See https://www.imperialviolet.org/binary/anssi-chain.txt.
This is the part of the chain that Google is releasing.

On Mon, Dec 9, 2013 at 2:39 PM, <[email protected]> wrote:

> Let's start with the basics: what is the cert subject, serial number, date
> info? None of the four browser notices provided any of that. Surely there
> is no reason to keep it secret, is there?
>
> *From: *Jan Schejbal
> *Sent: *Monday, December 9, 2013 1:19 PM
> *To: *[email protected]
> *Reply To: *[email protected]
> *Subject: *Re: Revoking Trust in one ANSSI Certificate
>
> Hi,
> could we please have the certificates/chains involved in this, and could
> the corresponding bug (I assume there is one) maybe be made public?
> Especially of interest would be the dates when the certificates were
> issued, when they were first used for MitM, when this was reported to
> the CA by Google, and when the CA revoked the certificate.
>
> From what I understood, the hierarchy was as follows:
>
> ANSSI
> +-Treasury Sub-CA
>   +-MitM-CA (installed on MitM device)
>     +-Fake endpoint certificates
>
> Is this assumption correct? If so:
> Was the "Treasury Sub-CA" revoked, or only the "MitM-CA"?
> Which of these certs are the ones blacklisted by Mozilla?
>
> The publicly available information about this is currently quite
> limited. Having a meaningful debate on that basis is difficult.
>
>
> We already had a similar case once - Trustwave. The differences are that
> they admitted it before getting caught, and that since that incident,
> everyone remotely involved in PKI management should know that this is
> something you don't do.
>
> I would really love to see the explanation how someone accidentally
> issues and deploys a MitM Sub-CA...
>
> Kind regards,
> Jan
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

--
Mozilla Networking/Crypto/Security (Necko/NSS/PSM)

