On Dec 25 2008, 12:36 am, Kyle Hamilton aerow...@gmail.com wrote:
To be honest, Mozilla doesn't distribute keytool with Firefox, which
means that I have to try to go into the (unbatchable) interface
this is false.
the ui is built as xul with js bindings to c++ objects which use idl
to expose
On Dec 31 2008, 12:28 am, Kyle Hamilton aerow...@gmail.com wrote:
(note: unknown_issuer without talking at all about who the issuer
claims to be
you're missing a critical point:
the issuer is something about which we know nothing.
someone could claim issuer: GOD or issuer: POTUS or issuer:
Kyle,
Kyle Hamilton wrote:
On Wed, Dec 24, 2008 at 2:46 PM, Eddy Nigg eddy_n...@startcom.org wrote:
On 12/25/2008 12:36 AM, Kyle Hamilton:
To be honest, Mozilla doesn't distribute keytool with Firefox, which
means that I have to try to go into the (unbatchable) interface and
remove the flags
Kyle,
Kyle Hamilton wrote:
I am minded of the CRL entry reason remove from CRL. Does NSS
properly handle that reason-code?
The reason code remove from CRL is only applicable to delta CRLs. In
addition, this is only allowed if the certificate had the status of on
hold in the base CRL. You
* Eddy Nigg:
just because CAs start to play games with each other. This is not
about security proper. You're trying to pull us into a PR attack
on one of your competitors, thereby willingly reducing confidence
in ecommerce. (I'm exaggerating a bit, of course.)
Exactly the opposite is
Gervase Markham wrote, On 2008-12-27 05:07:
Hi John,
You raise some important questions, but it's worth having clarity on a
few matters of fact.
John Nagle wrote:
1. AddTrust, a company which apparently no longer exists, has an
approved root CA certificate. This in itself is
On 01/03/2009 06:41 PM, Florian Weimer:
I can understand that point of view. But what you seem to be asking
is that browser vendors take the role of judges, regulating CA
behavior. Shouldn't that be better left to the court system, keeping
Mozilla out of the loop? What advantage does Mozilla
On 27.12.2008 13:34, Gervase Markham wrote:
sayrer wrote:
The truth is that we are basically unable to act without a lot of
collateral damage. We should keep this in mind with future security
technology. Relying on companies willing to take money for doing
absolutely nothing (not even the
* Michael Ströder:
Florian Weimer wrote:
Even if you've got the certificate, you need to attack IP routing or
DNS. If you can do that, chances are that you can mount this attack
against one of the domain-validating RAs, and still receive a
certificate. So the browser PKI is currently
Florian Weimer wrote, On 2008-12-30 13:04:
* Michael Ströder:
Florian Weimer wrote:
Even if you've got the certificate, you need to attack IP routing or
DNS. If you can do that, chances are that you can mount this attack
against one of the domain-validating RAs, and still receive a
Ben Bucksch wrote:
We try to train users to check that the bar is green (on sites where it
was green before), and not use the site when it's merely blue.
Otherwise, EV is useless, as the scammer could get a, say, CertStar
cert, to fake an EV site, right? Only when people start getting
On Tue, Dec 30, 2008 at 1:04 PM, Florian Weimer f...@deneb.enyo.de wrote:
BCP 38 requires that active MITM attacks don't work on LANs. LANs
which violate that and are under attack are typically not very usable:
Search engines block you due to automated queries, DHCP and DNS
deliver data
Michael Ströder wrote:
Given the large amount of self-generated server certs this problem
already exists.
Large number != large % of visits. A million Joe Publics might use the
Internet for 5 years to do their online shopping without once
encountering a self-signed cert or a certificate error.
sayrer wrote:
The truth is that we are basically unable to act without a lot of
collateral damage. We should keep this in mind with future security
technology. Relying on companies willing to take money for doing
absolutely nothing (not even the bare minimum they agreed to) is not a
pleasant
On 12/27/2008 02:16 PM, Ian G:
Indeed, this is the Verisign buyout model; outsource something new,
get huge, get bought out by Verisign.
