Acquisition policy (was: Francisco Partners acquires Comodo certificate authority business)

[westmail24--- via dev-security-policy]

Hello Peter, 

But what prevents Francisco Partners making security nightmare after the 
probationary period? This is logical, I think.

Regards,
Andrew
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: DigiCert ROCA fingerprint incident report

[Rob Stradling via dev-security-policy]

I see all 7 of the certs identified in this thread in crt.sh:

Serial number: 4a907fbfc90eb043c50c9c8ace6305a1
SAN->dNSName: [www.]asik-portal.com
https://crt.sh/?id=13734110

Serial number: 8008c178d0d4cd3d79acc09f6ac132c
SAN->dNSName: *.Thameswater.co.uk
https://crt.sh/?id=249452540

Serial number: 2dab9a2d40a2f55c5d705551cf7cafe5
SAN->dNSName: *.thameswater.co.uk
https://crt.sh/?id=249452542

Serial number: 306b67f5c25ee0fd495d2be88979eb72
SAN->dNSName: *.thameswater.co.uk
https://crt.sh/?id=249452543

Serial number: 7c7b826b183093ba1e5b9850ac31d806
SAN->dNSName: *.thameswater.co.uk
https://crt.sh/?id=249452544

Serial number: 4c834767e44ecbd0cdef8e60c04dcf32
SAN->dNSName: r02s06.nex.yahoo.com
https://crt.sh/?id=153622290

Serial number: a18e9
Domain name: [www.]vwiscada.com
https://crt.sh/?id=42223834

On 07/11/17 18:27, Jeremy Rowley via dev-security-policy wrote:

I believe so – I asked that they all be logged, but I’ll need to double check 
whether it got done.

  


From: Alex Gaynor [mailto:agay...@mozilla.com]
Sent: Tuesday, November 7, 2017 11:23 AM
To: Jeremy Rowley 
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: DigiCert ROCA fingerprint incident report

  


Hi Jeremy,

  


Have all these certificates been submitted to CT?

  


Thanks!

Alex

  


On Tue, Nov 7, 2017 at 1:20 PM, Jeremy Rowley via dev-security-policy 
 > wrote:

Hey everyone,



Here's the DigiCert incident report about the ROCA fingerprints. Note that
these were all issued by Symantec (ie, before the transaction closed).



We became aware of the issue when it was posted to the mailing list.
However, at that time, the certs were not operated by DigiCert. We became
aware that DigiCert needed to take action on close (Nov 1).  At that time,
the new combined team launched an investigation to determine the impacted
certs. Six certs were identified and revoked:




4a907fbfc90eb043c50c9c8ace6305a1


8008c178d0d4cd3d79acc09f6ac132c


2dab9a2d40a2f55c5d705551cf7cafe5


306b67f5c25ee0fd495d2be88979eb72


7c7b826b183093ba1e5b9850ac31d806


4c834767e44ecbd0cdef8e60c04dcf32



These certs were all revoked around Nov 3, within 24 hours of identifying
the impacted certs at DigiCert.



Jeremy


--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Third party use of OneCRL

[Niklas Bachmaier via dev-security-policy]

Hi Gerv,

thanks a lot! Currently we don't know yet if the download would be
centralized or per host as we are just figuring out the concept. I totally
see that large numbers of requests would be something we need to talk about
with you first.

Have a nice day
Niklas

2017-11-08 9:13 GMT+01:00 Gervase Markham :

> On 07/11/17 14:08, niklas.bachma...@googlemail.com wrote:
> > I'm working for a big managed security provider. We would like to
> > benefit from OneCRL as a means of improving our certificate
> > revocation checking.
>
> As in, you'd like to download one copy per day, or you'd like 100,000
> clients to download one copy per day?
>
> > I could download OneCRL at
> > https://firefox.settings.services.mozilla.com/v1/buckets/blocklists/
> collections/certificates/records.
> > My question is if there is a license on OneCRL or if we are free to
> > use it?
>
> We have not put an explicit license on the data but certainly, in
> keeping with Mozilla's principles of openness and sharing, it is
> available for all to use. However, that doesn't mean our IT team might
> not take action against clients making abusively large numbers of
> requests. So if your usage of the list might get noticed, it would be
> wise to talk to us first.
>
> > Further I'm wondering if Mozilla has already thought about
> > third party users and provides another way of getting the most recent
> > version of OneCRL than getting the above mentioned website and
> > comparing if the content has changed?
>
> What other method might you have in mind that would be better than a
> computer-readable highly-available web service? I suspect if you send it
> an If-Modified-Since or other similar headers you might also get a Not
> Modified response rather than another copy of the data. But look at the
> code for Kinto or ask the people who wrote it.
>
> Gerv
>
>
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Third party use of OneCRL

[Gervase Markham via dev-security-policy]

On 07/11/17 14:08, niklas.bachma...@googlemail.com wrote:
> I'm working for a big managed security provider. We would like to
> benefit from OneCRL as a means of improving our certificate
> revocation checking.

As in, you'd like to download one copy per day, or you'd like 100,000
clients to download one copy per day?

> I could download OneCRL at
> https://firefox.settings.services.mozilla.com/v1/buckets/blocklists/collections/certificates/records.
> My question is if there is a license on OneCRL or if we are free to
> use it?

We have not put an explicit license on the data but certainly, in
keeping with Mozilla's principles of openness and sharing, it is
available for all to use. However, that doesn't mean our IT team might
not take action against clients making abusively large numbers of
requests. So if your usage of the list might get noticed, it would be
wise to talk to us first.

> Further I'm wondering if Mozilla has already thought about
> third party users and provides another way of getting the most recent
> version of OneCRL than getting the above mentioned website and
> comparing if the content has changed?

What other method might you have in mind that would be better than a
computer-readable highly-available web service? I suspect if you send it
an If-Modified-Since or other similar headers you might also get a Not
Modified response rather than another copy of the data. But look at the
code for Kinto or ask the people who wrote it.

Gerv

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy