Daniel Veditz wrote:
> On 10/13/09 10:12 AM, Eddy Nigg wrote:
>> #B is important because we are already a month after the alleged bug
>> happened, plenty of time to get the act together. I think this warrants
>> some actions, a review and renewed confirmation of compliance might be a
>> good thing to do in this case.
> 
> These certs were revoked within days of the BlackHat talk.

Only because you and I separately reported the problem to them.

> The leaked cert is an old cert, we are not talking about a CA clueless for 
> the past ten weeks. IPSCA mailed us on Aug 3 that they had identified and 
> revoked nine bogus certs and had stopped issuing any certs until they fixed 
> their process to detect these attempts.

Yes, that is what their emails to you and me said.  I believe the part about
them adding 9 certs to their CRL, and them stopping the issuance of certs
until they made some changes to their software that examines CSRs.

But adding certs to the CRL doesn't fully satisfy the CA's revocation duty.
The certs they had issued contained OCSP extensions.  Those extensions
constitute a written promise to all relying parties that, if the cert is
revoked, information about that revocation will be available at the given
OCSP URI until the expiration date of the certificate.  And that part of the
promise was not, and is not now being, kept.

> From the domains involved we pretty much know who bought the certs, Moxie of
> course, and two other speakers we know about on the hacker-conference
> speaking circuit.
> 
> What we didn't know is that any of those three were irresponsibly handing out
> the private keys to the certs.

I submit that knowledge of who the attacker was and what his intentions were
does not excuse a CA for failure to fulfill its duties to the relying parties.
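As an added example (not from this thread or from anyone on it), the following POSIX shell script shows what the OCSP half of that promise looks like from the relying party's side, using only the openssl command line and no network. It builds a throwaway CA and a leaf certificate that carries an OCSP URI in its Authority Information Access extension, then answers an OCSP request for that leaf from a one-line CA database (the openssl index.txt format), once with the entry marked valid and once marked revoked, and reports the status a verifying client sees. The CA name, hostname, serial number, dates and the URI http://ocsp.example.test/ are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: exercise the OCSP half of a CA's
# revocation promise with the openssl command line, fully offline.
# Every name, serial, date and URI below is constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed OCSP URI that the leaf advertises in its AIA extension.
OCSP_URI="http://ocsp.example.test/"

# Build a self-signed CA and a leaf cert (serial 0x1001) whose AIA extension
# points relying parties at OCSP_URI. Runs once; later calls reuse the files.
make_test_pki() {
    [ -f "$WORK/leaf.pem" ] && return 0
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    printf 'authorityInfoAccess = OCSP;URI:%s\n' "$OCSP_URI" > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/leaf.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -set_serial 0x1001 -days 1 \
        -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# What a relying party reads out of the certificate: the responder it is told
# to ask about revocation for the life of the cert.
ocsp_uri() {
    make_test_pki
    openssl x509 -in "$WORK/leaf.pem" -noout -ocsp_uri
}

# Answer an OCSP request for the leaf from a one-line CA database whose status
# column is $1 (V = valid, R = revoked) and print the status the client sees.
ocsp_status() {
    status="$1"
    make_test_pki
    # index.txt columns: status, expiry, revocation time, serial, file, subject.
    # Both dates are constructed UTCTime values (YYMMDDHHMMSSZ).
    if [ "$status" = "R" ]; then revoked_at="090803120000Z"; else revoked_at=""; fi
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$status" "491231235959Z" "$revoked_at" \
        "1001" "unknown" "/CN=www.example.test" > "$WORK/index.txt"

    # Relying party: build the request from the leaf and its issuer.
    openssl ocsp -issuer "$WORK/ca.pem" -cert "$WORK/leaf.pem" -no_nonce \
        -reqout "$WORK/req.der" >/dev/null 2>&1
    # Responder: answer from the database, signing with the CA's own key.
    openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca.pem" \
        -rsigner "$WORK/ca.pem" -rkey "$WORK/ca.key" -no_nonce \
        -reqin "$WORK/req.der" -respout "$WORK/resp.der" -noverify >/dev/null 2>&1
    # Relying party: verify the signature on the response and read the status
    # line, which openssl prints as "<cert file>: good|revoked|unknown".
    openssl ocsp -issuer "$WORK/ca.pem" -cert "$WORK/leaf.pem" -no_nonce \
        -CAfile "$WORK/ca.pem" -respin "$WORK/resp.der" 2>/dev/null \
        | sed -n 's/^.*leaf\.pem: //p'
}

# Stand-alone run: the advertised responder, then both database states.
printf 'AIA OCSP URI in the leaf: %s\n' "$(ocsp_uri)"
for entry in V R; do
    printf 'index.txt status %s -> responder answers: %s\n' "$entry" "$(ocsp_status "$entry")"
done
```

The two runs make the point of the message concrete: the responder answers from whatever database it is given, not from the CRL, so a client that follows the AIA URI learns only what that database says. A serial that has been added to the CRL but is still marked V where the responder looks is answered "good" to every client that asks there, and the certificate's own extension keeps sending clients to that URI until the certificate expires.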

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security