What has that to do exactly with what Paul agreed to?
It doesn't matter in business principle whether it outsources a function
to a reseller, to its
On 12/27/2008 02:34 PM, Gervase Markham:
One of the points of EV was to allow us to act against a CA without
massive collateral damage. We can remove EV status from a root without
disabling the root entirely.
Which unfortunately isn't really effective for the issue we are facing
today.
On 27/12/08 02:21, Paul C. Bryan wrote:
On Dec 26, 4:40 pm, Ian G i...@iang.org wrote:
With respect:
This is a forum for the discussion of technical, crypto, root and general PKI
issues, by either diktat or convention. It is not a forum for the airing of
general business complaints.
Are
Ian G wrote:
On 26/12/08 00:36, Michael Ströder wrote:
Paul Hoffman wrote:
At 7:16 PM +0100 12/25/08, Michael Ströder wrote:
I'd tend to punish a rogue CA by removing their root CA cert from NSS.
I do not see a rogue CA. The evidence of the posts here suggests a flaw
leading to false
ro...@comodo.com wrote:
On Dec 24, 2:13 am, Paul C. Bryan em...@pbryan.net wrote:
2. Are resellers subject to the same audits that Comodo presumably had
to undergo to get its root certs added to Mozilla? Who performs, and
who verifies such audits? How often are they performed?
No, the RAs are
Gervase Markham wrote:
We (Mozilla) would expect Comodo to be issuing certificates under any
root it owns, whether the name on the root is its own or another's,
in compliance with the Mozilla CA policy and the audits it has
passed.
[..]
There are root certificates in the store which bear the
Eddy Nigg wrote:
On 12/27/2008 02:34 PM, Gervase Markham:
One of the points of EV was to allow us to act against a CA without
massive collateral damage. We can remove EV status from a root without
disabling the root entirely.
Which unfortunately isn't really effective for the issue we are
John Nagle wrote:
As a user of SSL certificates in our SiteTruth system, which
attempts to identify and rate the business behind a web site, we're
concerned about CA reliability and trust. We've been using Mozilla's
approved root cert list for our system, and are considering whether
we
On 27/12/08 13:34, Gervase Markham wrote:
sayrer wrote:
The truth is that we are basically unable to act without a lot of
collateral damage. We should keep this in mind with future security
technology. Relying on companies willing to take money for doing
absolutely nothing (not even the bare
On 27/12/08 13:43, Eddy Nigg wrote:
On 12/27/2008 02:16 PM, Ian G:
Indeed, this is the Verisign buyout model; outsource something new,
get huge, get bought out by Verisign.
What has that to do exactly with what Paul agreed to?
It doesn't matter in business principle whether it outsources a
Ian G wrote:
On 27/12/08 13:43, Eddy Nigg wrote:
So? Mozilla really shouldn't care about the business revenues of some
CAs. How is that relevant?
Well, a normal lesson of business is that we can't get business people
to agree to something if their revenues go down... PKI is business only
Frank Hecker wrote:
John Nagle wrote:
2. CertStar must separately undergo an audit to WebTrust standards,
and the audit report must be published.
Certstar isn't a CA, and thus the WebTrust for CAs criteria are not
necessarily a good fit for it.
If a CA delegates some tasks to a
* Hendrik Weimer:
Frank Hecker hec...@mozillafoundation.org writes:
My intent is to balance the disruption that would be caused by pulling
a root vs. the actual security threat to users. Right now we have no
real idea as to the extent of the problem (e.g., how many certs might
have been
On 12/27/2008 5:07 AM, Gervase Markham wrote [in part]:
Hi John,
You raise some important questions, but it's worth having clarity on a
few matters of fact.
