On 14/11/2017 02:23, Kathleen Wilson wrote:
> On 11/6/17 3:40 AM, Ben Laurie wrote:
>> Since CT is not (yet) compulsory, it seems you probably have to contact all
>> CAs, doesn't it?
> To close the loop on this...
> I have added the following to the draft of the November 2017 CA
> Communication.
> ~~
> ACTION 8: Check for issuance of TLS/SSL certificates to .tg domains from
> October 25 to November 2, 2017.
> We believe that the .tg Registry was compromised from October 25 to
> November 1, 2017, such that a perpetrator set the Name Server (NS)
> Records for some domains to name servers controlled by them, and then
> successfully obtained SSL certificates for those domains.
> Please check the SSL certificates that were issued to .tg domains and
> that chain up to your root certificates included in Mozilla's program to
> ensure that the certificate subscriber actually owns the domains
> included in their certificate.
> Response Options:
> - There are no TLS/SSL certificates issued to .tg domains that chain up
> to our root certificates included in Mozilla's program.
> - There are TLS/SSL certificates issued to .tg domains that chain up to
> our root certificates included in Mozilla's program, but there were no
> new validations on .tg domains from October 25 to November 2, 2017.
> - There are TLS/SSL certificates issued to .tg domains that chain up to
> our root certificates included in Mozilla's program, and we have
> re-verified the certificates that were issued to .tg domains from
> October 25 to November 2, 2017, and no problems were found.
> - We have revoked certificates to .tg domains between October 25 and
> November 2, 2017, and have sent information about these revoked
> certificates to Mozilla.
Shouldn't there be an "issued" in there? (As phrased, it seems to say
that the revocation, not the issuance, took place during the incident.)
> - Not Applicable, because our root certificates do not have the Websites
> trust bit enabled.
Wouldn't the .tg incident be equally relevant for the e-mail trust bit?
(In which case the first 3 options should say TLS/SSL/e-mail.)
> - Other - explain
> ~~
> Thanks,
> Kathleen
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
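As an added example that is not part of the thread (my own code, not Mozilla's, not the draft CA Communication's, and not any CA's), the stdlib-only Python script below shows how a CA could screen its issuance records for ACTION 8. The record layout (serial, notBefore date, SAN list, and a per-domain date on which domain control was demonstrated) and the sample records are constructed assumptions standing in for a CA's issuance database. It flags a certificate when it names a .tg domain and was either issued inside the window or rests on a domain validation performed inside the window; checking the validation date as well as the issuance date matters because validation data may be reused for later issuance, so a validation obtained while the registry's NS records were under attacker control can surface in a certificate issued after November 2.

```python
"""Screen issuance records for ACTION 8 of the November 2017 CA Communication.

Added example, not code from Mozilla, the thread, or any CA. The record layout
(serial, notBefore, SANs, per-domain validation dates) and the sample records
below are constructed assumptions standing in for a CA's issuance database.
"""
from datetime import date

# Window in which the .tg Registry is believed to have been compromised.
WINDOW_START = date(2017, 10, 25)
WINDOW_END = date(2017, 11, 2)


def is_tg_domain(name):
    """True if a dNSName SAN (wildcards allowed) lies under the .tg ccTLD."""
    labels = name.lower().rstrip(".").split(".")
    return len(labels) >= 2 and labels[-1] == "tg"


def base_domain(name):
    """Normalise case, drop a trailing dot and a leading wildcard label."""
    name = name.lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name


def in_window(day, start=WINDOW_START, end=WINDOW_END):
    return start <= day <= end


def lookup_validation(validations, name):
    """Find the validation record covering `name`: the FQDN itself first, then
    each parent domain, since control may have been demonstrated for a parent
    (an authorization domain) rather than the exact FQDN.
    Returns (validated_domain, date) or (None, None)."""
    labels = base_domain(name).split(".")
    while len(labels) >= 2:
        dom = ".".join(labels)
        if dom in validations:
            return dom, validations[dom]
        labels = labels[1:]
    return None, None


def classify(record, start=WINDOW_START, end=WINDOW_END):
    """Reasons this certificate needs re-verification; empty list if none.

    Both dates matter: a cert issued in the window may rest on a validation
    done in the window, and a validation done in the window may be reused for
    certs issued after it, so the issuance date alone is not a sufficient
    filter."""
    tg_names = sorted({base_domain(s) for s in record["sans"] if is_tg_domain(s)})
    if not tg_names:
        return []
    reasons = []
    if in_window(record["not_before"], start, end):
        reasons.append("issued in window")
    for name in tg_names:
        dom, validated = lookup_validation(record["validations"], name)
        if validated is None:
            reasons.append("no validation record covers %s" % name)
        elif in_window(validated, start, end):
            reasons.append("control of %s validated in window (via %s)" % (name, dom))
    return reasons


def audit(records, start=WINDOW_START, end=WINDOW_END):
    """Map serial -> reasons for every record that needs a second look."""
    flagged = {}
    for rec in records:
        reasons = classify(rec, start, end)
        if reasons:
            flagged[rec["serial"]] = reasons
    return flagged


# Constructed sample records (hypothetical serials and names).
SAMPLE_RECORDS = [
    {"serial": "01", "not_before": date(2017, 10, 27),
     "sans": ["www.example.tg", "example.tg"],
     "validations": {"example.tg": date(2017, 10, 26)}},
    {"serial": "02", "not_before": date(2017, 10, 28),
     "sans": ["mail.example.tg"],
     "validations": {"example.tg": date(2017, 9, 1)}},   # reused, pre-window
    {"serial": "03", "not_before": date(2017, 11, 10),
     "sans": ["*.shop.tg"],
     "validations": {"shop.tg": date(2017, 10, 30)}},    # validated in window
    {"serial": "04", "not_before": date(2017, 10, 29),
     "sans": ["example.com"],
     "validations": {"example.com": date(2017, 10, 29)}},
    {"serial": "05", "not_before": date(2017, 10, 1),
     "sans": ["old.tg"],
     "validations": {"old.tg": date(2017, 9, 20)}},
]

if __name__ == "__main__":
    for serial, reasons in sorted(audit(SAMPLE_RECORDS).items()):
        print(serial, "; ".join(reasons))
```

Running it lists serials 01, 02 and 03: 01 was both issued and validated inside the window, 02 was issued inside the window on a validation that predates it (a CA answering with the second response option would still have to look at it), and 03 was issued after the window on a validation performed during it, which a filter on notBefore alone would miss.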