On Fri, 16 Feb 2018 11:28:41 +
Arkadiusz Ławniczak via dev-security-policy
wrote:
> The issue was caused by incorrect calculation of the SHA1
> fingerprint of the public key. Public key hashes stored in Certum's
> database were calculated from the
Hello ALL
Please find our incident report below.
1. How your CA first became aware of the problem and the time and date.
1) 3 February 2018, 12:06 CET - Certum receives the message from
ha...@hboeck.de to rev...@certum.pl.
2. A timeline of the actions CERTUM took in
On 6/02/2018 17:10, Ryan Sleevi wrote:
The BRs actually seem to allow this, which at least looks like a bug in
the BRs to me.
It is allowed, and it's not a bug. It's specifically called out in 3.2.2 of
the BRs.
It seems that under 3.2.2.3 (b) they can just copy the ccTLD from the
domain
On Tue, Feb 6, 2018 at 10:48 AM, Kurt Roeckx via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On 5/02/2018 17:08, Hanno Böck wrote:
>
>> https://crt.sh/?id=308392091=ocsp
>>
>
> It has:
> Subject:
> commonName= ftp.gavdi.pl
>
On 5/02/2018 17:08, Hanno Böck wrote:
https://crt.sh/?id=308392091=ocsp
It has:
Subject:
commonName= ftp.gavdi.pl
countryName = PL
This looks like a combination that's not allowed. Either it's domain
validated, in which case it should
On Mon, Feb 5, 2018 at 4:33 PM, Alex Cohn via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> I logged two of those five certificates (https://crt.sh/?id=308392091
> and https://crt.sh/?id=307753186) to Argon, as part of a project to
> log every certificate in the censys.io
I logged two of those five certificates (https://crt.sh/?id=308392091
and https://crt.sh/?id=307753186) to Argon, as part of a project to
log every certificate in the censys.io database to a public CT log. I
believe Censys found them by scanning all of IPv4 and grabbing the
default (i.e. no SNI)
On Mon, 5 Feb 2018 12:07:06 -0500
Eric Mill via dev-security-policy
wrote:
> WoSign and StartCom are untrusted, but Certum is still trusted, right?
Yes.
In case that was unclear: The sentence "As we all know these are no
longer trusted by Mozilla, ..."
I have filed https://bugzilla.mozilla.org/show_bug.cgi?id=1435770
requesting an incident report from Certum.
On Mon, Feb 5, 2018 at 10:07 AM, Eric Mill via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> WoSign and StartCom are untrusted, but Certum is still trusted, right?
WoSign and StartCom are untrusted, but Certum is still trusted, right?
On Mon, Feb 5, 2018 at 11:08 AM, Hanno Böck via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Hi,
>
> I searched crt.sh for valid certificates vulnerable to the 2008 Debian
> weak key bug. (Only 2048
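The check Hanno describes, testing a certificate's RSA public key against the 2008 Debian weak-key blacklist, as an added example that is not part of any message on this page. It assumes the openssl-blacklist convention as I recall it from openssl-vulnkey: SHA1 over the exact text `openssl rsa -noout -modulus` prints (`Modulus=<HEX>\n`), with only the last 20 hex digits kept in the blacklist file. The modulus and the blacklist below are constructed so the code runs offline; no real weak key is embedded. The DER-based fingerprint is a hypothetical stand-in for "hashing a different encoding of the same key", which is the kind of mistake that silently turns a blacklist check into a no-op (the thread says Certum's stored hashes were computed incorrectly, but the snippet does not say over what).

```python
import hashlib

# Constructed sample key material: a 512-bit-sized odd modulus and the usual
# exponent. It is not a real key and not a Debian-weak key; it only exercises
# the code paths below.
SAMPLE_MODULUS = int(
    "C0FFEE0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789"
    "ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456781", 16)
SAMPLE_EXPONENT = 65537


def openssl_blacklist_fingerprint(modulus: int) -> str:
    """Fingerprint in the form the openssl-blacklist files use.

    Assumption (my recollection of openssl-vulnkey): SHA1 of the literal
    line "Modulus=<UPPERCASE HEX>\\n", keeping only the last 20 hex digits.
    OpenSSL prints whole bytes, so the hex string is padded to even length.
    """
    hex_mod = "%X" % modulus
    if len(hex_mod) % 2:
        hex_mod = "0" + hex_mod
    line = ("Modulus=%s\n" % hex_mod).encode("ascii")
    return hashlib.sha1(line).hexdigest()[-20:]


def _der_length(n: int) -> bytes:
    # DER length: short form below 0x80, otherwise 0x80|count then big-endian bytes.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    # Minimal big-endian encoding; a leading 0x00 keeps positive values positive.
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def rsa_public_key_der(n: int, e: int) -> bytes:
    # PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    inner = der_integer(n) + der_integer(e)
    return b"\x30" + _der_length(len(inner)) + inner


def der_key_fingerprint(n: int, e: int) -> str:
    # Hypothetical "wrong input": SHA1 over the DER structure instead of the
    # modulus text. Same key, completely different digest.
    return hashlib.sha1(rsa_public_key_der(n, e)).hexdigest()


def load_blacklist(text: str) -> set:
    """Parse a blacklist file: one lowercase 20-hex-digit entry per line, '#' comments."""
    entries = set()
    for raw in text.splitlines():
        line = raw.strip().lower()
        if line and not line.startswith("#"):
            entries.add(line)
    return entries


def is_debian_weak(modulus: int, blacklist: set) -> bool:
    return openssl_blacklist_fingerprint(modulus) in blacklist


# Constructed blacklist containing just the sample key's fingerprint.
SAMPLE_BLACKLIST = (
    "# constructed for this example, not the real blacklist.RSA-2048\n"
    + openssl_blacklist_fingerprint(SAMPLE_MODULUS) + "\n"
)


def check_sample() -> dict:
    """Run the check both ways and report whether each lookup hits the list."""
    blacklist = load_blacklist(SAMPLE_BLACKLIST)
    return {
        "modulus_text_hash_hits": is_debian_weak(SAMPLE_MODULUS, blacklist),
        "der_hash_hits": der_key_fingerprint(
            SAMPLE_MODULUS, SAMPLE_EXPONENT)[-20:] in blacklist,
    }


if __name__ == "__main__":
    for name, hit in check_sample().items():
        print("%s: %s" % (name, hit))
```

The design point is that the lookup key must be derived exactly the way the list was built. Hashing the DER of the same key, or hashing with a different padding or case, produces a digest that is never in the file, so every check passes and weak keys get issued. A CA running such a filter should periodically feed it a known-weak key from the published test vectors and confirm it is rejected.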