Acquisition policy (was: Francisco Partners acquires Comodo certificate authority business)
Hello Peter,

But what prevents Francisco Partners from making a security nightmare after the probationary period? This is logical, I think.

Regards,
Andrew
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: DigiCert ROCA fingerprint incident report
I see all 7 of the certs identified in this thread in crt.sh:

Serial number: 4a907fbfc90eb043c50c9c8ace6305a1
SAN->dNSName: [www.]asik-portal.com
https://crt.sh/?id=13734110

Serial number: 8008c178d0d4cd3d79acc09f6ac132c
SAN->dNSName: *.Thameswater.co.uk
https://crt.sh/?id=249452540

Serial number: 2dab9a2d40a2f55c5d705551cf7cafe5
SAN->dNSName: *.thameswater.co.uk
https://crt.sh/?id=249452542

Serial number: 306b67f5c25ee0fd495d2be88979eb72
SAN->dNSName: *.thameswater.co.uk
https://crt.sh/?id=249452543

Serial number: 7c7b826b183093ba1e5b9850ac31d806
SAN->dNSName: *.thameswater.co.uk
https://crt.sh/?id=249452544

Serial number: 4c834767e44ecbd0cdef8e60c04dcf32
SAN->dNSName: r02s06.nex.yahoo.com
https://crt.sh/?id=153622290

Serial number: a18e9
Domain name: [www.]vwiscada.com
https://crt.sh/?id=42223834

On 07/11/17 18:27, Jeremy Rowley via dev-security-policy wrote:
> I believe so – I asked that they all be logged, but I'll need to double check whether it got done.
>
> From: Alex Gaynor [mailto:agay...@mozilla.com]
> Sent: Tuesday, November 7, 2017 11:23 AM
> To: Jeremy Rowley
> Cc: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: DigiCert ROCA fingerprint incident report
>
> Hi Jeremy,
>
> Have all these certificates been submitted to CT?
>
> Thanks!
> Alex
>
> On Tue, Nov 7, 2017 at 1:20 PM, Jeremy Rowley via dev-security-policy wrote:
>> Hey everyone,
>>
>> Here's the DigiCert incident report about the ROCA fingerprints. Note that these were all issued by Symantec (i.e., before the transaction closed). We became aware of the issue when it was posted to the mailing list. However, at that time, the certs were not operated by DigiCert. We became aware that DigiCert needed to take action on close (Nov 1). At that time, the new combined team launched an investigation to determine the impacted certs.
>>
>> Six certs were identified and revoked:
>> 4a907fbfc90eb043c50c9c8ace6305a1
>> 8008c178d0d4cd3d79acc09f6ac132c
>> 2dab9a2d40a2f55c5d705551cf7cafe5
>> 306b67f5c25ee0fd495d2be88979eb72
>> 7c7b826b183093ba1e5b9850ac31d806
>> 4c834767e44ecbd0cdef8e60c04dcf32
>>
>> These certs were all revoked around Nov 3, within 24 hours of identifying the impacted certs at DigiCert.
>>
>> Jeremy

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Re: Third party use of OneCRL
Hi Gerv,

thanks a lot! Currently we don't know yet if the download would be centralized or per host, as we are just figuring out the concept. I totally see that large numbers of requests would be something we need to talk about with you first.

Have a nice day
Niklas

2017-11-08 9:13 GMT+01:00 Gervase Markham:
> On 07/11/17 14:08, niklas.bachma...@googlemail.com wrote:
>> I'm working for a big managed security provider. We would like to benefit from OneCRL as a means of improving our certificate revocation checking.
>
> As in, you'd like to download one copy per day, or you'd like 100,000 clients to download one copy per day?
>
>> I could download OneCRL at https://firefox.settings.services.mozilla.com/v1/buckets/blocklists/collections/certificates/records.
>> My question is if there is a license on OneCRL or if we are free to use it?
>
> We have not put an explicit license on the data but certainly, in keeping with Mozilla's principles of openness and sharing, it is available for all to use. However, that doesn't mean our IT team might not take action against clients making abusively large numbers of requests. So if your usage of the list might get noticed, it would be wise to talk to us first.
>
>> Further I'm wondering if Mozilla has already thought about third party users and provides another way of getting the most recent version of OneCRL than getting the above mentioned website and comparing if the content has changed?
>
> What other method might you have in mind that would be better than a computer-readable highly-available web service? I suspect if you send it an If-Modified-Since or other similar headers you might also get a Not Modified response rather than another copy of the data. But look at the code for Kinto or ask the people who wrote it.
>
> Gerv
Re: Third party use of OneCRL
On 07/11/17 14:08, niklas.bachma...@googlemail.com wrote:
> I'm working for a big managed security provider. We would like to benefit from OneCRL as a means of improving our certificate revocation checking.

As in, you'd like to download one copy per day, or you'd like 100,000 clients to download one copy per day?

> I could download OneCRL at https://firefox.settings.services.mozilla.com/v1/buckets/blocklists/collections/certificates/records.
> My question is if there is a license on OneCRL or if we are free to use it?

We have not put an explicit license on the data but certainly, in keeping with Mozilla's principles of openness and sharing, it is available for all to use. However, that doesn't mean our IT team might not take action against clients making abusively large numbers of requests. So if your usage of the list might get noticed, it would be wise to talk to us first.

> Further I'm wondering if Mozilla has already thought about third party users and provides another way of getting the most recent version of OneCRL than getting the above mentioned website and comparing if the content has changed?

What other method might you have in mind that would be better than a computer-readable highly-available web service? I suspect if you send it an If-Modified-Since or other similar headers you might also get a Not Modified response rather than another copy of the data. But look at the code for Kinto or ask the people who wrote it.

Gerv
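The conditional-request approach Gerv suggests, and the lookup a third party would do against the downloaded list, as an added example that is not Mozilla's or Kinto's code. It assumes, as documented for the Kinto HTTP API rather than stated in the thread, that the records endpoint returns {"data": [...]} with a per-record last_modified, that its ETag is the newest last_modified in quotes, and that it answers If-None-Match with 304; the OneCRL field names issuerName and serialNumber (base64 DER) follow the live collection, while the response body and values below are constructed placeholders.

```python
import base64
import json
from typing import Optional

ONECRL_URL = ("https://firefox.settings.services.mozilla.com/v1/buckets/"
              "blocklists/collections/certificates/records")


def serial_to_b64(hex_serial: str) -> str:
    """OneCRL stores serial numbers as base64 of the raw serial bytes."""
    return base64.b64encode(bytes.fromhex(hex_serial)).decode("ascii")


# Constructed sample response (placeholder issuer and serials, not real entries).
FAKE_ISSUER = base64.b64encode(b"placeholder issuer DER").decode("ascii")
SAMPLE_RESPONSE = json.dumps({"data": [
    {"id": "rec-1", "last_modified": 1510000000000,
     "issuerName": FAKE_ISSUER, "serialNumber": serial_to_b64("0102030405060708")},
    {"id": "rec-2", "last_modified": 1510000500000,
     "issuerName": FAKE_ISSUER, "serialNumber": serial_to_b64("0f0e0d0c0b0a0908")},
]})


class OneCRLClient:
    """Holds one cached copy of the collection and the ETag that identifies it."""

    def __init__(self) -> None:
        self.etag: Optional[str] = None
        self.revoked: set = set()  # {(issuerName, serialNumber)} as base64 strings

    def request_headers(self) -> dict:
        # Send the ETag of the cached copy so an unchanged list comes back as
        # 304 Not Modified instead of a full download (Gerv's suggestion).
        return {"If-None-Match": self.etag} if self.etag else {}

    def apply_response(self, status: int, body: str = "") -> bool:
        """Ingest a response; True if the cached copy changed, False on 304."""
        if status == 304:
            return False
        if status != 200:
            raise RuntimeError(f"unexpected status {status} from OneCRL")
        records = json.loads(body)["data"]
        self.revoked = {(r["issuerName"], r["serialNumber"]) for r in records}
        # Assumed: Kinto's ETag is the newest record last_modified, quoted.
        self.etag = '"%d"' % max(r["last_modified"] for r in records)
        return True

    def is_revoked(self, issuer_b64: str, hex_serial: str) -> bool:
        return (issuer_b64, serial_to_b64(hex_serial)) in self.revoked
```

Fetching ONECRL_URL with request_headers() from one central poller and distributing the parsed set internally keeps the request volume at one client's worth, which is the concern Gerv raises.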