John Nagle wrote [also in part]:
1. AddTrust, a company which apparently no longer exists, has an
approved root CA
On 12/27/2008 5:48 AM, Michael Ströder wrote [in part]:
ro...@comodo.com wrote [in part]:
On Dec 24, 2:13 am, Paul C. Bryan em...@pbryan.net wrote:
2. Are resellers subject to the same audits that Comodo presumably had
to undergo to get its root certs added to Mozilla? Who performs, and
who
Ian G wrote:
That earlier story has no real place here, IMHO. This is a forum for
the discussion of technical, crypto, root and general PKI issues, by
either diktat or convention. It is not a forum for the airing of
general business complaints.
I agree that the effects of this whole story
On 12/27/2008 05:10 PM, Michael Ströder:
Frank Hecker wrote:
(Plus the expense of a full WebTrust for
CAs audit is likely an order of magnitude higher than Certstar's
probable revenues.)
It's Comodo's business decision whether they delegate some tasks to an
external RA or not and whether the
On 12/27/2008 05:38 PM, Florian Weimer:
Isn't that, by itself, a very good reason to take immediate action?
Security should be default-fail rather than default-pass.
This is not about security, this is about the presence or absence of
an obscure browser warning.
Huuu? Have you understood the
On 12/27/2008 03:07 PM, Gervase Markham:
This is extremely common. Certificates change hands. Failing to honour
root certificates which are no longer owned by the companies which
created them would break a significant proportion of the web. Microsoft
does not have a policy preventing this.
In
Florian Weimer wrote:
Even if you've got the certificate, you need to attack IP routing or
DNS. If you can do that, chances are that you can mount this attack
against one of the domain-validating RAs, and still receive a
certificate. So the browser PKI is currently irrelevant for practical
On 12/27/2008 11:07 PM, Michael Ströder:
I meant the RA should also be audited during the CA audit.
This in turn would be similar to this
https://wiki.mozilla.org/CA:Problematic_Practices#Allowing_external_entities_to_operate_unconstrained_subordinate_CAs
At this stage I'm not proposing
On 12/27/2008 10:36 PM, Florian Weimer:
As a downstream distributor of Mozilla code,
StartCom is also a downstream distributor of Mozilla code...
I'd hate to roll out updates (especially security updates)
...which happens every two months anyway...
just because CAs start to play games
I am a user. I am worried about MITM attacks.
Unlike most users, I'm technically and legally savvy enough to know:
1) Why to perform my due diligence
2) How to perform my due diligence
3) How to add the root into my store
However, I have additional problems that I can't deal with through
the
https://bugzilla.mozilla.org/show_bug.cgi?id=426575
UTN-UserFIRST-Hardware is enabled for EV per that bug.
-Kyle H
On Thu, Dec 25, 2008 at 9:59 AM, Frank Hecker
hec...@mozillafoundation.org wrote:
Kyle Hamilton wrote:
What is the effect of this problem on the request to enable the
On Dec 24, 2:13 am, Paul C. Bryan em...@pbryan.net wrote:
On Dec 23, 5:56 pm, ro...@comodo.com wrote:
Some questions:
1. Does Comodo take full responsibility for the actions of its
resellers? If so, how should the repercussions of such failures be to
Comodo?
Comodo accepts responsibility for
See, Robin, my thought is this:
You've already shown that it's possible for the RA function to bypass
all controls. At this point, because they're not subject to the same
audits that Comodo is, and because the last WebTrust audit that anyone
here can find any record of is in 2007, I find it
On 12/26/2008 11:38 PM, Kyle Hamilton:
You've already shown that it's possible for the RA function to bypass
all controls. At this point, because they're not subject to the same
audits that Comodo is, and because the last WebTrust audit that anyone
here can find any record of is in 2007, I find
Thanks for your response Robin.
On Dec 26, 1:10 pm, ro...@comodo.com wrote:
Comodo accepts responsibility for the work of its RAs in the
validation that they do leading to the issuance of certificates under
our root certificates.
You failed to answer the other half of this question. What
On Dec 26, 2:18 pm, Paul C. Bryan em...@pbryan.net wrote:
This link responds with an error result.
Apologies. Disregard my statement about the link error. I realized
it's two links. I will now go drink some more coffee to increase my
alertness level.
