Re: CA-issued certificates for publicly-available private keys VU#553544

2019-04-04 Thread Wayne Thayer via dev-security-policy
On Thu, Apr 4, 2019 at 7:57 AM CERT Coordination Center wrote: > Thanks Rob! > > Actually, as I look at one of these cases: > > https://crt.sh/?spkisha256=8628d8106b72c39d98e8e731fc3b9364940efea0dfbb4816b1382542a979c834 > > The latest certificate using the above key expires in just a few days. >

Re: CA-issued certificates for publicly-available private keys VU#553544

2019-04-04 Thread CERT Coordination Center via dev-security-policy
Thanks Rob! Actually, as I look at one of these cases: https://crt.sh/?spkisha256=8628d8106b72c39d98e8e731fc3b9364940efea0dfbb4816b1382542a979c834 The latest certificate using the above key expires in just a few days. But you can see the track record of the same private key being used repeatedly

Re: CA-issued certificates for publicly-available private keys VU#553544

2019-04-04 Thread Rob Stradling via dev-security-policy
I've just created a batch for this second list on the Revocation Tracker: https://misissued.com/batch/49/ On 03/04/2019 15:50, CERT Coordination Center wrote: > Hi Wayne, > > Sorry about the delay in getting back to you. This first round of CA > notifications went out at approximately 10AM

Re: CA-issued certificates for publicly-available private keys VU#553544

2019-04-03 Thread CERT Coordination Center via dev-security-policy
Hi Wayne, Sorry about the delay in getting back to you. This first round of CA notifications went out at approximately 10AM Eastern time on March 25, 2019. I just sent out a new set of notifications. This time the notifications were limited to only currently-valid certificates, as expired-cert

RE: CA-issued certificates for publicly-available private keys VU#553544

2019-03-26 Thread Tim Shirley via dev-security-policy
, 2019 8:44 PM To: Rob Stradling Cc: dev-security-policy@lists.mozilla.org; CERT Coordination Center Subject: Re: CA-issued certificates for publicly-available private keys VU#553544 Thank you for the report Will and for the tracking info Rob. It appears that all but one of these certificates

Re: CA-issued certificates for publicly-available private keys VU#553544

2019-03-25 Thread Wayne Thayer via dev-security-policy
Thank you for the report Will and for the tracking info Rob. It appears that all but one of these certificates is currently revoked, but roughly 5 more weren't revoked until earlier today, which I assume was more than 24 hours since they were reported to the CA. Will: can you share an

Re: CA-issued certificates for publicly-available private keys VU#553544

2019-03-25 Thread Rob Stradling via dev-security-policy
I've just created a batch for this list on the Revocation Tracker: https://misissued.com/batch/47/ On 22/03/2019 19:05, CERT Coordination Center via dev-security-policy wrote: > Hi folks, > > I'm sharing this information with this list per suggestion of Hanno > Böck. Some time ago we started

CA-issued certificates for publicly-available private keys VU#553544

2019-03-22 Thread CERT Coordination Center via dev-security-policy
Hi folks, I'm sharing this information with this list per suggestion of Hanno Böck. Some time ago we started looking at private keys that are included with Android apps that are publicly available in the Google Play store. Some subset of these keys have been used to obtain certificates from CAs