On 10/14/2009 02:16 AM, Daniel Veditz:
> On 10/13/09 10:12 AM, Eddy Nigg wrote:
>> #B is important because we are already a month after the alleged bug
>> happened, plenty of time to get the act together. I think this warrants
>> some actions; a review and renewed confirmation of compliance might be a
>> good thing to do in this case.
>
> These certs were revoked within days of the BlackHat talk. The leaked cert is an old cert; we are not talking about a CA clueless for the past ten weeks. IPSCA mailed us on Aug 3 that they had identified and revoked nine bogus certs and had stopped issuing any certs until they fixed their process to detect these attempts. From the domains involved we pretty much know who bought the certs: Moxie, of course, and two other speakers we know about on the hacker-conference speaking circuit.
>
> What we didn't know is that any of those three were irresponsibly handing out the private keys to the certs.

So? I mean we are lucky that they gave us two months' warning before actually doing so (we can question the wisdom of their decision to release those keys, but they are grey or black hats, not white hats). That's plenty of time to fix the software and get the revocation mechanisms working. Mozilla IS aware that Firefox doesn't support CRLDP, and Mozilla MUST also have been aware which CA was affected (some here knew). The CA also MUST have been aware that their OCSP responder DOES NOT WORK; it should have invested its resources in fixing that with the HIGHEST PRIORITY. Certainly, more than two months into this with no resolution in sight borders on (gross) negligence.

--
Regards

Signer:  Eddy Nigg, StartCom Ltd.
XMPP:    [email protected]
Blog:    http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
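The message above turns on two mechanisms a relying party uses to learn about revocation: the CRL distribution point (CRLDP) extension, which Firefox of that era did not follow, and the OCSP responder named in the certificate's AIA extension, which the CA is said to have left non-functional. The script below is an added example, not code from the thread, from Mozilla or from any CA mentioned in it. It builds a constructed demo CA and leaf certificate carrying both extensions, shows where a client reads each URL from, and runs an OCSP query that fails closed: a responder that is unreachable, or a response that does not verify, is treated as grounds to reject the certificate rather than silently accept it. The names "Demo Issuing CA" and "demo.example" are invented, and 127.0.0.1 port 1 is assumed to have nothing listening on it, standing in for a dead responder.

```shell
#!/bin/sh
# Added example (not from the thread): where a client finds revocation
# information in a certificate, and what a hard-fail OCSP check looks like.
# Everything here is constructed for the demo; port 1 on 127.0.0.1 is
# assumed to be closed, standing in for a responder that does not work.
set -u
WORK=$(mktemp -d)

# Constructed CA and leaf. The leaf carries both an AIA OCSP URI and a
# CRL distribution point, the two places a client looks for revocation data.
OCSP_URL="http://127.0.0.1:1/"
CRL_URL="http://127.0.0.1:1/ca.crl"
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
  -subj "/CN=Demo Issuing CA" -days 30 2>/dev/null
cat > "$WORK/leaf.cnf" <<EOF
[ leaf ]
basicConstraints = CA:FALSE
authorityInfoAccess = OCSP;URI:$OCSP_URL
crlDistributionPoints = URI:$CRL_URL
EOF
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
  -subj "/CN=demo.example" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -out "$WORK/leaf.pem" -days 30 \
  -extfile "$WORK/leaf.cnf" -extensions leaf 2>/dev/null

# Responder URL from the AIA extension (id-ad-ocsp). $1 = certificate file.
ocsp_uri() { openssl x509 -in "$1" -noout -ocsp_uri; }

# First URI from the CRL Distribution Points extension. $1 = certificate file.
crl_dp() {
  openssl x509 -in "$1" -noout -text | grep -A4 'CRL Distribution Points' \
    | sed -n 's/.*URI://p' | head -n 1
}

# Query the responder and print one word: good / revoked / unknown / unreachable.
# "good" is printed only when the response verified against the issuer;
# an unverified or ambiguous answer is reported as unknown.
# $1 = leaf cert, $2 = issuer cert (also the trust anchor for the response), $3 = URL.
ocsp_status() {
  out=$(openssl ocsp -issuer "$2" -cert "$1" -CAfile "$2" -url "$3" -timeout 3 2>&1) \
    || { echo unreachable; return 0; }
  case "$out" in
    *"Response verify OK"*": good"*) echo good ;;
    *": revoked"*) echo revoked ;;
    *) echo unknown ;;
  esac
}

# Fail closed: only a verified "good" lets the certificate through.
# revoked, unknown and unreachable are all rejected.
revocation_verdict() {
  case "$1" in
    good) echo accept ;;
    *) echo reject ;;
  esac
}

leaf="$WORK/leaf.pem"; ca="$WORK/ca.pem"
status=$(ocsp_status "$leaf" "$ca" "$(ocsp_uri "$leaf")")
echo "OCSP URI: $(ocsp_uri "$leaf")"
echo "CRL DP:   $(crl_dp "$leaf")"
echo "status:   $status -> $(revocation_verdict "$status")"
```

A browser that soft-fails, as Firefox did when a responder timed out, would reach `accept` on the `unreachable` branch; a CA whose responder is down therefore leaves its revoked certificates effectively unrevoked for such clients, which is the point of the complaint above. For a real check, point `ocsp_status` at the URI returned by `ocsp_uri` for a certificate issued by the CA in question and its actual issuer certificate.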