On 26/12/08 22:38, Kyle Hamilton wrote:
See, Robin, my thought is this:
You've already shown that it's possible for the RA function to bypass
all controls. At this point, because they're not subject to the same
audits that Comodo is, and because the last WebTrust audit that anyone
here can
On 26/12/08 02:28, Gen Kanai wrote:
On Dec 26, 2008, at 1:49 AM, Frank Hecker wrote:
Beyond that? It's somewhat of an open question.
Frank
Mozilla needs to have a concrete policy and procedures in place so that
there is no question as to what the penalties would be for future
actions of
On Fri, Dec 26, 2008 at 3:12 PM, Ian G i...@iang.org wrote:
(Although I think, it is a singular observation: there is no effective
dispute resolution for this case or any other. What does that say?)
That there is no reason to trust a system without dispute resolution procedures.
-Kyle H
On 27/12/08 00:15, Kyle Hamilton wrote:
On Fri, Dec 26, 2008 at 3:12 PM, Ian G i...@iang.org wrote:
(Although I think, it is a singular observation: there is no effective
dispute resolution for this case or any other. What does that say?)
That there is no reason to trust a system without
On 12/27/2008 12:54 AM, Ian G:
We can no more prevent bad certs than we can stop the winter from
coming. The point is to put in place economically reasonable policies
and practices that meet an appropriate balance of security versus cost.
Yeah right! It really depends what the right balance
On 27/12/08 00:53, Eddy Nigg wrote:
On 12/27/2008 12:54 AM, Ian G:
We can no more prevent bad certs than we can stop the winter from
coming. The point is to put in place economically reasonable policies
and practices that meet an appropriate balance of security versus cost.
Yeah right! It
On Dec 26, 4:40 pm, Ian G i...@iang.org wrote:
With respect:
This is a forum for the discussion of technical, crypto, root and general PKI
issues, by either diktat or convention. It is not a forum for the airing of
general business complaints.
Are you characterizing this issue as merely a
On 12/27/2008 02:40 AM, Ian G:
On 27/12/08 00:53, Eddy Nigg wrote:
Yeah right! It really depends what the right balance is, ehhh?!
There is no right balance just like there is no world peace. Security
is an economic phenomenon, not a beauty pageant.
No, security is an inconvenience, but
ro...@comodo.com wrote, On 2008-12-26 03:28:
We have finished our initial investigation on the certificates
issued by Certstar.
Of the 111 orders that had been placed through Certstar there remain
13 orders for which we have still not been able to gather adequate
evidence of the
I am minded of the CRL entry reason remove from CRL. Does NSS
properly handle that reason-code?
If so, a temporary revocation of all unknown certificates might be a
sound practice, removing them from the CRL as they're found and
verified.
We are running up against problems that are caused by
On Dec 26, 5:38 pm, Nelson B Bolyard nel...@bolyard.me wrote:
Clearly several participants in this discussion were surprised that a CA would
delegate the duty of validating domain control to an RA, and some opined
that a CA ought to perform that duty itself.
I certainly fall in that category.
Kyle Hamilton wrote:
I then have to click at least six
times to try to figure out what's going on, and then when I do find a
site that's protected by an unknown CA certificate (OR that I've
removed the trust bits on), I have to do the following:
1) Click 'add an exception'
2) click 'get
Kyle Hamilton wrote:
(Especially if Comodo delegates full Registration Authority capability
without verification, which seems to be the case -- though they could
have simply issued a sub-CA certificate.)
Delegating the RA's tasks is still different from issuing a sub-CA cert
since with a
Frank Hecker wrote:
From my point of view I'd wait on more
information regarding items 2 and 3 above before making a recommendation.
Could you please define a time-frame within Comodo MUST react?
Ciao, Michael.
___
dev-tech-crypto mailing list
Kyle Hamilton wrote:
I hate to say this, but this IS The Worst-Case Scenario. A CA has
gone rogue and issued certificates that violate its standards, and the
standards of the root programs that it's a part of -- it is true that
Comodo didn't /intend/ to go rogue, but it has, and we can't
Justin Dolske wrote:
...I think there's some risk that if a Firefox update suddenly breaks a
large swath of legitimate SSL sites, that could end up training users to
ignore the problem.
