On Mon, Feb 26, 2018 at 2:23 PM, Jakob Bohm via dev-security-policy <[email protected]> wrote:

> On 26/02/2018 10:27, Kurt Roeckx wrote:
>
>> I just came across this:
>>
>> https://www.recordedfuture.com/code-signing-certificates/
>>
>> I think the most important part of it is: "we confirmed with a high
>> degree of certainty that the certificates are created for a specific buyer
>> per request only and are registered using stolen corporate identities"
>>
>
> I believe the claims there require investigation by the named CAs
> (Comodo and Digicert (Symantec) brands) and an appropriate incident
> report regarding the claimed misissuances.
>

I do not believe there is sufficient evidence to justify this, and am
hesitant to begin such investigations without more meaningful information.

> These are (allegedly) genuine misissuances to entities other than
> the identities named in the certificates, rather than technical
> "misissuances" in violation of formal technical requirements.
>

There are also a number of technical inconsistencies within the report
(rather than the primary material) that lead to such claims being
reinterpreted and potentially incorrect.

> While the Mozilla root store only cares about the EV SSL subset of
> these misissuances, the EV codesign misissuances may involve failure
> of procedures also used for Mozilla-trusted uses (SSL and S/MIME),
> and thus should be included in incident reports.
>

I disagree with this as well.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

