Here's the article we published on this subject a while ago: https://www.digicert.com/blog/keeping-subscribers-safe-partner-best-practices/
-Tim

> -----Original Message-----
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Jeremy Rowley via dev-security-policy
> Sent: Thursday, January 10, 2019 4:47 PM
> To: Wayne Thayer <wtha...@mozilla.com>
> Cc: Alex Cohn <a...@alexcohn.com>; Alex Gaynor <agay...@mozilla.com>; mozilla-dev-security-pol...@lists.mozilla.org; Buschart, Rufus <rufus.busch...@siemens.com>; Hanno Böck <ha...@hboeck.de>
> Subject: RE: AlwaysOnSSL web security issues
>
> Yes – we will do so. We've encouraged all customers to not generate key pairs for TLS certs on behalf of third parties in the past. A reminder would be useful.
>
> From: Wayne Thayer <wtha...@mozilla.com>
> Sent: Thursday, January 10, 2019 1:18 PM
> To: Jeremy Rowley <jeremy.row...@digicert.com>
> Cc: Alex Gaynor <agay...@mozilla.com>; Buschart, Rufus <rufus.busch...@siemens.com>; Alex Cohn <a...@alexcohn.com>; Hanno Böck <ha...@hboeck.de>; mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: AlwaysOnSSL web security issues
>
> Thanks Jeremy. The fact that CertCenter is just a reseller and not an RA was not obvious to me. To your point, building an insecure website on top of a CA's API does not strike me as something that we should be terribly worried about.
>
> I would encourage DigiCert to ask CertCenter to discontinue the practice of generating private keys for their customers.
>
> - Wayne
>
> On Thu, Jan 10, 2019 at 11:00 AM Jeremy Rowley via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> A couple of thoughts:
>
> 1) CertCenter is not a CA or RA. They have a custom named ICA that is hosted and operated by DigiCert. All validation, issuance, and linting is performed by DigiCert prior to issuance.
>
> 2) Lots of cert customers have insecure websites. This indicates CAs should scan websites for vulnerabilities. If that's the case, there will be lots of revocations and that needs to be built into the Mozilla policy if required.
>
> 3) The only way we know that CertCenter is a reseller is by self-identification. They use the same issuance and validation system as all other customers. If they didn't self-identify as a reseller, they could do the same thing and look like an enterprise.
>
> 4) I think they took their website down once the vulnerability was reported. We've asked them to fix the site because it's high profile. However, if the customer was something like Mozilla or Google, would we demand revocation of their certificates? Granted, they wouldn't have the same vulnerabilities, but I'm having a hard time differentiating from the CA perspective.
>
> 5) Generating private keys for third parties is definitely NOT encouraged by DigiCert.
>
> Anyway, I'm not sure what to do here as it seems like the main difference between this and any other insecure website is how they self-identify.
>
> Jeremy
>
> -----Original Message-----
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Alex Gaynor via dev-security-policy
> Sent: Thursday, January 10, 2019 7:10 AM
> To: Buschart, Rufus <rufus.busch...@siemens.com>
> Cc: Alex Cohn <a...@alexcohn.com>; mozilla-dev-security-policy@lists.mozilla.org; Hanno Böck <ha...@hboeck.de>
> Subject: Re: AlwaysOnSSL web security issues
>
> The Mozilla policy does not prohibit backdating, except when it's used to evade time-based policy controls.
>
> Backdating certs by a few hours is a relatively common practice to minimize breakages for consumers with busted clocks.
>
> Alex
>
> On Thu, Jan 10, 2019 at 4:43 AM Buschart, Rufus via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> > The certificate [1] seems also to be 'back-dated' by about 18 hours.
> > What is Mozilla's opinion about this in the light of
> > https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Backdating_the_notBefore_Date
> > ?
> >
> > > It appears AlwaysOnSSL is not completely disabled - if we trust CT as a
> > > timestamping service, [1] was issued after Hanno's email.
> > [...]
> > > [1] https://crt.sh/?id=1097197338
> > [...]
> > > On Wed, Jan 9, 2019 at 8:59 AM Hanno Böck via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> > > >
> > > > Hi,
> > > >
> > > > AlwaysOnSSL was a free certificate authority operated by CertCenter.
> > > > I recently noticed that their main webpage was gone, but pieces of
> > > > the service were still online.
> > > > I immediately found a few web security issues. I reported those to
> > > > certcenter and digicert (which is the root CA their intermediate
> > > > chains to).
> > [...]
> > > > In response to this the service was completely disabled.
> > [...]
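Rufus's "back-dated by about 18 hours" observation relies on the CT log timestamp as the independent clock, and it can be checked mechanically. The following is an added example, not code from this thread or from any CA or log operator: it parses the RFC 6962 SignedCertificateTimestampList (the raw bytes of a certificate's SCT extension, which any X.509 library can hand over) and reports how far notBefore precedes the earliest log timestamp. The two SCTs below are constructed with made-up log IDs and placeholder signatures; the example does not verify SCT signatures, which a real check must do before trusting the timestamp.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_sct_list(data: bytes) -> list:
    """Parse a TLS-encoded SignedCertificateTimestampList (RFC 6962 section 3.3).

    Returns one dict per SCT: version, 32-byte log ID and UTC timestamp.
    Extensions and the signature after the timestamp are skipped (unverified).
    """
    if len(data) < 2:
        raise ValueError("SCT list too short")
    (total,) = struct.unpack(">H", data[:2])
    body = data[2:2 + total]
    if len(body) != total:
        raise ValueError("truncated SCT list")
    scts, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated SCT length prefix")
        (n,) = struct.unpack(">H", body[pos:pos + 2])
        sct = body[pos + 2:pos + 2 + n]
        pos += 2 + n
        if len(sct) < 1 + 32 + 8 + 2:  # version, log_id, timestamp, ext length
            raise ValueError("truncated SCT")
        (ts_ms,) = struct.unpack(">Q", sct[33:41])  # ms since the Unix epoch
        scts.append({"version": sct[0], "log_id": sct[1:33],
                     "timestamp": EPOCH + timedelta(milliseconds=ts_ms)})
    return scts


def backdating_hours(not_before: datetime, scts: list) -> float:
    """Hours by which notBefore precedes the earliest SCT timestamp.

    A few hours is the clock-skew allowance described in the thread; a large
    value deserves a look. Negative means notBefore is later than the log saw it.
    """
    earliest = min(s["timestamp"] for s in scts)
    return (earliest - not_before).total_seconds() / 3600


def build_sct(log_id: bytes, when: datetime) -> bytes:
    """Encode one v1 SCT with empty extensions and a placeholder (constructed, unsigned) signature."""
    ts_ms = int((when - EPOCH).total_seconds() * 1000)
    fake_sig = b"\x04\x03" + struct.pack(">H", 4) + b"\x00" * 4  # sigalg, length, bytes
    body = b"\x00" + log_id + struct.pack(">Q", ts_ms) + b"\x00\x00" + fake_sig
    return struct.pack(">H", len(body)) + body


# Constructed sample: two SCTs from made-up logs, both about 18 hours after notBefore.
NOT_BEFORE = datetime(2019, 1, 9, 12, 0, tzinfo=timezone.utc)
_SCTS = (build_sct(b"\x01" * 32, NOT_BEFORE + timedelta(hours=18))
         + build_sct(b"\x02" * 32, NOT_BEFORE + timedelta(hours=18, minutes=30)))
SAMPLE_SCT_LIST = struct.pack(">H", len(_SCTS)) + _SCTS
```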
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy