RE: AlwaysOnSSL web security issues

2019-01-16 Thread Tim Hollebeek via dev-security-policy
0, 2019 4:47 PM > To: Wayne Thayer > Cc: Alex Cohn ; Alex Gaynor ; > mozilla-dev-security-pol...@lists.mozilla.org; Buschart, Rufus > ; Hanno Böck > Subject: RE: AlwaysOnSSL web security issues > > Yes – we will do so. We’ve encouraged all customers to not generate ke

RE: AlwaysOnSSL web security issues

2019-01-10 Thread Jeremy Rowley via dev-security-policy
Böck ; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: AlwaysOnSSL web security issues Thanks Jeremy. The fact that CertCenter is just a reseller and not an RA was not obvious to me. To your point, building an insecure website on top of a CA's API does not strike me as something

Re: AlwaysOnSSL web security issues

2019-01-10 Thread Wayne Thayer via dev-security-policy
To: Buschart, Rufus > Cc: Alex Cohn ; > mozilla-dev-security-pol...@lists.mozilla.org; Hanno Böck > > Subject: Re: AlwaysOnSSL web security issues > > The Mozilla policy does not prohibit backdating, except when it's used to > evade time-based policy controls. > > Back

Re: AlwaysOnSSL web security issues

2019-01-10 Thread Jakob Bohm via dev-security-policy
On 10/01/2019 19:00, Jeremy Rowley wrote: > A couple of thoughts: > 1) CertCenter is not a CA or RA. They have a custom named ICA that is hosted > and operated by DigiCert. All validation, issuance, and linting is performed > by DigiCert prior to issuance. > 2) Lots of cert customers have

RE: AlwaysOnSSL web security issues

2019-01-10 Thread Jeremy Rowley via dev-security-policy
Cohn ; mozilla-dev-security-pol...@lists.mozilla.org; Hanno Böck Subject: Re: AlwaysOnSSL web security issues The Mozilla policy does not prohibit backdating, except when it's used to evade time-based policy controls. Backdating certs by a few hours is a relatively common practice to minimize

Re: AlwaysOnSSL web security issues

2019-01-10 Thread Alex Gaynor via dev-security-policy
The Mozilla policy does not prohibit backdating, except when it's used to evade time-based policy controls. Backdating certs by a few hours is a relatively common practice to minimize breakages for consumers with busted clocks. Alex On Thu, Jan 10, 2019 at 4:43 AM Buschart, Rufus via

Re: AlwaysOnSSL web security issues

2019-01-10 Thread Buschart, Rufus via dev-security-policy
The certificate [1] seems also to be 'back-dated' by about 18 hours. What is Mozilla's opinion about this in the light of https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Backdating_the_notBefore_Date ? > It appears AlwaysOnSSL is not completely disabled - if we trust CT as a >

Re: AlwaysOnSSL web security issues

2019-01-09 Thread Alex Cohn via dev-security-policy
Hi, It appears AlwaysOnSSL is not completely disabled - if we trust CT as a timestamping service, [1] was issued after Hanno's email. I believe AlwaysOnSSL has at least two separate paths to issuance - in addition to the website, there's also an API on CertCenter's website. [2] While reading the
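Two messages above rest on the same measurement: Rufus Buschart estimates the certificate's notBefore is about 18 hours early, and Alex Cohn dates issuance from the CT log rather than from the certificate itself. The following is an added example, not code from the thread, CertCenter or DigiCert, of how to make that measurement offline: it parses the SignedCertificateTimestampList that a CA embeds in the 1.3.6.1.4.1.11129.2.4.2 extension (layout per RFC 6962 section 3.2, timestamps in milliseconds since the Unix epoch), takes the earliest SCT as the latest moment the certificate can have been issued, and reports how far notBefore precedes it. The certificate, the log IDs and the two-hour tolerance are constructed assumptions; the real certificate from the thread is not reproduced here. The caveat a reviewer should keep in mind: an SCT only proves the certificate existed by its timestamp, so the skew is an upper bound on backdating, not proof of it, and only to the extent one trusts the log's clock.

```python
"""Bound notBefore backdating using embedded SCT timestamps (RFC 6962)."""
from __future__ import annotations

import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def _ms_to_dt(ms: int) -> datetime:
    # SCT timestamps are uint64 milliseconds since the Unix epoch (RFC 6962 s3.2).
    return EPOCH + timedelta(milliseconds=ms)


def parse_sct(sct: bytes) -> tuple[str, datetime]:
    """Return (log_id_hex, timestamp) from one SignedCertificateTimestamp.

    Layout: sct_version(1) | log_id(32) | timestamp(8) | extensions<2-byte len>
    | digitally-signed: hash_alg(1) sig_alg(1) sig_len(2) signature.
    The signature is NOT verified here; this only bounds the issuance time.
    """
    if len(sct) < 43:
        raise ValueError("SCT too short")
    if sct[0] != 0:
        raise ValueError(f"unsupported SCT version {sct[0]}")
    log_id = sct[1:33].hex()
    (ts_ms,) = struct.unpack(">Q", sct[33:41])
    (ext_len,) = struct.unpack(">H", sct[41:43])
    sig_off = 43 + ext_len
    if len(sct) < sig_off + 4:
        raise ValueError("SCT truncated in extensions/signature header")
    (sig_len,) = struct.unpack(">H", sct[sig_off + 2:sig_off + 4])
    if len(sct) != sig_off + 4 + sig_len:
        raise ValueError("SCT signature length mismatch")
    return log_id, _ms_to_dt(ts_ms)


def parse_sct_list(data: bytes) -> list[tuple[str, datetime]]:
    """Parse a SignedCertificateTimestampList: total_len(2) followed by
    2-byte length-prefixed SCTs. This is the OCTET STRING body of the
    precertificate SCT extension (OID 1.3.6.1.4.1.11129.2.4.2)."""
    if len(data) < 2:
        raise ValueError("SCT list too short")
    (total,) = struct.unpack(">H", data[:2])
    if total != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    out, pos = [], 2
    while pos < len(data):
        (n,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        out.append(parse_sct(data[pos:pos + n]))
        pos += n
    return out


def assess_backdating(not_before: datetime, sct_list: bytes,
                      tolerance_hours: float = 2.0) -> tuple[timedelta, bool]:
    """Return (skew, flagged). skew = earliest SCT time - notBefore, i.e. an
    upper bound on how far the CA backdated. tolerance_hours is an assumed
    local policy knob for the 'few hours for skewed clocks' practice, not a
    Mozilla requirement."""
    earliest = min(ts for _, ts in parse_sct_list(sct_list))
    skew = earliest - not_before
    return skew, skew > timedelta(hours=tolerance_hours)


# ---- constructed sample input: not a real certificate, log or SCT ----------
def build_sct(log_id: bytes, ts: datetime) -> bytes:
    """Encode a minimal SCT with an empty signature, purely as test data."""
    ms = int((ts - EPOCH) / timedelta(milliseconds=1))
    return (b"\x00" + log_id + struct.pack(">Q", ms)
            + b"\x00\x00"            # no extensions
            + b"\x04\x03\x00\x00")   # sha256/ecdsa, zero-length signature


def build_sct_list(scts: list[bytes]) -> bytes:
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body


SAMPLE_NOT_BEFORE = datetime(2019, 1, 9, 0, 0, tzinfo=timezone.utc)  # constructed
SAMPLE_SCT_LIST = build_sct_list([
    build_sct(b"\x11" * 32, datetime(2019, 1, 9, 18, 0, tzinfo=timezone.utc)),
    build_sct(b"\x22" * 32, datetime(2019, 1, 9, 18, 0, 5, tzinfo=timezone.utc)),
])

if __name__ == "__main__":
    skew, flagged = assess_backdating(SAMPLE_NOT_BEFORE, SAMPLE_SCT_LIST)
    print(f"notBefore precedes earliest SCT by {skew}; over tolerance: {flagged}")
```

On a real certificate the same arithmetic is quicker with the `cryptography` package: `cert.extensions.get_extension_for_oid(ExtensionOID.PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS).value` yields SCT objects whose `.timestamp` is already a UTC datetime, so only `assess_backdating` is needed; the hand parser above is there to show what the extension bytes actually contain.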

AlwaysOnSSL web security issues

2019-01-09 Thread Hanno Böck via dev-security-policy
Hi, AlwaysOnSSL was a free certificate authority operated by CertCenter. I recently noticed that their main webpage was gone, but pieces of the service were still online. I immediately found a few web security issues. I reported those to certcenter and digicert (which is the root CA their