Re: Pre-Incident Report - GoDaddy Serial Number Entropy

2019-03-15 Thread Daymion Reynolds via dev-security-policy
On Friday, March 15, 2019 at 12:53:15 PM UTC-7, Daymion Reynolds wrote: > On Friday, March 15, 2019 at 12:45:39 PM UTC-7, Ryan Sleevi wrote: > > On Fri, Mar 15, 2019 at 3:35 PM Daymion Reynolds via dev-security-policy < > > dev-security-policy@lists.mozilla.org> wrote: >

Re: Pre-Incident Report - GoDaddy Serial Number Entropy

2019-03-15 Thread Daymion Reynolds via dev-security-policy
On Friday, March 15, 2019 at 12:45:39 PM UTC-7, Ryan Sleevi wrote: > On Fri, Mar 15, 2019 at 3:35 PM Daymion Reynolds via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > > On Wednesday, March 13, 2019 at 8:17:00 PM UTC-4

Re: Pre-Incident Report - GoDaddy Serial Number Entropy

2019-03-15 Thread Daymion Reynolds via dev-security-policy
On Friday, March 15, 2019 at 12:35:47 PM UTC-7, Daymion Reynolds wrote: > On Friday, March 15, 2019 at 12:25:37 PM UTC-7, ad...@adamcaudill.com wrote: > > Daymion, > > > > (Apologies in advance if I've missed something that led to these results. > > These results rely on the crt.sh database,

Re: Pre-Incident Report - GoDaddy Serial Number Entropy

2019-03-15 Thread Daymion Reynolds via dev-security-policy
On Friday, March 15, 2019 at 12:25:37 PM UTC-7, ad...@adamcaudill.com wrote: > Daymion, > > (Apologies in advance if I've missed something that led to these results. > These results rely on the crt.sh database, which I will admit to being less > familiar with than I would like.) > > While

Re: Pre-Incident Report - GoDaddy Serial Number Entropy

2019-03-14 Thread Daymion Reynolds via dev-security-policy
On Thursday, March 14, 2019 at 3:13:51 PM UTC-7, Jaime Hablutzel wrote: > > 64bits_entropy = GetRandom64Bits() //This returns 64 random bits from a > > CSPRNG with at least one bit in the highest byte set to 1 > > > > is, strictly speaking, not true. The best possible implementation for > >

Re: Pre-Incident Report - GoDaddy Serial Number Entropy

2019-03-13 Thread Daymion Reynolds via dev-security-policy
On Thursday, March 7, 2019 at 7:01:41 PM UTC-7, Daymion Reynolds wrote: > As of 9pm AZ on 3/6/2019 GoDaddy started researching the 64bit certificate > Serial Number issue. We have identified a significant quantity of > certificates (> 1.8 million) not meeting the 64bit serial number requirement.

Re: Pre-Incident Report - GoDaddy Serial Number Entropy

2019-03-12 Thread Daymion Reynolds via dev-security-policy
On Tuesday, March 12, 2019 at 11:32:38 AM UTC-7, Ryan Sleevi wrote: > On Tue, Mar 12, 2019 at 2:22 PM Daymion Reynolds via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > The crux of the difference is in the DER format interpretation. The fact >

Re: Pre-Incident Report - GoDaddy Serial Number Entropy

2019-03-12 Thread Daymion Reynolds via dev-security-policy
On Tuesday, March 12, 2019 at 9:54:56 AM UTC-7, ad...@adamcaudill.com wrote: > Daymion, > > You linked to a thread in m.d.s.p and cited it as confirming a specific > interpretation of 7.1 - as that's a long thread (with some possible > questionable information), could you possibly share what

Re: Pre-Incident Report - GoDaddy Serial Number Entropy

2019-03-12 Thread Daymion Reynolds via dev-security-policy
As of 9pm AZ on 3/6/2019 GoDaddy started researching the 64bit certificate Serial Number issue. Due to a m.d.s.p.[1] discussion validating an interpretation of BR 7.1 our revised count is approximately 12,152 live certificates not meeting the 64bit serial number requirement. Additionally, we

Re: EJBCA defaulting to 63 bit serial numbers

2019-03-11 Thread Daymion Reynolds via dev-security-policy
On Monday, March 11, 2019 at 8:57:27 AM UTC-7, Ryan Sleevi wrote: > I don’t think there’s anything inherently wrong with an approach that uses > a fixed prefix, whether of one bit or more, provided that there is at least > 64 bits of entropy included in the serial prior to encoding to DER. > >

