Re: potential audit delay due to issue with CPA Canada

2018-02-26 Thread Wayne Thayer via dev-security-policy
If you have the letters from your auditor, you can upload them as an attachment to a Bugzilla bug, then submit the links in your CCADB audit case. It's preferable to be able to verify the audit letters via the seal on the WebTrust site, but Mozilla doesn't require it - we can contact the auditor

potential audit delay due to issue with CPA Canada

2018-02-26 Thread josh--- via dev-security-policy
We (ISRG / Let's Encrypt) have completed our 2017 WebTrust audits, the letters are written and signed, but CPA Canada is unable to process our final seals due to a personnel issue on their end. Nobody who can sign off is available, and apparently it could take another 2+ weeks for them to

Re: Code signing and malware

2018-02-26 Thread Kurt Roeckx via dev-security-policy
On Tue, Feb 27, 2018 at 12:09:01AM +0100, Jakob Bohm via dev-security-policy wrote: > Hence why an investigation is needed by the 3 CAs named in the paper (Comodo, Digicert and Apple). They will probably have to do some deep log inspection to figure out patterns, besides reaching out to

Re: Code signing and malware

2018-02-26 Thread Jakob Bohm via dev-security-policy
On 26/02/2018 21:28, Ryan Sleevi wrote: On Mon, Feb 26, 2018 at 3:05 PM, Wayne Thayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: On Mon, Feb 26, 2018 at 12:23 PM, Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: On 26/02/2018

Re: Code signing and malware

2018-02-26 Thread Ryan Sleevi via dev-security-policy
On Mon, Feb 26, 2018 at 3:05 PM, Wayne Thayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > On Mon, Feb 26, 2018 at 12:23 PM, Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: >> On 26/02/2018 10:27, Kurt Roeckx wrote: >>> I

Re: Code signing and malware

2018-02-26 Thread Ryan Sleevi via dev-security-policy
On Mon, Feb 26, 2018 at 2:23 PM, Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > On 26/02/2018 10:27, Kurt Roeckx wrote: >> I just came across this: https://www.recordedfuture.com/code-signing-certificates/ I think the most important part of it

Re: Code signing and malware

2018-02-26 Thread Jakob Bohm via dev-security-policy
On 26/02/2018 10:27, Kurt Roeckx wrote: I just came across this: https://www.recordedfuture.com/code-signing-certificates/ I think the most important part of it is: "we confirmed with a high degree of certainty that the certificates are created for a specific buyer per request only and are

Re: Code signing and malware

2018-02-26 Thread Wayne Thayer via dev-security-policy
The article also claims that bad actors are selling EV SSL certificates that they obtain for real companies without their knowledge: "to guarantee the issuance and lifespan of the products, all certificates are registered using the information of real corporations. With a high degree of

Code signing and malware

2018-02-26 Thread Kurt Roeckx via dev-security-policy
I just came across this: https://www.recordedfuture.com/code-signing-certificates/ I think the most important part of it is: "we confirmed with a high degree of certainty that the certificates are created for a specific buyer per request only and are registered using stolen corporate