...@sleevi.com]
> *Sent:* Monday, January 15, 2018 4:56 PM
> *To:* Doug Beattie
> *Cc:* r...@sleevi.com; mozilla-dev-security-pol...@lists.mozilla.org;
> Gervase Markham ; Wayne Thayer
> *Subject:* Re: Possible Issue with Domain Validation Method 9 in a shared
> hosting environm
...@sleevi.com]
Sent: Monday, January 15, 2018 4:56 PM
To: Doug Beattie
Cc: r...@sleevi.com; mozilla-dev-security-pol...@lists.mozilla.org; Gervase
Markham ; Wayne Thayer
Subject: Re: Possible Issue with Domain Validation Method 9 in a shared hosting
environment
As suggested, we encourage you to
On Mon, Jan 15, 2018 at 4:54 PM, Eric Mill wrote:
> I can only go on what's on the public list, but if it is as it appears and
> GS proactively researched their offering, identified a similar weakness via
> a separate BR method, and voluntarily turned off their implementation right
> away, that i
yne Thayer
> *Subject:* Re: Possible Issue with Domain Validation Method 9 in a shared
> hosting environment
>
> On Mon, Jan 15, 2018 at 3:36 PM, Doug Beattie via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>
On Mon, Jan 15, 2018 at 4:22 PM, Ryan Sleevi wrote:
>
>
> On Mon, Jan 15, 2018 at 4:11 PM, Eric Mill via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> That said, GlobalSign's offer to cut certificate lifetimes down to X
>> months
>> during the short-term, and to make
From: Ryan Sleevi [mailto:r...@sleevi.com]
Sent: Monday, January 15, 2018 4:14 PM
To: Doug Beattie
Cc: r...@sleevi.com; mozilla-dev-security-pol...@lists.mozilla.org; Gervase
Markham ; Wayne Thayer
Subject: Re: Possible Issue with Domain Validation Method 9 in a shared hosting
environment
On Mon, Jan 15, 2018 at 4:11 PM, Eric Mill via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> That said, GlobalSign's offer to cut certificate lifetimes down to X months
> during the short-term, and to make sure OneClick is disabled within Y
> months from now, seems like a r
On Mon, Jan 15, 2018 at 3:36 PM, Doug Beattie via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Ryan,
>
> I’m not sure where we go from here.
As suggested, we encourage you to work on devising technical mitigations or
alternative methods of validating such certificates th
On Mon, Jan 15, 2018 at 2:30 PM, Ryan Sleevi via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Mon, Jan 15, 2018 at 1:18 PM, Doug Beattie >
> wrote:
>
> >
> > - The potential risk in maintaining this whitelist, given both the
> > statements provided by plans to move to
> -Original Message-
> From: Nick Lamb [mailto:n...@tlrmx.org]
> Sent: Monday, January 15, 2018 2:39 PM
>
> > - Total number of active OneClick customers: < 10
>
> What constitutes a OneClick customer in this sense?
These are web hosting companies that receive certificates for t
, January 15, 2018 2:31 PM
To: Doug Beattie
Cc: r...@sleevi.com; Wayne Thayer ; Gervase Markham
; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Possible Issue with Domain Validation Method 9 in a shared hosting
environment
On Mon, Jan 15, 2018 at 1:18 PM, Doug Beattie
On Mon, 15 Jan 2018 18:18:10 +
Doug Beattie via dev-security-policy
wrote:
> - Total number of active OneClick customers: < 10
What constitutes a OneClick customer in this sense?
