RE: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-17 Thread Richard Wang
I checked the certificate: it is a client certificate issued to the person -- PANG Ming Sum: CN = PANG Ming Sum E = todd.p...@autotoll.com.hk OU = AUTOTOLL LIMITED OU = 21506338215100635386 OU = 0001890584 O = Hongkong Post e-Cert (Organisational) C = HK The problem is this certificate do

Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-17 Thread Andrew Ayer
On Wed, 17 Aug 2016 11:43:45 -0700 (PDT) cspann...@gmail.com wrote: > On Wednesday, August 17, 2016 at 10:31:29 AM UTC-7, Andrew Ayer wrote: > > The attacker has to be able to control (or predict) the prefix of > > the data signed by the CA (which in the case of a TBSCertificate, > > includes the

Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-17 Thread Kurt Roeckx
On Wed, Aug 17, 2016 at 11:43:45AM -0700, cspann...@gmail.com wrote: > On Wednesday, August 17, 2016 at 10:31:29 AM UTC-7, Andrew Ayer wrote: > > The attacker has to be able to control (or predict) the prefix of the > > data signed by the CA (which in the case of a TBSCertificate, includes > > the

Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-17 Thread cspann187
On Wednesday, August 17, 2016 at 10:31:29 AM UTC-7, Andrew Ayer wrote: > The attacker has to be able to control (or predict) the prefix of the > data signed by the CA (which in the case of a TBSCertificate, includes > the serial number), as well as the prefix of the forged certificate. > However, t

Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-17 Thread Andrew Ayer
On Wed, 17 Aug 2016 19:08:08 +0200 Kurt Roeckx wrote: > On Wed, Aug 17, 2016 at 09:55:24AM -0700, Ryan Sleevi wrote: > > > I don't think adding that CA certificate to OneCRL is enough, > > > that would only protect Mozilla users. They should revoke all > > > the relevant certificates. > > > > D

Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-17 Thread Kurt Roeckx
On Wed, Aug 17, 2016 at 09:55:24AM -0700, Ryan Sleevi wrote: > > I don't think adding that CA certificate to OneCRL is enough, that would > > only protect Mozilla users. They should revoke all the relevant > > certificates. > > Define "relevant"? If a SHA-1 collision has been mounted, Hongkong

Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-17 Thread Ryan Sleevi
On Wednesday, August 17, 2016 at 3:56:55 AM UTC-7, Nick Lamb wrote: > Mozilla's users are threatened by attacks on the Web PKI even if those > attacks don't work on Firefox itself. Most of its users rely on an OS made by > the other trust store operators, and in which almost all TLS-capable > co

Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-17 Thread Ryan Sleevi
On Wednesday, August 17, 2016 at 2:55:50 AM UTC-7, Kurt Roeckx wrote: > I don't see that being asked, it was just pointed out that this is a > violation of the BR requirements, and that the CA certificate might get > added to OneCRL preventing its use to issue certificates for server > authenti

Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-17 Thread Ryan Sleevi
On Wednesday, August 17, 2016 at 2:53:38 AM UTC-7, ma...@certizen.com wrote: > Through our effort of sunsetting the "Hongkong Post e-Cert CA 1 - 10" for SSL > certificates, the majority of SHA-1 SSL certificates will have expired by 31 Dec > 2016, leaving only a few SHA-1 SSL certificates that are val

Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-17 Thread Nick Lamb
On Wednesday, 17 August 2016 04:24:27 UTC+1, Ryan Sleevi wrote: > That option's pretty much a non-starter for reasons best not speculated about, > but I'm curious: Why or how would that improve the security of Mozilla users? > And if it doesn't meaningfully improve their security, how would it at

Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-17 Thread Kurt Roeckx
On 2016-08-17 11:24, Matt Palmer wrote: On Wed, Aug 17, 2016 at 10:22:13AM +0200, Kurt Roeckx wrote: On 2016-08-17 00:23, Ryan Sleevi wrote: Practically speaking, what steps could be taken? 6) Ask them to immediately stop issuing SHA-1 based certificates that chain back to any of the root cer

Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-17 Thread manho
On Wednesday, August 17, 2016 at 3:02:26 PM UTC+8, Matt Palmer wrote: > On Tue, Aug 16, 2016 at 10:22:36PM -0700, ma...@certizen.com wrote: > > and have been issuing SHA-256 SSL certificates under "Hongkong Post e-Cert > > CA 1- 14" and "Hongkong Post e-Cert CA 1 - 15" respectively > > "respective

Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-17 Thread Matt Palmer
On Wed, Aug 17, 2016 at 10:22:13AM +0200, Kurt Roeckx wrote: > On 2016-08-17 00:23, Ryan Sleevi wrote: > >Practically speaking, what steps could be taken? > > 6) Ask them to immediately stop issuing SHA-1 based certificates that chain > back to any of the root certificates in the Mozilla root stor

Re: Summary of August 2016 Audit Reminder Emails

2016-08-17 Thread Kurt Roeckx
On 2016-08-16 21:42, Kathleen Wilson wrote: Root Certificates: Autoridad de Certificacion Firmaprofesional CIF A62634068 [...] 2) jurisdictionOfIncorporation should be PrintableString coded, but we code it in UTF8: we fail to understand this requirement when UTF8 is more recent and to encod

Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-17 Thread Kurt Roeckx
On 2016-08-17 00:23, Ryan Sleevi wrote: Practically speaking, what steps could be taken? 6) Ask them to immediately stop issuing SHA-1 based certificates that chain back to any of the root certificates in the Mozilla root store, and revoke the one they shouldn't have issued. If they fail to

Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-17 Thread Matt Palmer
On Tue, Aug 16, 2016 at 10:22:36PM -0700, ma...@certizen.com wrote: > and have been issuing SHA-256 SSL certificates under "Hongkong Post e-Cert > CA 1- 14" and "Hongkong Post e-Cert CA 1 - 15" respectively "respectively" in what sense? > This certificate is a client certificate issued to a perso