; Matthew Hardeman <mharde...@gmail.com>;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: StartCom issuing bogus certificates
Hi Inigo,
You mentioned there would be a report attached but I believe you forgot to send
it?
Can you upload the report and provide a URL?
dev-security-policy-bounces+inigo=startcomca@lists.mozilla.org
> ]
> On Behalf Of Gervase Markham via dev-security-policy
> Sent: Thursday, June 1, 2017 10:27
> To: Yuhong Bao <yuhongbao_...@hotmail.com>; Eric Mill <e...@konklone.com>;
> Jeremy Rowley <jeremy.
.@roeckx.be>; Matthew Hardeman <mharde...@gmail.com>
Subject: Re: StartCom issuing bogus certificates
On 01/06/17 01:48, Yuhong Bao wrote:
> I don't think there is anything important on example.com though
How would you like it if a CA decided there was nothing important on
your website and so decided it was OK to misissue certificates for it?
This requirement is a positive requirement ("must
ll <e...@konklone.com>
> Sent: Wednesday, May 31, 2017 4:34:20 PM
> To: Jeremy Rowley
> Cc: Kurt Roeckx; Yuhong Bao; mozilla-dev-security-pol...@lists.mozilla.org;
> Matthew Hardeman
> Subject: Re: StartCom issuing bogus certificates
>
> It's absolutely not harmless to us
rdeman
Subject: Re: StartCom issuing bogus certificates
It's absolutely not harmless to use example.com to test
certificate issuance. People visit example.com all the
time, given its role. An unauthorized certificate for
example.com<http://e
+jeremy.rowley=digicert.com@lists.mozilla
.org] On Behalf Of Kurt Roeckx via dev-security-policy
Sent: Wednesday, May 31, 2017 11:55 AM
To: Yuhong Bao <yuhongbao_...@hotmail.com>
Cc: mozilla-dev-security-pol...@lists.mozilla.org; Matthew Hardeman
<mharde...@gmail.com>
Subject: Re: Star
On Wed, May 31, 2017 at 05:09:57PM +, Yuhong Bao via dev-security-policy
wrote:
> The point is that "misissuance" of example.com is harmless as they are
> reserved by IANA.
But example.com is a real domain that even has an https
website. The certificate is issued by digicert, and the
ew Hardeman via
> dev-security-policy <dev-security-policy@lists.mozilla.org>
> Sent: Wednesday, May 31, 2017 10:08:10 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: StartCom issuing bogus certificates
>
> On Wednesday, May 31, 2017 at 12:04:51 PM UTC-5
On Wednesday, May 31, 2017 at 12:10:36 PM UTC-5, Yuhong Bao wrote:
> The point is that "misissuance" of example.com is harmless as they are
> reserved by IANA.
Except that having a trusted root CA in the major root programs is a privileged
club with a lot of non-obvious rules. One of those
ity-policy
<dev-security-policy@lists.mozilla.org>
Sent: Wednesday, May 31, 2017 10:08:10 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: StartCom issuing bogus certificates
On Wednesday, May 31, 2017 at 12:04:51 PM UTC-5, Yuhong Bao wrote:
> It would be better to use exa
rreira via dev-security-policy
<dev-security-policy@lists.mozilla.org>
Sent: Wednesday, May 31, 2017 9:21:00 AM
To: patryk.szczyglow...@gmail.com; mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: StartCom issuing bogus certificates
Hi all,
There's been a misunderstanding int
Wow.
That is disheartening. Those are issued from their newly cut intermediates
issued descending from their G3 root, which I had assumed was the
infrastructure that they intend to get audited for inclusion into the various
root programs again.
It would seem an issuance like that on that
Hi all,
There's been a misunderstanding internally when requested to create some "test"
certificates as indicated in the Microsoft root program requirements as stated
in 4b "Test URLs for each root, or a URL of a publicly accessible server that
Microsoft can use to verify the certificates."