Given the large amount of self-generated server certs this problem
already exists. Ultimately you cannot
doug...@theros.info wrote:
I, for example, have a ssl cert from a comodo reseller, and they DID
make all the validation steps.
My site, a legitimate one, would be in trouble with this. Are you all
sure that it is a good measure to just knock off the root cert or
security bit?
please,
Kyle Hamilton wrote:
[..many good observations snipped..]
Because of this, my recommendation that Comodo's trust bits be removed
until a full audit of their practices (and a full audit of all issued
certificates) stands, and I am that much more resolute in my belief.
Full ack!
Ciao, Michael.
On 12/25/2008 02:39 PM, Michael Ströder:
doug...@theros.info wrote:
I, for example, have a ssl cert from a comodo reseller, and they DID
make all the validation steps.
My site, a legitimate one, would be in trouble with this. Are you all
sure that it is a good measure to just knock off the
On 24/12/08 15:17, Frank Hecker wrote:
Gen Kanai wrote:
More discussion on this topic over at Programming Reddit:
http://www.reddit.com/r/programming/comments/7lb96/ssl_certificate_for_mozillacom_issued_without/
Unfortunately the discussion devolved (as it always does :-) into the
merits of
Michael Ströder wrote:
Frank Hecker wrote:
From my point of view I'd wait on more
information regarding items 2 and 3 above before making a recommendation.
Could you please define a time-frame within Comodo MUST react?
Comodo (in the person of Robin Alden) has already made a reply:
Kyle Hamilton wrote:
What is the effect of this problem on the request to enable the
UTN-UserFirst-Hardware root for EV,
https://bugzilla.mozilla.org/show_bug.cgi?id=401587 ?
I think (but don't have time to confirm right at the moment) that that
request is moot. As far as I know, Comodo EV
Frank Hecker wrote:
Michael Ströder wrote:
Frank Hecker wrote:
From my point of view I'd wait on more
information regarding items 2 and 3 above before making a
recommendation.
Could you please define a time-frame within Comodo MUST react?
Comodo (in the person of Robin Alden) has already
I've already stated my preference.
To reiterate:
Actually, I think it's very important that the accounting include this:
for each name (not just certificate, but name in
subjectAlternativeNames) that has been certified, a connection to the
TLS ports should be made, and the certificate presented
At 11:13 PM -0800 12/24/08, Daniel Veditz wrote:
Paul Hoffman wrote:
At 1:16 AM +0200 12/24/08, Eddy Nigg wrote:
Select Preferences - Advanced - View Certificates - Authorities.
Search for AddTrust AB - AddTrust External CA Root and click
Edit. Remove all Flags.
Doesn't this seem like a
At 7:16 PM +0100 12/25/08, Michael Ströder wrote:
I'd tend to punish a rogue CA by removing their root CA cert from NSS.
Maybe this serves as a good example to other CAs that the Mozilla CA
policy is really enforced. Otherwise nobody will care.
This is Firefox we're talking about, not IE. Do you
On 12/25/2008 08:16 PM, Michael Ströder:
The question is, what else do what want Comodo to do in this case?
What really strikes me is that this case was only
detected by Eddy because of Certstar's spam e-mails.
Even though I believe that Robin and his crew are really angry with me
right
On 12/26/2008 12:24 AM, Paul Hoffman:
At 7:16 PM +0100 12/25/08, Michael Ströder wrote:
I'd tend to punish a rogue CA by removing their root CA cert from NSS.
Maybe this serves as a good example to other CAs that the Mozilla CA
policy is really enforced. Otherwise nobody will care.
This is
Paul Hoffman wrote:
At 7:16 PM +0100 12/25/08, Michael Ströder wrote:
I'd tend to punish a rogue CA by removing their root CA cert from NSS.
Maybe this serves as a good example to other CAs that the Mozilla CA
policy is really enforced. Otherwise nobody will care.
