On Thu, 30 Jun 2016 21:44:02 +0200 Christiaan Ottow <[email protected]> wrote:

> > On 6/30/16 8:30 AM, Rob Stradling wrote:
> > > https://www.computest.nl/blog/startencrypt-considered-harmful-today/
> > >
> > > Eddy, is this report correct? Are you planning to post a public
> > > incident report?
> >
> > Does StartCom honor CAA?
> >
> > Does StartCom publish to CT logs?
> >
> > How many mis-issued certs were obtained by the researchers? Has
> > there been an investigation to see if there were similarly
> > mis-issued certs prior to this report?
> >
> > Have those certs been revoked?
> >
> > -Dan Veditz
> >
>
> The certificates we had issued to us as proof of concept (only for
> our own domains), were not revoked and we don't see them in the CT
> logs. However, we informed StartCom that we had only issued
> certificates for domains under our control, so I can imagine no red
> flags were raised by their helpdesk.

Hi Christiaan,

First of all, thank you for conducting this research!

It's very interesting that you did not see the certs in CT, since it
would contradict StartCom's claim that they log all certs:
https://www.startssl.com/NewsDetails?date=20160323

I have a couple of questions:

1. Did you check the CT logs at least 24 hours after the certificates
   were issued? If not, the log entries might not have been incorporated
   yet.

2. Do your certificates contain the embedded SCT extension (OID
   1.3.6.1.4.1.11129.2.4.2)? If so, would you be willing to provide the
   contents of the extension?

Regards,
Andrew

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
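Andrew's second question asks whether the certificates carry the embedded SCT extension (OID 1.3.6.1.4.1.11129.2.4.2). The following is an added example, not code from the thread, from StartCom or from Computest, showing how to decode that extension's value into individual SCTs per RFC 6962 section 3.3: the extension value is a DER OCTET STRING wrapping a TLS-encoded SignedCertificateTimestampList, and each SCT carries a version byte, a 32-byte log ID (the SHA-256 of the log's public key), a millisecond timestamp, optional extensions and a TLS digitally-signed signature. The sample SCT list built by `build_sample_sct_list()` is constructed here with a made-up log ID and a dummy signature body; it is not from any real log or certificate.

```python
"""Decode an embedded SCT list (X.509 extension OID 1.3.6.1.4.1.11129.2.4.2).

Added illustration for the question above; not code from the thread, StartCom
or Computest. Layout follows RFC 6962 section 3.3. The sample data below is
constructed here and does not come from any real certificate or CT log.
"""
import struct
from datetime import datetime, timezone

SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"

# TLS 1.2 SignatureAndHashAlgorithm code points used by RFC 6962 signatures.
HASH_ALGS = {4: "sha256"}
SIG_ALGS = {1: "rsa", 3: "ecdsa"}


def _der_octet_string(data):
    """Unwrap one DER OCTET STRING (tag 0x04); handles short and long-form lengths."""
    if len(data) < 2 or data[0] != 0x04:
        raise ValueError("extension value is not a DER OCTET STRING")
    length, pos = data[1], 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(data[2:2 + n], "big")
        pos = 2 + n
    if pos + length != len(data):
        raise ValueError("OCTET STRING length does not match the data")
    return data[pos:pos + length]


def _u16(buf, pos):
    if pos + 2 > len(buf):
        raise ValueError("truncated length field")
    return struct.unpack(">H", buf[pos:pos + 2])[0]


def parse_sct(blob):
    """Parse one SerializedSCT: version, log id, timestamp, extensions, signature."""
    if len(blob) < 1 + 32 + 8 + 2:
        raise ValueError("SCT too short")
    version = blob[0]
    if version != 0:  # RFC 6962 defines only v1 (value 0)
        raise ValueError("unknown SCT version %d" % version)
    log_id = blob[1:33]
    timestamp_ms = struct.unpack(">Q", blob[33:41])[0]
    ext_len = _u16(blob, 41)
    pos = 43
    extensions = blob[pos:pos + ext_len]
    pos += ext_len
    if pos + 4 > len(blob):
        raise ValueError("truncated signature header")
    hash_alg, sig_alg = blob[pos], blob[pos + 1]
    sig_len = _u16(blob, pos + 2)
    signature = blob[pos + 4:pos + 4 + sig_len]
    if pos + 4 + sig_len != len(blob):
        raise ValueError("SCT length does not match its fields")
    return {
        "version": version,
        "log_id": log_id.hex(),  # SHA-256 of the log's public key (RFC 6962 3.2)
        "timestamp_ms": timestamp_ms,
        "timestamp_utc": datetime.fromtimestamp(timestamp_ms / 1000, timezone.utc).isoformat(),
        "extensions": extensions.hex(),
        "hash_alg": HASH_ALGS.get(hash_alg, hash_alg),
        "sig_alg": SIG_ALGS.get(sig_alg, sig_alg),
        "signature": signature.hex(),
    }


def parse_sct_list(extn_value):
    """Parse the extension's DER value into a list of SCT dicts."""
    inner = _der_octet_string(extn_value)
    total = _u16(inner, 0)
    if total + 2 != len(inner):
        raise ValueError("SCT list length does not match the data")
    pos, scts = 2, []
    while pos < len(inner):
        n = _u16(inner, pos)
        pos += 2
        if pos + n > len(inner):
            raise ValueError("truncated SCT in list")
        scts.append(parse_sct(inner[pos:pos + n]))
        pos += n
    return scts


def sct_list_is_well_formed(extn_value):
    """True if the extension value decodes cleanly, False on any length error."""
    try:
        parse_sct_list(extn_value)
        return True
    except ValueError:
        return False


def build_sample_sct_list():
    """Constructed sample (not real data): one v1 SCT with a made-up log id,
    no extensions, sha256/ecdsa algorithm bytes and a dummy signature body."""
    log_id = bytes(range(32))
    timestamp_ms = 1467316800000  # 2016-06-30T20:00:00Z
    sig_body = b"\x30\x06\x02\x01\x01\x02\x01\x02"  # placeholder, not a valid signature
    sct = (bytes([0]) + log_id + struct.pack(">Q", timestamp_ms)
           + struct.pack(">H", 0)                                  # empty extensions
           + bytes([4, 3]) + struct.pack(">H", len(sig_body)) + sig_body)
    sct_list = struct.pack(">H", len(sct)) + sct
    tls_value = struct.pack(">H", len(sct_list)) + sct_list
    return bytes([0x04, len(tls_value)]) + tls_value               # DER OCTET STRING


if __name__ == "__main__":
    for sct in parse_sct_list(build_sample_sct_list()):
        print(sct["timestamp_utc"], sct["log_id"], sct["hash_alg"], sct["sig_alg"])
```

To run this on a real certificate, feed `parse_sct_list()` the raw DER value of the extension (for example as dumped by `openssl asn1parse -in cert.pem -dump`). The decoder only checks structure; it does not verify the signature, which needs the log's public key and the (pre)certificate's TBS data as described in RFC 6962. The decoded `log_id` can be matched against a known-log list to decide which log to query. Note that a certificate without this extension may still have been logged after issuance, and a log may take up to its maximum merge delay to incorporate an entry, which is the point of the 24-hour question above.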

