More info (that was sent to me a while ago, I just missed the report):

There were actually seven. I missed this one:
Serial: "a18e9"

We installed a patch to stop accepting ROCA keys for TLS certs on
2017-10-26.  A patch for code signing and email certs is coming shortly.
Once that patch is installed, we will repeat our scans for any additional
vulnerable certificates that were issued in the interim.

-----Original Message-----
From: dev-security-policy
[mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Jeremy Rowley via dev-security-policy
Sent: Tuesday, November 7, 2017 11:40 AM
To: Kurt Roeckx <[email protected]>
Cc: [email protected]
Subject: RE: DigiCert ROCA fingerprint incident report

Yeah - still trying to get that info. I'll update this list right when I
know what's been done. I'm not 100% sure at this point, but I wanted to
post early and update rather than wait until I know everything. Sorry - should
have specified that in the original email.

-----Original Message-----
From: Kurt Roeckx [mailto:[email protected]]
Sent: Tuesday, November 7, 2017 11:38 AM
To: Jeremy Rowley <[email protected]>
Cc: [email protected]
Subject: Re: DigiCert ROCA fingerprint incident report

Hi,

What I miss is what has been done to prevent new ones from being issued.


Kurt

On Tue, Nov 07, 2017 at 06:20:53PM +0000, Jeremy Rowley via
dev-security-policy wrote:
> Hey everyone,
>
> Here's the DigiCert incident report about the ROCA fingerprints. Note
> that these were all issued by Symantec (i.e., before the transaction
> closed).
>
> We became aware of the issue when it was posted to the mailing list.
> However, at that time, the certs were not operated by DigiCert. We
> became aware that DigiCert needed to take action on close (Nov 1). At
> that time, the new combined team launched an investigation to
> determine the impacted certs. Six certs were identified and revoked:
>
> 4a907fbfc90eb043c50c9c8ace6305a1
> 8008c178d0d4cd3d79acc09f6ac132c
> 2dab9a2d40a2f55c5d705551cf7cafe5
> 306b67f5c25ee0fd495d2be88979eb72
> 7c7b826b183093ba1e5b9850ac31d806
> 4c834767e44ecbd0cdef8e60c04dcf32
>
> These certs were all revoked around Nov 3, within 24 hours of
> identifying the impacted certs at DigiCert.
>
> Jeremy





_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
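For readers who want to see what the "stop accepting ROCA keys" check in the thread actually tests, here is the fingerprint as an added example. This is not code from the thread, from DigiCert or from Symantec. Keys from the affected library have both primes of the form k*M + (65537^a mod M), where M is a primorial, so for every small prime r dividing M the modulus satisfies N mod r == 65537^(a+b) mod r. The check below verifies that N mod r lies in the subgroup generated by 65537 mod r for each of the 38 odd primes up to 167 (the prime set the public roca-detect tool uses); an ordinary RSA modulus passes all 38 only with negligible probability. The synthetic ROCA-style key built in demo() is constructed here just to exercise the check (it uses the 39-prime M of the 512-bit case and ignores the real generator's ranges for k and a); the seeded "normal" key is likewise constructed. A CA would apply has_roca_fingerprint() to the modulus extracted from the CSR's SubjectPublicKeyInfo before issuing, and to its issued corpus when rescanning.

```python
"""ROCA fingerprint check for an RSA modulus, pure Python, no third-party packages."""
import random

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61,
                67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137,
                139, 149, 151, 157, 163, 167]
E = 65537


def subgroup(r, g=E):
    """All residues g^k mod r, i.e. the cyclic subgroup generated by g in Z_r^*."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * g) % r
    return seen


# Residues a ROCA modulus may take modulo each odd small prime (N is odd, so 2 is skipped).
ALLOWED = {r: subgroup(r) for r in SMALL_PRIMES if r != 2}


def has_roca_fingerprint(n):
    """True when n mod r is in <65537> mod r for every odd prime r <= 167."""
    return all(n % r in residues for r, residues in ALLOWED.items())


def is_probable_prime(n, rng=random, rounds=32):
    """Miller-Rabin with a trial-division prefilter; sufficient for demo key material."""
    if n < 2:
        return False
    for r in SMALL_PRIMES:
        if n % r == 0:
            return n == r
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


M512 = 1
for _r in SMALL_PRIMES:
    M512 *= _r  # primorial of the first 39 primes: the 219-bit M of 512-bit ROCA keys


def roca_style_prime(a, k_start):
    """Smallest prime of the form k*M512 + (65537^a mod M512) with k >= k_start.
    Constructed for this demo; the real generator draws k and a from fixed ranges."""
    residue = pow(E, a, M512)  # a unit mod every small prime, so no trial-division hits
    k = k_start
    while True:
        candidate = k * M512 + residue
        if is_probable_prime(candidate):
            return candidate
        k += 1


def random_prime(bits, rng):
    """Ordinary prime of the given bit length, as a normal RSA key generator would pick."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate, rng):
            return candidate


def demo():
    """Build one synthetic ROCA-style modulus and one ordinary one; return the verdicts."""
    roca_n = roca_style_prime(17, 1 << 36) * roca_style_prime(42, (1 << 36) + 777)
    rng = random.Random(20171107)  # fixed seed so the constructed 'normal' key is reproducible
    normal_n = random_prime(256, rng) * random_prime(256, rng)
    return {
        "roca_modulus_flagged": has_roca_fingerprint(roca_n),
        "normal_modulus_flagged": has_roca_fingerprint(normal_n),
    }


if __name__ == "__main__":
    print(demo())  # {'roca_modulus_flagged': True, 'normal_modulus_flagged': False}
```

The check is cheap (38 modular reductions of a 2048-bit integer) and has no dependence on key size, which is why it can sit in the issuance path for every CSR rather than only in a periodic rescan. Note that it is a fingerprint, not a factoring attempt: a flagged modulus is one the affected library could have produced, and rejection or revocation is the right response whether or not the key is practically factorable.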
