They are working on the issue and preparing a report.  

 

From: Eric Mill [mailto:e...@konklone.com]
Sent: Saturday, August 12, 2017 9:03 PM
To: Ben Wilson <ben.wil...@digicert.com>
Cc: Alex Gaynor <agay...@mozilla.com>; Jonathan Rudenberg <jonat...@titanous.com>; mozilla-dev-security-pol...@lists.mozilla.org; Jeremy Rowley <jeremy.row...@digicert.com>
Subject: Re: Certificates with less than 64 bits of entropy


If they're not going to revoke within 24 hours and willingly violate that part 
of the policy, I would at least expect them to, within that 24 hours, produce a 
description of why this happened, what they're doing to fix it, and when they 
expect the certificates to be replaced (along with an expectation of when a 
hard revocation deadline would be regardless of customer responsiveness). Once 
the underlying issue is fixed, I would expect them to ring in to say that it's 
fixed and what they did to fix it. 

 

That's just basic good-faith engagement that demonstrates that the issuing CA 
at least takes the issue as seriously as the community does, and engenders 
trust that the issue is being addressed.

 

Let's Encrypt just responded this week to an encoding compliance failure with a 
live production code fix (including code review and sign off) within 6 hours of 
being notified. 

 

While not every issuing CA may take security seriously enough to employ 
engineers on staff who can research, author and deploy a production code fix in 
a 24 hour period, every issuing CA should be able to muster the strength to 
keep the community informed of their plans and progress in however long it 
takes to address the issue.

 

-- Eric

On Fri, Aug 11, 2017 at 10:33 AM, Ben Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

Apparently they haven’t yet, but we’ll assume that they will.

Does the community expect a remediation plan for their code and then a 
revocation-and-replacement plan?



Ben Wilson, JD, CISA, CISSP
VP Compliance
+1 801 701 9678





From: Alex Gaynor [mailto:agay...@mozilla.com]
Sent: Friday, August 11, 2017 8:31 AM
To: Ben Wilson <ben.wil...@digicert.com>
Cc: Jeremy Rowley <jeremy.row...@digicert.com>; Jonathan Rudenberg <jonat...@titanous.com>; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Certificates with less than 64 bits of entropy



Have they fixed whatever issue there is with their PKI infrastructure that 
leads to this issue? From skimming, I see this pool contains certs issued as 
recently as one month ago.



Alex



On Fri, Aug 11, 2017 at 10:26 AM, Ben Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

With regard to Siemens, given the large number of certificates and the 
disruption that massive revocations will have on their infrastructure, what 
does this community expect them to do?


-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+ben=digicert....@lists.mozilla.org] On Behalf Of Jeremy Rowley via dev-security-policy
Sent: Thursday, August 10, 2017 12:01 PM
To: Jonathan Rudenberg <jonat...@titanous.com>; mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: Certificates with less than 64 bits of entropy

Hi Jonathan,

InfoCert's sub CA was revoked on August 1, 2017. We'll reach out to Siemens. 
They moved to Quovadis a while ago and are no longer issuing from that Sub CA.

Jeremy

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert....@lists.mozilla.org] On Behalf Of Jonathan Rudenberg via dev-security-policy
Sent: Thursday, August 10, 2017 9:26 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Certificates with less than 64 bits of entropy


> On Aug 10, 2017, at 11:20, Jonathan Rudenberg via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> QuoVadis (560)
>    Siemens Issuing CA Internet Server 2016 (560)
>
> D-TRUST (224)
>    D-TRUST SSL Class 3 CA 1 2009 (178)
>    D-TRUST SSL Class 3 CA 1 EV 2009 (45)
>    D-TRUST Root Class 3 CA 2 EV 2009 (1)
>
> DigiCert (85)
>    Siemens Issuing CA Class Internet Server 2013 (82)
>    InfoCert Web Certification Authority (3)
>
> Izenpe S.A. (62)
>    EAEko Herri Administrazioen CA - CA AAPP Vascas (2) (62)
>
> Government of The Netherlands, PKIoverheid (Logius) (55)
>    Digidentity Services CA - G2 (55)
>
> Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) (38)
>    Cihaz Sertifikası Hizmet Sağlayıcı - Sürüm 4 (38)

It looks like my summary missed one QuoVadis intermediate:

Bayerische SSL-CA-2016-01 (3)

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy











 

-- 
konklone.com <https://konklone.com> | @konklone <https://twitter.com/konklone>


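An added check, not code from the thread or from any of the CAs named in it: a script that scores serial numbers the way a community scan for this issue does (the integer value fits in fewer than 8 bytes once the DER sign byte is dropped) and tallies the hits per issuer, in the shape of the CA summary quoted above. The input format assumed is the "issuer=" / "serial=" line pairs that `openssl x509 -noout -issuer -serial` prints; the issuer names and serial numbers in SAMPLE are constructed, not real certificates. The script does not tell a CA that generates 64 random bits from one that does not on a single certificate: a compliant serial has a zero leading byte about 1 time in 256, so one short serial is noise, while hundreds from a single issuer are not.

```python
"""Flag certificate serial numbers that carry fewer than 64 bits of value.

Added example, not code from the mailing-list thread. Input is the text
that `openssl x509 -noout -issuer -serial` prints for each certificate
(an "issuer=" line followed by a "serial=" line). The records in SAMPLE
are constructed sample data, not real certificates.
"""
from collections import Counter

# Baseline Requirements 7.1: a serial number must contain at least 64 bits
# of output from a CSPRNG, i.e. at least 8 bytes of value.
MIN_SERIAL_BYTES = 8


def serial_value_bytes(serial_hex: str) -> int:
    """Number of bytes needed to hold the serial's integer value.

    Converting to an int discards a DER sign byte (leading 0x00) and any
    further leading zero bytes, so '00A1..' and 'A1..' score the same.
    Colons, as in `openssl x509 -text` output, are tolerated.
    """
    value = int(serial_hex.replace(":", ""), 16)
    return (value.bit_length() + 7) // 8


def is_short_serial(serial_hex: str) -> bool:
    """True if the serial's value fits in fewer than MIN_SERIAL_BYTES.

    A genuinely random 64-bit serial lands here about 1 time in 256
    (its leading byte happens to be zero), so judge issuers, not certs.
    """
    return serial_value_bytes(serial_hex) < MIN_SERIAL_BYTES


def parse_openssl_output(text: str):
    """Pair each 'issuer=' line with the 'serial=' line that follows it."""
    records, issuer = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("issuer="):
            issuer = line[len("issuer="):]
        elif line.startswith("serial=") and issuer is not None:
            records.append((issuer, line[len("serial="):]))
            issuer = None
    return records


def short_serials_by_issuer(records) -> dict:
    """Per-issuer count of short serials; issuers with none are omitted."""
    counts = Counter()
    for issuer, serial in records:
        if is_short_serial(serial):
            counts[issuer] += 1
    return dict(counts)


# Constructed sample: one issuer with 8-byte serials (one of them carrying a
# DER sign byte), one legacy issuer with tiny and counter-style serials.
SAMPLE = """\
issuer=CN=Example Issuing CA 2016, O=Example Corp, C=DE
serial=0123456789ABCDEF
issuer=CN=Example Issuing CA 2016, O=Example Corp, C=DE
serial=00A1B2C3D4E5F60718
issuer=CN=Example Legacy CA 2013, O=Example Corp, C=DE
serial=1A2B3C
issuer=CN=Example Legacy CA 2013, O=Example Corp, C=DE
serial=00FFEE
issuer=CN=Example Legacy CA 2013, O=Example Corp, C=DE
serial=0000000000000001
issuer=CN=Example Issuing CA 2016, O=Example Corp, C=DE
serial=00F0E1D2C3B4A59687
"""

if __name__ == "__main__":
    summary = short_serials_by_issuer(parse_openssl_output(SAMPLE))
    for issuer, n in sorted(summary.items()):
        print(f"{issuer} ({n})")
```

To run it over real certificates, pipe each one through `openssl x509 -noout -issuer -serial` and feed the concatenated output to `parse_openssl_output`; the per-issuer counts then read directly against the expected 1-in-256 background rate for that issuer's total volume.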