The focus of concern for tls-sni-01 was service providers who present
an HTTPS endpoint for many indepe
.com; mozilla-dev-security-policy@
> lists.mozilla.org
> *Subject:* Re: Possible Issue with Domain Validation Method 9 in a shared
> hosting environment
>
> (Wearing a Google Hat)
>
> Doug,
>
> Thanks for sharing additional details. On the basis of what you
From: Ryan Sleevi [mailto:r...@sleevi.com]
Sent: Friday, January 12, 2018 5:53 PM
To: Doug Beattie
Cc: Wayne Thayer ; Gervase Markham ;
r...@sleevi.com; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Possible Issue with Domain Validation Method 9 in a shared hosting
environment
Sleevi,
Valid point, no intention to confuse, I have no current affiliation with
GlobalSign, though I once did.
The documentation that described the protocol seems to no longer be online,
the behavior is observable and has been discussed in the validation working
group within the CABFORUM so it i
On Sat, Jan 13, 2018 at 8:46 PM, Ryan Hurst via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Friday, January 12, 2018 at 6:10:00 PM UTC-8, Matt Palmer wrote:
> > On Fri, Jan 12, 2018 at 02:52:54PM +, Doug Beattie via
> dev-security-policy wrote:
> > > I’d like to fo
On Friday, January 12, 2018 at 6:10:00 PM UTC-8, Matt Palmer wrote:
> On Fri, Jan 12, 2018 at 02:52:54PM +, Doug Beattie via
> dev-security-policy wrote:
> > I’d like to follow up on our investigation and provide the community with
> > some more information about how we use Method 9.
> >
> >
On Fri, Jan 12, 2018 at 02:52:54PM +, Doug Beattie via dev-security-policy
wrote:
> I’d like to follow up on our investigation and provide the community with
> some more information about how we use Method 9.
>
> 1) Client requests a test certificate for a domain (only one FQDN)
Does t
On Fri, Jan 12, 2018 at 4:24 PM, Doug Beattie
wrote:
> Wayne,
>
> We didn’t really investigate wildcard issuance yet, but we can.
>
> Given the discussion so far, we’re planning to proceed with a whitelisting
> approach tomorrow and we will plan to end the use of Method 9 (schedule
> TBD) wh
...@lists.mozilla.org
Subject: Re: Possible Issue with Domain Validation Method 9 in a shared hosting
environment
On Fri, Jan 12, 2018 at 11:21 AM, Doug Beattie
mailto:doug.beat...@globalsign.com>> wrote:
Normally a web hosting provider should not let you set SNI for a domain someone
else is
On Fri, Jan 12, 2018 at 11:21 AM, Doug Beattie
wrote:
>
>
> Normally a web hosting provider should not let you set SNI for a domain
> someone else is using, especially on that IP address. I think this is
> where method 9 deviates from method 10.
>
>
>
I agree, it seems somewhat less likely that
Wayne and Gerv,
I’ll try to answer both of your questions here.
From: Wayne Thayer [mailto:wtha...@mozilla.com]
Sent: Friday, January 12, 2018 11:03 AM
To: Doug Beattie
Cc: r...@sleevi.com; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Possible Issue with Domain Validation Method 9
On 12/01/18 14:52, Doug Beattie wrote:
> For shared IP address environments, it may be possible to receive a
> certificate for a domain you don’t actually control, but a number of
> things need to happen in order for this to be successful. What can
> go wrong?
Doug: what do you see as the exact d
Doug,
I have some questions:
>
> c.The hosting company must allow you to manually create and upload
> a CSR for a site you don’t own
>
> Did you mean to say 'certificate' here instead of 'CSR'?
d. The user must be able to trick the hosting provider to enable SNI
> for this domain a
Subject: Re: Possible Issue with Domain Validation Method 9 in a shared hosting
environment
On Thu, Jan 11, 2018 at 4:50 PM, Doug Beattie via dev-security-policy
mailto:dev-security-policy@lists.mozilla.org>>
wrote:
Based on reported issues with TLS-SNI-01, we started investigation
On Thu, Jan 11, 2018 at 4:50 PM, Doug Beattie via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> Based on reported issues with TLS-SNI-01, we started investigation of our
> systems late yesterday regarding the use of "Test Certificate" validation,
> BR section 3.2.2.4.9.