Let's start with the basics: what is the cert subject, serial number, date info? None of the four browser notices provided any of that. Surely there is no reason to keep it secret, is there?
Hi,
could we please have the certificates/chains involved in this, and could the corresponding bug (I assume there is one) maybe be made public? Especially of interest would be the dates when the certificates were issued, when they were first used for MitM, when this was reported to the CA by Google, and when the CA revoked the certificate.

From what I understood, the hierarchy was as follows:

ANSSI
 +-Treasury Sub-CA
    +-MitM-CA (installed on MitM device)
       +-Fake endpoint certificates

Is this assumption correct? If so: Was the "Treasury Sub-CA" revoked, or only the "MitM-CA"? Which of these certs are the ones blacklisted by Mozilla?

The publicly available information about this is currently quite limited. Having a meaningful debate on that basis is difficult.

We already had a similar case once - Trustwave. The differences are that they admitted it before getting caught, and that since that incident, everyone remotely involved in PKI management should know that this is something you don't do. I would really love to see the explanation how someone accidentally issues and deploys a MitM Sub-CA...

Kind regards,
Jan

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