This is Firefox we're
On Dec 26, 2008, at 1:49 AM, Frank Hecker wrote:
Beyond that? It's somewhat of an open question.
Frank
Mozilla needs to have a concrete policy and procedures in place so
that there is no question as to what the penalties would be for future
actions of this kind.
I personally like John
On 12/26/2008 03:28 AM, Gen Kanai:
I personally like John Nagle's proposal from earlier in this thread:
http://groups.google.com/group/mozilla.dev.tech.crypto/msg/9443ba781a669879
Gen, one thing to note, that Comodo most likely performs a yearly
WebTrust audit, though the last one I can see
On 26/12/08 00:36, Michael Ströder wrote:
Paul Hoffman wrote:
At 7:16 PM +0100 12/25/08, Michael Ströder wrote:
I'd tend to punish a rogue CA by removing their root CA cert from NSS.
I do not see a rogue CA. The evidence of the posts here suggests a flaw
leading to false certs was found
Eddy Nigg wrote:
My blog article and exposure has provoked somebody to come forward with
additional evidences concerning the reseller activities of Comodo. In
order to protect the innocent I decided to provide this information
confidentially to Frank Hecker for now. Stay tuned.
To expand on
On Wed, Dec 24, 2008 at 6:17 AM, Frank Hecker
hec...@mozillafoundation.org wrote:
Gen Kanai wrote:
More discussion on this topic over at Programming Reddit:
http://www.reddit.com/r/programming/comments/7lb96/ssl_certificate_for_mozillacom_issued_without/
Unfortunately the discussion
At 9:14 AM -0800 12/24/08, Kyle Hamilton wrote:
I'd like to see an extension that allows other certificates (for the
same public key) to be included in a certificate (self-signed or not).
Are you asking for a Mozilla extension or a PKIX extension? If the latter, none
is needed: it is already
In the terminology of ASN.1 and PKIX, I want a standardized PKIX
extension that allows for a SEQUENCE OF Certificate within the
tbsCertificate structure.
I'm trying to figure out how I'm supposed to extract all the
certificates from my database without any version of keytool that I
can find
As a user of SSL certificates in our SiteTruth system, which
attempts to identify and rate the business behind a web site, we're
concerned about CA reliability and trust. We've been using Mozilla's
approved root cert list for our system, and are considering whether
we should continue to do
Paul Hoffman wrote, On 2008-12-24 09:55:
At 9:14 AM -0800 12/24/08, Kyle Hamilton wrote:
I'd like to see an extension that allows other certificates (for the
same public key) to be included in a certificate (self-signed or not).
Are you asking for a Mozilla extension or a PKIX extension? If
On Wed, Dec 24, 2008 at 1:46 PM, Nelson B Bolyard nel...@bolyard.me wrote:
Paul Hoffman wrote, On 2008-12-24 09:55:
At 9:14 AM -0800 12/24/08, Kyle Hamilton wrote:
I'd like to see an extension that allows other certificates (for the
same public key) to be included in a certificate (self-signed
I'm also going to state that yes, I know this, because I HAVE DONE IT.
And I wouldn't wish that hell on anyone who didn't have a DETAILED
knowledge of how the X.509 model operates, and I wouldn't wish the
user-interface hell on ANYONE.
-Kyle H
On Wed, Dec 24, 2008 at 2:36 PM, Kyle Hamilton
On 12/25/2008 12:36 AM, Kyle Hamilton:
To be honest, Mozilla doesn't distribute keytool with Firefox, which
means that I have to try to go into the (unbatchable) interface and
remove the flags one. by. one. by. one. and then select the next
certificate and remove those trust flags, and the next,
On Wed, Dec 24, 2008 at 2:46 PM, Eddy Nigg eddy_n...@startcom.org wrote:
On 12/25/2008 12:36 AM, Kyle Hamilton:
To be honest, Mozilla doesn't distribute keytool with Firefox, which
means that I have to try to go into the (unbatchable) interface and
remove the flags one. by. one. by. one. and
Kyle Hamilton wrote, On 2008-12-24 14:53:
On Wed, Dec 24, 2008 at 2:46 PM, Eddy Nigg eddy_n...@startcom.org wrote:
On 12/25/2008 12:36 AM, Kyle Hamilton:
To be honest, Mozilla doesn't distribute keytool with Firefox, which
means that I have to try to go into the (unbatchable) interface and
On Dec 23, 10:33 pm, Paul Hoffman phoff...@proper.com wrote:
At 1:16 AM +0200 12/24/08, Eddy Nigg wrote:
Select Preferences - Advanced - View Certificates - Authorities. Search
for AddTrust AB - AddTrust External CA Root and click Edit. Remove all
Flags.