Re: EJBCA defaulting to 63 bit serial numbers

2019-03-11 Thread Daymion Reynolds via dev-security-policy
On Saturday, March 9, 2019 at 5:15:50 PM UTC-7, Wayne Thayer wrote: > On Sat, Mar 9, 2019 at 12:49 PM Dimitris Zacharopoulos via > dev-security-policy wrote: > > > > > The question I'm having trouble answering, and I would appreciate if > > this was answered by the Mozilla CA Certificate Policy

Re: Pre-Incident Report - GoDaddy Serial Number Entropy

2019-03-08 Thread Daymion Reynolds via dev-security-policy
Our goal is to reissue all the certificates within the next 30 days. We have started the revocation process. We have a significant number of customers that use manual methods for managing their certificates, so being agile for them is difficult. We want to keep our customers using https through

Pre-Incident Report - GoDaddy Serial Number Entropy

2019-03-07 Thread Daymion Reynolds via dev-security-policy
As of 9pm AZ on 3/6/2019 GoDaddy started researching the 64bit certificate Serial Number issue. We have identified a significant quantity of certificates (> 1.8 million) not meeting the 64bit serial number requirement. We are still performing accounting so certificate quantity is expected to

Re: GoDaddy Revocation Disclosure

2018-08-20 Thread Daymion Reynolds via dev-security-policy
d ensure such > issuance will not be repeated in the future, accompanied with a timeline of > when your CA expects to accomplish these things. > > - Wayne > > [1] https://wiki.mozilla.org/CA/Responding_To_An_Incident#Incident_Report > > On Mon, Aug 20, 2018 at 9:26 AM Daymion Reynolds

Re: GoDaddy Revocation Disclosure

2018-08-20 Thread Daymion Reynolds via dev-security-policy
On Saturday, August 18, 2018 at 2:27:05 PM UTC-7, Ben Laurie wrote: > On Fri, 17 Aug 2018 at 18:22, Daymion Reynolds via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > Revoke Disclosure > > > > GoDaddy has been proactivel

GoDaddy Revocation Disclosure

2018-08-17 Thread Daymion Reynolds via dev-security-policy
Revoke Disclosure GoDaddy has been proactively performing self-audits. As part of this process, we identified a vulnerability in our code that would allow our validation controls to be bypassed. This bug would allow for a Random Value that was generated for intended use with Method 3.2.2.4.6

Re: GoDaddy Revocations Due to a Variety of Issues

2018-07-23 Thread Daymion Reynolds via dev-security-policy
Jul 20, 2018 at 6:39 PM Daymion Reynolds via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > The certificates were identified by analyzing results from both zlint and > > certlint. We also verified all lint findings against current and past BRs.

GoDaddy Revocations Due to a Variety of Issues

2018-07-20 Thread Daymion Reynolds via dev-security-policy
Revoke Notification GoDaddy has been proactively auditing certificates under management. We have identified 1000 certificates having one or more of the 6 issues defined below. The majority of these certs are 3yrs old or older. Most are from 2013 or before. The certificates were identified

Malformed Certificate Revocation - Godaddy

2018-05-30 Thread Daymion Reynolds via dev-security-policy
CA first become aware: We first became aware of the malformed certificates https://crt.sh/?id=250008707=cablint,x509lint,zlint,ocsp & https://crt.sh/?id=49843724=zlint,cablint,x509lint,ocsp via a Bugzilla bug report on 5/18 and an email to practices@. Timeline of the actions: 5/18 1am

Re: Discovering unlogged certificates in internet-wide scans

2018-04-09 Thread Daymion Reynolds via dev-security-policy
As an FYI only: We did review the one cert cited below for term length. The certificate was issued in 2013 before the current max term duration was defined. This cert is grandfathered in and does not require revocation. In May of this year it expires. regards, Daymion On Sunday, April 1,

Incident Report : GoDaddy certificates with ROCA Fingerprint

2017-10-24 Thread Daymion Reynolds via dev-security-policy
Godaddy LLC first became aware of possible ROCA vulnerability exposure on Monday October 16th 2017 at 9:30am. The following are the steps we took for detection, revocation, and the permanent fix of certificate provisioning: • Monday October 16th 2017 AZ, first became aware of the ROCA