There are over 300 publicly visible servers, according to Censys.IO.


From: Alex Gaynor [mailto:agay...@mozilla.com]
Sent: Thursday, August 3, 2017 8:42 AM
To: Ben Wilson <ben.wil...@digicert.com>
Cc: Nick Lamb <tialara...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Certificate with invalid dnsName issued from Baltimore intermediate

If I'm reading this correctly, these certificates are for internal services,
not publicly accessible. Could they add their intermediate directly to these
trust stores, allowing you to revoke it?

Failing that, it sounds like OneCRL would be an appropriate remedy.

Alex

On Thu, Aug 3, 2017 at 10:38 AM, Ben Wilson via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:

Nick and Mozilla Community,

Here is the response from Intesa Sanpaolo concerning the disruption that
revocation will cause to their banking operations:

Good Evening Ben,

About the problem with the certificate you recently notified us of, I
confirm to you that we have replaced the certificates today, so we have now
revoked the wrong one.

Concerning the CA revocation, first of all, I want to underline that for us
it would be a major issue: we don't have enough time and resources to
replace all the certificates before the end of the year and the revocation
of the CA will cause us several critical operating problems with our
infrastructural services.

Moreover, I would like to inform you that in order to rationalize our
infrastructure and create new synergy between our suppliers, we've planned
to move our certificates to an Italian CA outsourcer. We have already
started this activity and our intent is to complete the migration before the
end of the year, to respect the contract we have settled, with a deadline of
December 31st, 2017.

Therefore I have to kindly recommend that you not revoke the CA before the
end of the contract, because it will cause several problems for the Bank and
for our users (customers and colleagues).

We are available to set up a call conference with you to discuss the matter.
Looking forward to hearing from you.

Best regards,
Riccardo D'Agostini


-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+ben=digicert....@lists.mozilla.org] On Behalf Of Ben Wilson via dev-security-policy
Sent: Thursday, August 3, 2017 7:33 AM
To: Nick Lamb <tialara...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: Certificate with invalid dnsName issued from Baltimore intermediate

That would be fine. Also, we have given Intesa Sanpaolo a scheduled
revocation date of 15 August 2017, and I'm waiting to hear back.

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+ben=digicert....@lists.mozilla.org] On Behalf Of Nick Lamb via dev-security-policy
Sent: Wednesday, August 2, 2017 10:34 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Certificate with invalid dnsName issued from Baltimore intermediate

On Monday, 24 July 2017 17:34:03 UTC+1, Ben Wilson wrote:
> Nick,
> We are in discussions with Intesa Sanpaolo about implementing/pursuing
> OneCRL or a similar approach (e.g. outright revocation of the CAs).
> Thanks,
> Ben

Is there any progress on this? To be honest I was more meaning that Mozilla
(Gerv?) should just add this subCA to OneCRL and be done with it.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
