Here's the article we published on this subject a while ago: https://www.digicert.com/blog/keeping-subscribers-safe-partner-best-practices/
-Tim > -----Original Message----- > From: dev-security-policy <[email protected]> > On Behalf Of Jeremy Rowley via dev-security-policy > Sent: Thursday, January 10, 2019 4:47 PM > To: Wayne Thayer <[email protected]> > Cc: Alex Cohn <[email protected]>; Alex Gaynor <[email protected]>; > [email protected]; Buschart, Rufus > <[email protected]>; Hanno Böck <[email protected]> > Subject: RE: AlwaysOnSSL web security issues > > Yes – we will do so. We’ve encouraged all customers to not generate key > pairs for TLS certs on behalf of third parties in the past. A reminder would > be > useful. > > From: Wayne Thayer <[email protected]> > Sent: Thursday, January 10, 2019 1:18 PM > To: Jeremy Rowley <[email protected]> > Cc: Alex Gaynor <[email protected]>; Buschart, Rufus > <[email protected]>; Alex Cohn <[email protected]>; Hanno > Böck <[email protected]>; [email protected] > Subject: Re: AlwaysOnSSL web security issues > > Thanks Jeremy. The fact that CertCenter is just a reseller and not an RA was > not obvious to me. To your point, building an insecure website on top of a > CA's API does not strike me as something that we should be terribly worried > about. > > I would encourage DigiCert to ask CertCenter to discontinue the practice of > generating private keys for their customers. > > - Wayne > > On Thu, Jan 10, 2019 at 11:00 AM Jeremy Rowley via dev-security-policy > <[email protected]<mailto:dev-security- > [email protected]>> wrote: > A couple of thoughts: > 1) CertCenter is not a CA or RA. They have a custom named ICA that is hosted > and operated by DigiCert. All validation, issuance, and linting is performed > by > DigiCert prior to issuance. > 2) Lots of cert customers have insecure websites. This indicates CAs should > scan websites for vulnerabilities. If that's the case, there will be lots of > revocations and that needs to be built into the Mozilla policy if required. > 3) The only way we know that CertCenter is a reseller is by > self-identification. > They use the same issuance and validation system as all other customers. If > they didn't self-identify as a reseller, they could do the same thing and look > like an enterprise. > 4) I think they took their website down once the vulnerability was reported. > We've asked them to fix the site because it's high profile. However, if the > customer was something like Mozilla or Google, would we demand > revocation of their certificates? Granted, they wouldn't have the same > vulnerabilities, but I'm having a hard time differentiating from the CA > perspective. > 5) Generating private keys for third parties is definitely NOT encouraged by > DigiCert. > > Anyway, I'm not sure what do here as it seems like the main difference > between this and any other insecure website is how they self-identify. > > Jeremy > > -----Original Message----- > From: dev-security-policy <dev-security-policy- > [email protected]<mailto:dev-security-policy- > [email protected]>> On Behalf Of Alex Gaynor via dev-security- > policy > Sent: Thursday, January 10, 2019 7:10 AM > To: Buschart, Rufus > <[email protected]<mailto:[email protected]>> > Cc: Alex Cohn <[email protected]<mailto:[email protected]>>; mozilla- > [email protected]<mailto:mozilla-dev-security- > [email protected]>; Hanno Böck > <[email protected]<mailto:[email protected]>> > Subject: Re: AlwaysOnSSL web security issues > > The Mozilla policy does not prohibit backdating, except when it's used to > evade time-based policy controls. > > Backdating certs by a few hours is a relatively common practice to minimize > breakages for consumers with busted clocks. > > Alex > > On Thu, Jan 10, 2019 at 4:43 AM Buschart, Rufus via dev-security-policy < > [email protected]<mailto:dev-security- > [email protected]>> wrote: > > > The certificate [1] seems also to be 'back-dated' by about 18 hours. > > What is Mozillas opinion about this in the light of > > https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Backdat > > ing_the_notBefore_Date > > ? > > > > > It appears AlwaysOnSSL is not completely disabled - if we trust CT > > > as a > > timestamping service, [1] was issued after Hanno's email. > > [...] > > > [1] https://crt.sh/?id=1097197338 > > [...] > > > On Wed, Jan 9, 2019 at 8:59 AM Hanno Böck via dev-security-policy < > > [email protected]<mailto:dev-security- > [email protected]>> wrote: > > > > > > > > Hi, > > > > > > > > AlwaysOnSSL was a free certificate authority operated by CertCenter. > > > > I recently noticed that their main webpage was gone, but pieces of > > > > the service were still online. > > > > I immediately found a few web security issues. I reported those to > > > > certcenter and digicert (which is the root CA their intermediate > > > > chains to). > > [...] > > > > In response to this the service was completely disabled. > > [...] > > _______________________________________________ > > dev-security-policy mailing list > > [email protected]<mailto:dev-security-policy@lists > > .mozilla.org> https://lists.mozilla.org/listinfo/dev-security-policy > > > _______________________________________________ > dev-security-policy mailing list > [email protected]<mailto:dev-security- > [email protected]> > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ > dev-security-policy mailing list > [email protected]<mailto:dev-security- > [email protected]> > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ > dev-security-policy mailing list > [email protected] > https://lists.mozilla.org/listinfo/dev-security-policy
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
