If you have the letters from your auditor, you can upload them as an
attachment to a Bugzilla bug, then submit the links in your CCADB audit
case. It's preferable to be able to verify the audit letters via the seal
on the WebTrust site, but Mozilla doesn't require it - we can contact the
auditor
We (ISRG / Let's Encrypt) have completed our 2017 WebTrust audits, the letters
are written and signed, but CPA Canada is unable to process our final seals due
to a personnel issue on their end. Nobody who can sign off is available, and
apparently it could take another 2+ weeks for them to
On Tue, Feb 27, 2018 at 12:09:01AM +0100, Jakob Bohm via dev-security-policy
wrote:
>
> Hence why an investigation is needed by the 3 CAs named in the paper
> (Comodo, Digicert and Apple). They will probably have to do some deep
> log inspection to figure out patterns, besides reaching out to
On 26/02/2018 21:28, Ryan Sleevi wrote:
On Mon, Feb 26, 2018 at 3:05 PM, Wayne Thayer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
On Mon, Feb 26, 2018 at 12:23 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
On 26/02/2018
On Mon, Feb 26, 2018 at 3:05 PM, Wayne Thayer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Mon, Feb 26, 2018 at 12:23 PM, Jakob Bohm via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > On 26/02/2018 10:27, Kurt Roeckx wrote:
> >
> >> I
On Mon, Feb 26, 2018 at 2:23 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On 26/02/2018 10:27, Kurt Roeckx wrote:
>
>> I just came across this:
>>
>> https://www.recordedfuture.com/code-signing-certificates/
>>
>> I think the most important part of it
On 26/02/2018 10:27, Kurt Roeckx wrote:
I just came across this:
https://www.recordedfuture.com/code-signing-certificates/
I think the most important part of it is: "we confirmed with a high
degree of certainty that the certificates are created for a specific
buyer per request only and are
The article also claims that bad actors are selling EV SSL certificates
that they obtain for real companies without their knowledge:
"to guarantee the issuance and lifespan of the products, all certificates
are registered using the information of real corporations. With a high
degree of
I just came across this:
https://www.recordedfuture.com/code-signing-certificates/
I think the most important part of it is: "we confirmed with a high
degree of certainty that the certificates are created for a specific
buyer per request only and are registered using stolen corporate
9 matches