I updated https://bugzilla.mozilla.org/show_bug.cgi?id=1299579#c9
with:
""
... here is the approach that we plan to take:
We will add the "Hongkong Post e-Cert CA 1 - 10" intermediate cert to OneCRL at
the end of October.
Please replace all of the SSL certs chaining up to this intermediate cert
On Thu, Sep 01, 2016 at 07:48:23PM +0800, Man Ho (Certizen) wrote:
>
> On 9/1/2016 6:13 PM, Matt Palmer wrote:
> > You might want to let them know it's time to get new certs.
> >
> > - Matt
> We did inform all subscribers back in October 2014 that SHA-1 SSL server
> cert was CEASED since 1
On Thursday, 1 September 2016 12:48:34 UTC+1, Man Ho (Certizen) wrote:
> We did inform all subscribers back in October 2014 that SHA-1 SSL server
> cert was CEASED since 1 January 2016, and reminded each of them
> individually that SHA-1 SSL server cert will no longer be trusted by
> browsers
On 9/1/2016 6:13 PM, Matt Palmer wrote:
> You might want to let them know it's time to get new certs.
>
> - Matt
We did inform all subscribers back in October 2014 that SHA-1 SSL server
cert was CEASED since 1 January 2016, and reminded each of them
individually that SHA-1 SSL server cert will no
On Thu, Sep 01, 2016 at 10:14:01AM +0800, Man Ho (Certizen) wrote:
> What about our existing SSL server certs, which are still valid until 31
> Dec 2016? Majority of those cert. subscribers are offering government
> and public services to residents of Hong Kong.
You might want to let them know
On 9/1/2016 3:52 AM, Nick Lamb wrote:
> It may make sense to explicitly tell Hongkong Post that it must not do
> anything which would have the effect of subverting/ undoing this change. For
> example, if Hongkong Post wants to create a new certificate for the
> intermediate "Hongkong Post
What about our existing SSL server certs, which are still valid until 31
Dec 2016? Majority of those cert. subscribers are offering government
and public services to residents of Hong Kong. And I believe the impact
to residents of Hong Kong will be huge when the browser suddenly prompts
a warning
On Wednesday, 31 August 2016 19:32:43 UTC+1, Kathleen Wilson wrote:
> Thanks to all of you who have provided thoughtful and constructive input into
> this discussion.
>
> I have filed https://bugzilla.mozilla.org/show_bug.cgi?id=1299579 to request
> that the "Hongkong Post e-Cert CA 1 - 10"
Thanks to all of you who have provided thoughtful and constructive input into
this discussion.
I have filed https://bugzilla.mozilla.org/show_bug.cgi?id=1299579 to request
that the "Hongkong Post e-Cert CA 1 - 10" intermediate cert be added to OneCRL.
See the bug for further details.
Kathleen
I checked the certificate that it is a client certificate issued the personal
-- PANG Ming Sum:
CN = PANG Ming Sum
E = todd.p...@autotoll.com.hk
OU = AUTOTOLL LIMITED
OU = 21506338215100635386
OU = 0001890584
O = Hongkong Post e-Cert (Organisational)
C = HK
The problem is this certificate
On Wed, 17 Aug 2016 11:43:45 -0700 (PDT)
cspann...@gmail.com wrote:
> On Wednesday, August 17, 2016 at 10:31:29 AM UTC-7, Andrew Ayer wrote:
> > The attacker has to be able to control (or predict) the prefix of
> > the data signed by the CA (which in the case of a TBSCertificate,
> > includes the
On Wed, 17 Aug 2016 19:08:08 +0200
Kurt Roeckx wrote:
> On Wed, Aug 17, 2016 at 09:55:24AM -0700, Ryan Sleevi wrote:
> > > I don't think adding that CA certificate to OneCRL is enough,
> > > that would only protect Mozilla users. They should revoke all
> > > the relevant
On Wed, Aug 17, 2016 at 09:55:24AM -0700, Ryan Sleevi wrote:
> > I don't think adding that CA certificate to OneCRL is enough, that would
> > only protect Mozilla users. They should revoke all the relevant
> > certificates.
>
> Define "relevant"? If a SHA-1 collision has been mounted, Hongkong
On Wednesday, August 17, 2016 at 2:53:38 AM UTC-7, ma...@certizen.com wrote:
> Through our effort of sunsetting the "Hongkong Post e-Cert CA 1 - 10" for SSL
> certificate, majority of SHA-1 SSL certificates will be expired by 31 Dec
> 2016, remaining only a few SHA-1 SSL certificates that are
On Wednesday, 17 August 2016 04:24:27 UTC+1, Ryan Sleevi wrote:
> That option's pretty much a non-starter for reasons best not speculated about,
> but I'm curious: Why or how would that improve the security of Mozilla users?
> And if it doesn't meaningfully improve their security, how would it
On Wednesday, August 17, 2016 at 3:02:26 PM UTC+8, Matt Palmer wrote:
> On Tue, Aug 16, 2016 at 10:22:36PM -0700, ma...@certizen.com wrote:
> > and have been issuing SHA-256 SSL certificates under "Hongkong Post e-Cert
> > CA 1- 14" and "Hongkong Post e-Cert CA 1 - 15" respectively
>
>
On Wed, Aug 17, 2016 at 10:22:13AM +0200, Kurt Roeckx wrote:
> On 2016-08-17 00:23, Ryan Sleevi wrote:
> >Practically speaking, what steps could be taken?
>
> 6) Ask them to immediately stop issuing SHA-1 based certificates that chain
> back to any of the root certificates in the Mozilla root
On 2016-08-17 00:23, Ryan Sleevi wrote:
> Practically speaking, what steps could be taken?
6) Ask them to immediately stop issuing SHA-1 based certificates that
chain back to any of the root certificates in the Mozilla root store,
and revoke the one they shouldn't have issued. If they fail to
On Tue, Aug 16, 2016 at 10:22:36PM -0700, ma...@certizen.com wrote:
> and have been issuing SHA-256 SSL certificates under "Hongkong Post e-Cert
> CA 1- 14" and "Hongkong Post e-Cert CA 1 - 15" respectively
"respectively" in what sense?
> This certificate is a client certificate issued to a
On Tuesday, August 16, 2016 at 11:53:24 AM UTC-7, Kathleen Wilson wrote:
> Our understanding: "The real problem here is that the issuing
> certificate is using sha-1 with predictable serial numbers. ... If a
> chosen-prefix attack on sha-1 were discovered... an attacker could use
> this CA to