Re: Nation State MITM CA's ?

2019-08-07 Thread RS Tyler Schroder via dev-security-policy
News reports[1][2] are now showing that the certificate has been "cancelled". I do not have a way to verify that it has been revoked independently at this time. Sources: [1] https://tsarka.org/post/national-certificate-cancelled [2] https://www.reuters.com/article/us-kazakhstan-internet-surveill

RE: [EXT]Unretrievable CPS documents listed in CCADB

2019-05-03 Thread (RS) Tyler Schroder via dev-security-policy
Hi Corey, FWIW, at least one of those CAs is no longer active, such as 5388 WoSign: https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/ - do old CAs get removed from CCADB or marked inactive in that system? I do like the idea of linking the specific d

Re: Comodo Rebrand to Sectigo

2018-11-07 Thread (RS) Tyler Schroder via dev-security-policy
Thanks for the clarification! That makes much more sense. -Tyler On 11/7/2018 6:28 AM, Rob Stradling via dev-security-policy wrote: > On 07/11/2018 01:36, RS Tyler Schroder via dev-security-policy wrote: >> Based

Comodo Rebrand to Sectigo

2018-11-06 Thread RS Tyler Schroder via dev-security-policy
Based on a recent visit to crt.sh, Comodo has rebranded to Sectigo (Talked with Wayne off-list to confirm there's no announcement required under BR Sec. 8, so just posting it for general awareness / discussion) -Tyler

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-09 Thread (RS) Tyler Schroder via dev-security-policy
The legal definition that I came across is "In United States law, a stipulation is a formal legal acknowledgment and agreement made between opposing parties before a pending hearing or trial

Re: Incident Report - Misissuance of one certificate without DNS CAA authorization (Certigna)

2018-09-12 Thread RS Tyler Schroder via dev-security-policy
> The unqualified mention of "September 8" confused me at first, but it > obviously refers to the "CAA Mandatory BR" taking effect on "September > 8, 2017", thus the single misissuance probably happened between > September 8, 2017 and when they changed the policy on August 31, 2018. > > However

Re: Incident Report - Misissuance of one certificate without DNS CAA authorization (Certigna)

2018-09-12 Thread RS Tyler Schroder via dev-security-policy
On Tuesday, September 11, 2018 at 3:34:45 AM UTC-4, josselin@gmail.com wrote: > The audit of our previous CAA check practices ensured that the CA/B Forum > requirements were met except for a single certificate for which the CA was > not authorized to issue according to the DNS CAA record. >

Re: Trustico code injection

2018-03-01 Thread RS Tyler Schroder via dev-security-policy
On Thursday, March 1, 2018 at 2:43:05 PM UTC-5, Tom wrote: > > Therefore, it is not unreasonable to assume that this key has been > > compromised. > > > So it means that any private keys generated on that website could be > compromised: > - If any third-party JS were compromised (and we know ho

Re: Trustico code injection

2018-03-01 Thread RS Tyler Schroder via dev-security-policy
On Thursday, March 1, 2018 at 12:59:17 PM UTC-5, Matthew Hardeman wrote: > By this point, one would imagine that reputational risks would prevent any > CA from working with Trustico. > > On Thu, Mar 1, 2018 at 11:56 AM, Hector Martin 'marcan' via > dev-security-policy wrote: > > > On 2018-03-02