I contacted CPA Canada in early 2017 about XSS and some other issues on
cert.webtrust.org.
They did not fix the issues but stated:
> CPA Canada is currently working on upgrading the WebTrust site to
> enhance the security.
As of April 2018 the issues were still unfixed. I wonder if the limited
I don't think I'm giving away any big secret by revealing that the seal
website is just doing an http_referer check. If you are blocked when trying
to access an audit report on cert.webtrust.org, just set the referer to the
CA's domain name and refresh. You can do this with any number of Firefox
Thanks for the update, Kathleen.
This is truly unfortunate, and unquestionably does harm to the value and
brand of the WebTrust Seal, rather than provide value.
On Thu, Aug 9, 2018 at 7:19 PM, Kathleen Wilson via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> All,
>
> In
All,
In their effort to better protect WebTrust seals, CPA Canada has made it
so we can no longer access WebTrust pdf files directly from the CCADB.
I received the following response when inquiring about this.
“”
Thank you for contacting Chartered Professional Accountants of Canada.
You can
Hi Hanno,
The certificate has been revoked.
We're in the process of migrating our email addresses to all be on comodoca.com
and the emails for ssl_abuse@ got directed away from the monitored queue we
have in place for it. We didn't notice it straight away because there are some
other
Also, I'd like to encourage other CAs to comply with Issue 98 pro-actively,
even if it is not required. We're already in compliance.
-Tim
> -Original Message-
> From: dev-security-policy On
> Behalf Of Tim Hollebeek via dev-security-policy
> Sent: Thursday, August 9, 2018 10:26 AM
>
Yup, it was Mozilla policy that I was thinking of. Thanks.
I’m sad it didn’t make it into official Mozilla policy, as I thought it was a
pretty reasonable and non-controversial requirement. I’d support putting it in
the BRs.
-Tim
From: Ryan Sleevi
Sent: Thursday, August 9, 2018
+Adding Robin Alden and Richard Smith
-Original Message-
From: Hanno Böck
Sent: Thursday, August 09, 2018 10:51 AM
To: Jay Wilson via dev-security-policy
Cc: Jay Wilson ; Alex Cohn ;
ssl_ab...@comodo.com; mozilla-dev-security-pol...@lists.mozilla.org;
summern1...@gmail.com
Subject:
On Thu, 9 Aug 2018 13:24:48 +
Jay Wilson via dev-security-policy
wrote:
> The certificate has been revoked.
> The bounce issue has been escalated to resolve.
Really?
$ ocspverify 630835231.crt
Response verify OK
630835231.crt: good
This Update: Aug 4 15:34:50 2018 GMT
The proposed "Revocation Timeline Extension" ballot (formerly #213, soon to
become #SC6) [1] includes the following:
The CA SHALL provide Subscribers, Relying Parties, Application Software
Suppliers, and other third parties with clear instructions for reporting
suspected Private Key Compromise,
+Adding Robin Alden and Richard Smith
From: Ryan Sleevi
Sent: Thursday, August 09, 2018 8:15 AM
To: Tim Hollebeek
Cc: Alex Cohn ; ha...@hboeck.de;
mozilla-dev-security-pol...@lists.mozilla.org; #SSL_ABUSE
; summern1...@gmail.com
Subject: Re: localhost.megasyncloopback.mega.nz private key in
The certificate has been revoked.
The bounce issue has been escalated to resolve.
Regards,
From: Alex Cohn
Sent: Wednesday, August 08, 2018 5:01 PM
To: ha...@hboeck.de
Cc: summern1...@gmail.com; mozilla-dev-security-pol...@lists.mozilla.org;
#SSL_ABUSE
Subject: Re:
On Thu, Aug 9, 2018 at 8:24 AM, Nick Lamb via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Fri, 20 Jul 2018 21:38:45 -0700
> Peter Bowen via dev-security-policy
> wrote:
>
> > https://crt.sh/?id=294808610=zlint,cablint is one of the
> > certificates. It is not clear
Unfortunately, that's not correct. The CA/Browser Forum has passed no such
resolution, as can be seen at https://cabforum.org/ballots/ .
I believe you're confusing this with the discussion from
https://github.com/mozilla/pkipolicy/issues/98, which highlighted that the
BRs 4.9.3 requires clear
On Fri, 20 Jul 2018 21:38:45 -0700
Peter Bowen via dev-security-policy
wrote:
> https://crt.sh/?id=294808610=zlint,cablint is one of the
> certificates. It is not clear to me that there is an error here.
> The DNS names in the SAN are correctly encoded and the Common Name in
> the subject has
IIRC we recently passed a CABF ballot that the CPS must contain instructions
for submitting problem reports in a specific section of its CPS, in an attempt
to solve problems like this. This winter or early spring, if my memory is
correct.
-Tim
> -Original Message-
> From: