information here comes from

Re: Reuse of serial numbers

2016-09-06 Thread Kyle Hamilton
On 9/6/2016 04:59, Ben Laurie wrote: > On 1 September 2016 at 11:29, Peter Gutmann wrote: >> Rob Stradling writes: >> I guess it makes them easy to revoke, if a single revocation can kill 313 certs at once. >>> That's true. >> Hey,

Re: Compromised certificate that the owner didn't wish to revoke (signed by GeoTrust)

2016-09-14 Thread Kyle Hamilton
On 9/12/2016 20:20, Jakob Bohm wrote: > On 13/09/2016 03:03, Kyle Hamilton wrote: >> I would prefer not to see a securelogin-.arubanetworks.com >> name, because such makes it look like Aruba Networks is operating the >> captive portal. If (for whatev

Re: Compromised certificate that the owner didn't wish to revoke (signed by GeoTrust)

2016-09-12 Thread Kyle Hamilton
PKI Policy Manager, Symantec Corporation >> >> -----Original Message- >> From: Jeremy Rowley [mailto:jeremy.row...@digicert.com] >> Sent: Tuesday, September 06, 2016 7:06 PM >> To: Steve Medin <steve_me...@symantec.com> >> Cc: Gervase Markham <g...@mozilla.o

Re: Incidents involving the CA WoSign

2016-09-09 Thread Kyle Hamilton
I do have to ask this, though: WoSign has at least one EV issuer. I do not know if there is an issuer with EV permissions in NSS, but WoSign does have an EV code signing issuer in the Microsoft root program. Has this issuer been checked to ensure that it could not have misissued certificates?

Re: Reuse of serial numbers by StartCom

2016-09-06 Thread Kyle Hamilton
On 9/4/2016 02:04, Eddy Nigg wrote: > On 09/02/2016 07:02 PM, Nick Lamb wrote: >> On Friday, 2 September 2016 08:50:02 UTC+1, Eddy Nigg wrote: >>> Lets speak about relying parties - how does this bug affect you? >> As a relying party I am entitled to assume that there is no more than >> one

Francisco Partners acquires Comodo certificate authority business

2017-10-31 Thread Kyle Hamilton via dev-security-policy
http://www.eweek.com/security/francisco-partners-acquires-comodo-s-certificate-authority-business ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy

Re: Francisco Partners acquires Comodo certificate authority business

2017-10-31 Thread Kyle Hamilton via dev-security-policy
), or is it a case of "rumor mill reported as fact"? -Kyle H On 2017-10-31 06:21, Kyle Hamilton wrote: http://www.eweek.com/security/francisco-partners-acquires-comodo-s-certificate-authority-business

Re: DigiCert issued certificate with Let's Encrypt's public key

2020-05-18 Thread Kyle Hamilton via dev-security-policy
CABForum's current Basic Requirements, section 3.2.1, is titled "Method to prove possession of private key". It is currently blank. A potential attack without Proof of Possession which PKIX glosses over could involve someone believing that a signature on a document combined with the
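The check the post says the Baseline Requirements leave blank is the PKCS#10 self-signature: the requester signs the request body with the private key matching the public key inside it, and the CA verifies that signature before certifying the key. The following is an added illustration, not code from this thread, from DigiCert or from any CA. To run without third-party libraries it uses hand-rolled textbook RSA over tiny constructed primes and a JSON stand-in for the ASN.1 request body; the keys are not secure and exist only to show the check and the failure case of a request that carries someone else's public key.

```python
"""Toy proof-of-possession (PoP) check for a certificate request.

Added example, not from the thread or any CA. Models the PKCS#10
self-signature a CSR carries. RSA is textbook and the primes are
tiny constructed values: NOT secure, only enough to show the check.
"""
import hashlib
import json

# Constructed toy primes (far too small for real use).
PRIMES_A = (1000000007, 998244353)
PRIMES_B = (999999937, 999999929)


def make_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)) for toy RSA over the given primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def request_body(subject, pubkey):
    """Canonical encoding of the to-be-signed part of a request
    (stands in for the DER CertificationRequestInfo)."""
    n, e = pubkey
    return json.dumps({"subject": subject, "n": n, "e": e}, sort_keys=True).encode()


def digest_int(data, n):
    """SHA-256 of the body reduced into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign_request(subject, pubkey, privkey):
    """Build a request naming `pubkey`, signed with `privkey`.

    A legitimate requester passes the private half of `pubkey`.  An
    attacker who only has someone else's public key can call this too,
    but must sign with a key that does not match the body.
    """
    n, d = privkey
    body = request_body(subject, pubkey)
    sig = pow(digest_int(body, n), d, n)
    return {"body": body, "signature": sig}


def pop_valid(req):
    """CA-side check: verify the self-signature with the public key
    carried in the request body itself.  True only if the signer held
    the private key matching that public key."""
    body = json.loads(req["body"])
    n, e = body["n"], body["e"]
    return pow(req["signature"], e, n) == digest_int(req["body"], n)


def demo():
    """Return (honest_request_valid, forged_request_valid)."""
    pub_a, priv_a = make_keypair(*PRIMES_A)
    pub_b, _priv_b = make_keypair(*PRIMES_B)   # attacker never has priv_b
    honest = sign_request("example.com", pub_a, priv_a)
    # Request claims key B (someone else's public key) but is signed with A.
    forged = sign_request("example.com", pub_b, priv_a)
    return pop_valid(honest), pop_valid(forged)


if __name__ == "__main__":
    print(demo())
```

The forged request is exactly the situation the thread describes: a request body that names a public key the requester does not control. A CA that verifies the self-signature rejects it; a CA that skips the check binds the requester's name to a key held by someone else.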

Re: DigiCert issued certificate with Let's Encrypt's public key

2020-05-18 Thread Kyle Hamilton via dev-security-policy
That is my reading of the situation, that they're not doing an actual certification of an enrollment without verifying the actual key-identity binding. In addition, I'm wondering if the concept of "third-party attestation" (of identity) is even a thing anymore, given that most CAs issue

Re: DigiCert issued certificate with Let's Encrypt's public key

2020-05-18 Thread Kyle Hamilton via dev-security-policy
On Mon, May 18, 2020, 19:46 Ryan Sleevi wrote: > On Mon, May 18, 2020 at 7:55 PM Kyle Hamilton via dev-security-policy > wrote: > > > Regardless of that potential con, though, there is one very important > thing > > which Proof of Possession is good for, regardless