Put more rudely, why do you expect
At 11:35 AM -0800 12/24/08, Kyle Hamilton wrote:
In the terminology of ASN.1 and PKIX, I want a standardized PKIX
extension that allows for a SEQUENCE OF Certificate within the
tbsCertificate structure.
That makes no sense to me, but I would have to see a complete proposal to
understand why you
At 1:46 PM -0800 12/24/08, Nelson B Bolyard wrote:
Paul Hoffman wrote, On 2008-12-24 09:55:
- Remove all trust anchors one-by-one
- Add your single trust anchor
- Sign the certs of any CA you want
- Add those signed certs to the pre-loaded validation path (not root)
cert list
Of course,
Paul Hoffman wrote:
At 1:16 AM +0200 12/24/08, Eddy Nigg wrote:
Select Preferences - Advanced - View Certificates - Authorities.
Search for AddTrust AB - AddTrust External CA Root and click
Edit. Remove all Flags.
Doesn't this seem like a better solution than sue Mozilla for
theoretical
Hi all,
A glitch in our validation system has today caused a certificate to be
issued to a person who successfully abused our system.
We have now strengthened our domain validation system so that such
abuse cannot happen again. Comodo has handled this issue in a
professional way by invoking the
Hi Patricia,
patri...@certstar.com wrote:
We have now strengthened our domain validation system so that such
abuse cannot happen again.
just curious: How do you normally validate domain ownership?
TIA,
Thorsten
On 12/23/2008 10:48 AM, patri...@certstar.com:
Hi all,
A glitch in our validation system has today caused a certificate to be
issued to a person who successfully abused our system.
It's not me who abused your system, it's your company which sent out
illegal, misleading emails to our
For those interested, Frank opened a bug to investigate this incident:
https://bugzilla.mozilla.org/show_bug.cgi?id=470897
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
On 12/23/2008 07:09 AM, Frank Hecker:
There are two general reasons for pulling a root, to address a clear and
present danger to Mozilla users, and to punish a CA and deter others. My
concern right now is with the former. I see at least three issues in
relation to that:
1. Issuance of further
Patricia, I believe it's important to realize a couple of things:
1) An unsolicited commercial email (UCE) message was sent from your
company to the party in question suggesting that there already existed
a relationship between your company and the party in question. This
is obvious from the
Eddy Nigg wrote:
For those interested, Frank opened a bug to investigate this incident:
https://bugzilla.mozilla.org/show_bug.cgi?id=470897
Actually Nelson opened this bug.
Frank
--
Frank Hecker
hec...@mozillafoundation.org
On 12/23/2008 03:05 PM, Frank Hecker:
Eddy Nigg wrote:
For those interested, Frank opened a bug to investigate this incident:
https://bugzilla.mozilla.org/show_bug.cgi?id=470897
Actually Nelson opened this bug.
Thanks for that. More into this story...
...all our employees coming the our
Frank Hecker wrote:
Do you mean the UTN-UserFirst-Hardware root? According to the screenshot
on your blog post, that's the root the bogus cert chains up to. Also, if
we were to take action of this general sort (as a hypothetical), what
about adding the PositiveSSL CA cert to NSS with the SSL
Are we going to receive information from Comodo regarding how many
other Comodo resellers may be in a similar position to Certstar?
Are we going to receive information from Certstar as to how many other
certs may have been issued in error?
How do we verify the claims from Comodo or