On Friday, January 12, 2018 at 9:38:42 PM UTC-6, jo...@letsencrypt.org wrote:
> On Thursday, January 11, 2018 at 4:29:09 PM UTC-6, jo...@letsencrypt.org
> wrote:
> > On Thursday, January 11, 2018 at 3:36:50 PM UTC-6, Ryan Sleevi wrote:
> > > On Wed, Jan 10, 2018 at 4:33 AM, josh--- via dev-securit
On Thursday, January 11, 2018 at 4:29:09 PM UTC-6, jo...@letsencrypt.org wrote:
> On Thursday, January 11, 2018 at 3:36:50 PM UTC-6, Ryan Sleevi wrote:
> > On Wed, Jan 10, 2018 at 4:33 AM, josh--- via dev-security-policy <
> > dev-security-policy@lists.mozilla.org> wrote:
> >
> > > At approximatel
On Fri, Jan 12, 2018 at 02:52:54PM +, Doug Beattie via dev-security-policy
wrote:
> I’d like to follow up on our investigation and provide the community with
> some more information about how we use Method 9.
>
> 1) Client requests a test certificate for a domain (only one FQDN)
Does t
On Fri, Jan 12, 2018 at 4:24 PM, Doug Beattie
wrote:
> Wayne,
>
>
>
> We didn’t really investigate wildcard issuance yet, but we can.
>
>
>
> Given the discussion so far, we’re planning to proceed with a whitelisting
> approach tomorrow and we will plan to end the use of Method 9 (schedule
> TBD) wh
On Wednesday, January 10, 2018 at 4:24:54 PM UTC-5, Tim Hollebeek wrote:
> As you know, BR 3.2.5 requires CAs to verify the authenticity of a request
> for an OV certificate through a Reliable Method of Communication (RMOC).
> Email can be a RMOC, but in these cases, the email address was a const
Wayne,
We didn’t really investigate wildcard issuance yet, but we can.
Given the discussion so far, we’re planning to proceed with a whitelisting
approach tomorrow and we will plan to end the use of Method 9 (schedule TBD)
which follows Let’s Encrypt handling of Method 10. If there are any additi
On Fri, Jan 12, 2018 at 11:21 AM, Doug Beattie
wrote:
>
>
> Normally a web hosting provider should not let you set SNI for a domain
> someone else is using, especially on that IP address. I think this is
> where method 9 deviates from method 10.
>
>
>
I agree, it seems somewhat less likely that
On Thursday, June 1, 2017 at 5:03:15 PM UTC-7, Kathleen Wilson wrote:
> On Friday, May 26, 2017 at 9:32:57 AM UTC-7, Kathleen Wilson wrote:
> > On Wednesday, March 15, 2017 at 5:01:13 PM UTC-7, Kathleen Wilson wrote:
> > All,
> >
> > I requested that this CA perform a BR Self Assessment, and they
Just FYI that two new public reports are now available via the
https://wiki.mozilla.org/CA/Included_CAs wiki page. One for Problem
Reporting Mechanisms, and one for CAA identifiers.
Here are the direct links to the new reports:
https://ccadb-public.secure.force.com/mozilla/ProblemReportingMechan
On 11/15/17 1:48 PM, Kathleen Wilson wrote:
All,
The following report lists data for all root and intermediate cert
records in the CCADB.
https://ccadb-public.secure.force.com/mozilla/AllCertificateRecordsCSVFormat
A link to this report is here:
http://ccadb.org/resources
Cheers,
Kathlee
Wayne and Gerv,
I’ll try to answer both of your questions here.
From: Wayne Thayer [mailto:wtha...@mozilla.com]
Sent: Friday, January 12, 2018 11:03 AM
To: Doug Beattie
Cc: r...@sleevi.com; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Possible Issue with Domain Validation Method 9
On 12/01/18 14:52, Doug Beattie wrote:
> For shared IP address environments, it may be possible to receive a
> certificate for a domain you don’t actually control, but a number of
> things need to happen in order for this to be successful. What can
> go wrong?
Doug: what do you see as the exact d
Doug,
I have some questions:
>
> c. The hosting company must allow you to manually create and upload
> a CSR for a site you don’t own
>
> Did you mean to say 'certificate' here instead of 'CSR'?
d. The user must be able to trick the hosting provider to enable SNI
> for this domain a
Hanno, thanks for reporting this to us earlier today.
Mozilla, please consider adding https://crt.sh/?id=245397620 to OneCRL.
Thanks.
On 12/01/18 15:33, Hanno Böck via dev-security-policy wrote:
Hi,
Comodo ITSM (IT Service Management Software) runs an HTTPS server on
localhost and port 21185
Hi,
Comodo ITSM (IT Service Management Software) runs an HTTPS server on
localhost and port 21185. The domain localhost.cmdm.comodo.net pointed
to localhost.
It is obvious that with this setup the private key is part of the
application and thus compromised. With advanced next generation key
extra
Ryan,
I’d like to follow up on our investigation and provide the community with some
more information about how we use Method 9.
We use a process that we refer to as OneClick to automate the domain validation
and issuance of certificates by issuing a test certificate to an FQDN and then
verify
When I wrote my previous reply, I had not yet received Let's Encrypt's
post in which they announced they would not reenable TLS-SNI-01
globally. So this was written based on Let's Encrypt only *temporarily*
disabling TLS-SNI-01 as stated in their original post and *allegedly*
(according to 3rd pa