It was just the one system and situation-specific.

-----Original Message-----
From: dev-security-policy <[email protected]> On Behalf Of Peter Gutmann via dev-security-policy
Sent: Monday, May 18, 2020 6:31 AM
To: Matt Palmer <[email protected]>; Mozilla <[email protected]>; Jeremy Rowley <[email protected]>
Subject: Re: Digicert issued certificate with let's encrypts public key
Jeremy Rowley via dev-security-policy <[email protected]> writes:

>For those interested, the short of what happened is that we had an old
>service where you could replace existing certificates by having
>DigiCert connect to a site and replace the certificate with a key taken
>from the site after a TLS connection. No requirement for a CSR since we
>obtained proof of key control through a TLS connection with the
>website. Turned out the handshake didn't actually take the key, but
>allowed the customer to submit a different public key without a CSR. We
>took down the service a while ago - back in November I think. I plan to
>put it back up when we work out the kink with it not forcing the key to match
>the key used in the handshake.

Thanks, that was the info I was after: was this a general problem that we need to check other systems for as well, or a situation-specific issue that affected just one site/system but no others. Looks like other systems are unaffected.

Peter.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
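The flaw Jeremy describes is a lost key binding: the TLS handshake proved the site controlled some key, but the replacement was then issued for whatever public key the customer submitted. As an added example (not DigiCert's code and not part of the thread), the Go program below shows the missing check, a routine that takes the SubjectPublicKeyInfo from the leaf certificate seen in the handshake and refuses to issue for a submitted key that differs from it, next to the flow that skips the comparison. The function names, the loopback httptest server standing in for the customer's site, and the throwaway keys are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// keyFromHandshake completes a TLS handshake with addr and returns the DER
// SubjectPublicKeyInfo of the leaf certificate the server presented. Chain
// validation is skipped on purpose: the question is which key the site holds,
// not whether its current certificate chains to a trusted root.
func keyFromHandshake(addr string) ([]byte, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return nil, errors.New("server presented no certificate")
	}
	return certs[0].RawSubjectPublicKeyInfo, nil
}

// replaceVulnerable models the broken flow: the handshake proves the site holds
// some key, but issuance then proceeds for whatever SPKI the customer submitted.
func replaceVulnerable(addr string, submittedSPKI []byte) ([]byte, error) {
	if _, err := keyFromHandshake(addr); err != nil {
		return nil, err
	}
	return submittedSPKI, nil // key binding is lost here
}

// replaceFixed issues only for the key actually seen in the handshake and
// rejects a submitted SPKI that does not match it byte for byte.
func replaceFixed(addr string, submittedSPKI []byte) ([]byte, error) {
	observed, err := keyFromHandshake(addr)
	if err != nil {
		return nil, err
	}
	if !bytes.Equal(observed, submittedSPKI) {
		return nil, errors.New("submitted key does not match the key used in the TLS handshake")
	}
	return observed, nil
}

// foreignSPKI returns the DER SPKI of a fresh P-256 key the site never used,
// standing in for a key an attacker (or a confused customer) submits.
func foreignSPKI() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return x509.MarshalPKIXPublicKey(&key.PublicKey)
}

// startTestSite brings up a loopback HTTPS server with httptest's self-signed
// certificate (constructed test data) and returns its host:port, the SPKI of
// the key it serves with, and a stop function.
func startTestSite() (string, []byte, func()) {
	srv := httptest.NewTLSServer(http.NotFoundHandler())
	return srv.Listener.Addr().String(), srv.Certificate().RawSubjectPublicKeyInfo, srv.Close
}

func main() {
	addr, siteSPKI, stop := startTestSite()
	defer stop()
	foreign, err := foreignSPKI()
	if err != nil {
		panic(err)
	}
	_, vulnErr := replaceVulnerable(addr, foreign)
	_, fixedErr := replaceFixed(addr, foreign)
	_, okErr := replaceFixed(addr, siteSPKI)
	fmt.Println("vulnerable flow accepted a key the site never used:", vulnErr == nil)
	fmt.Println("fixed flow rejected it:", fixedErr != nil)
	fmt.Println("fixed flow accepted the handshake key:", okErr == nil)
}
```

The comparison is done on the whole DER SubjectPublicKeyInfo rather than on a modulus or curve point alone, so the algorithm identifier and parameters are bound as well as the key material. In a real CA flow the handshake would also have to be made to the hostname the order names, and the observed key, not the submitted one, is what goes into the certificate.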

