-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nick,

I misspoke in my reply. The certificate has been revoked and it has not been re-issued. We have filed a post-stopping defect (Cisco Bug ID CSCve90409) against the product to ensure that the issue is not re-introduced.

The certificate in question was never used to transfer customer or service provider information over a public network. The engineering team utilized the cert to protect an IPC channel between a user's browser and a background process running on the host.

Rest assured that if the Cisco PSIRT or Cisco PKI teams had known that the certificate would be exposed in this manner we would have prevented it. We have folks working with the responsible engineers to ensure they understand the implications of their previous design.

Regards,
- -Troy
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iEYEARECAAYFAllJYz4ACgkQ1ANYX3sx7SAkVgCeLwuYBx2LceI/SFU+kcSUFtHB
JysAoPm5UtGh+5gzzi/4Gzfdgj2UcGcL
=YznP
-----END PGP SIGNATURE-----

On Monday, June 19, 2017 at 8:50:24 AM UTC-4, Nick Lamb wrote:
> On Monday, 19 June 2017 09:32:20 UTC+1, [email protected] wrote:
> > The compromised certificate for drmlocal.cisco.com serial number
> > 6170CE2EC8B7D88B4E2EB732E738FE3A67CF672 has been revoked. A new
> > certificate is being reissued to drmlocal.cisco.com and we will work with
> > the developers of the YES video player to ensure that the issue does not
> > happen again.
>
> Troy, the name makes me suspicious, what - other than this trick which isn't
> a permissible use - was the drmlocal.cisco.com name ever for in the first
> place? If it doesn't have any legitimate use, there was no purpose in seeking
> a re-issue of the certificate.
>
> The right way to approach this problem will be to issue unique keys and
> certificates to individual instances of the system, this both satisfies the
> BRs and (which is why) achieves the actual security goal of partitioning each
> customer so that they can't MitM each other.
>
> It is a little surprising to me that (at least so far as I know) no
> manufacturer has an arrangement with a CA to issue them large volumes of
> per-device certificates in this way. I expect that Comodo (to name one which
> definitely has business issuing very large volumes) would be able to
> accommodate a deal to issue say, a million certificates per year with an
> agreed suffix (say, .nowtv.cisco.com) for a fixed fee. The first time it's
> attempted there would be some engineering work to be done in production and
> software for the system, but nothing truly novel and that work is re-usable
> for future products.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
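
The per-instance approach described in the quoted message, sketched as an added example (not part of the original thread and not Cisco's or any CA's code): each instance generates its own key locally and only a CSR leaves it, and a check flags any key that appears on more than one instance. The suffix `devices.example`, the unit IDs and the function names are constructed placeholders; OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example: one key and one CSR per instance, plus a shared-key check.
# SUFFIX and the unit IDs are constructed placeholders, not names from the thread.
SUFFIX="${SUFFIX:-devices.example}"

# new_instance_csr DIR ID
# Generate a fresh key for this instance only and a CSR naming ID.SUFFIX.
# The private key stays in DIR (on the instance); only the CSR goes to the CA.
new_instance_csr() {
    dir=$1; id=$2; name="$id.$SUFFIX"
    # Refuse to overwrite or silently reuse an existing key.
    if [ -e "$dir/$id.key" ]; then
        echo "key already exists for $id" >&2
        return 1
    fi
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$dir/$id.key" -out "$dir/$id.csr" \
          -subj "/CN=$name" -addext "subjectAltName=DNS:$name" ) 2>/dev/null
}

# pubkey_fp CSR: SHA-256 of the PEM public key carried in a CSR.
pubkey_fp() {
    openssl req -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'
}

# shared_keys DIR: print every public-key fingerprint used by more than one CSR.
# Any output means two instances hold the same private key.
shared_keys() {
    for csr in "$1"/*.csr; do pubkey_fp "$csr"; done | sort | uniq -d
}

# Demo on constructed input: enrol two units, then confirm no key is shared.
demo_dir=$(mktemp -d)
new_instance_csr "$demo_dir" unit-0001 && new_instance_csr "$demo_dir" unit-0002
if [ -z "$(shared_keys "$demo_dir")" ]; then echo "no shared keys"; fi
rm -rf "$demo_dir"
```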

