See also: https://bugzilla.mozilla.org/show_bug.cgi?id=435013
On 06/09/16 18:55, Paul Wouters wrote:
> On Tue, 6 Sep 2016, Kyle Hamilton wrote:
>
>>> That seems unlikely to me (in that browsers don't really keep a server
>>> cert database).
>>
>> Has that changed? I talked with Dan Veditz (at Mo
Kyle,
It is one thing to say NSS doesn't let you have multiple certificates with the
same issuer and serial, which is factually true, but it's another to suggest
this means it pins as you described, which is incorrect speculation.
I appreciate your attention to detail citing X.509, but let's n
On 9/4/2016 02:04, Eddy Nigg wrote:
> On 09/02/2016 07:02 PM, Nick Lamb wrote:
>> On Friday, 2 September 2016 08:50:02 UTC+1, Eddy Nigg wrote:
>>> Let's speak about relying parties - how does this bug affect you?
>> As a relying party I am entitled to assume that there is no more than
>> one cert
On Tue, 6 Sep 2016, Kyle Hamilton wrote:
That seems unlikely to me (in that browsers don't really keep a server
cert database).
Has that changed? I talked with Dan Veditz (at Mozilla) around 5 years
ago regarding the fact that NSS had told me of duplicate serial numbers
being issued by a sing
On 9/6/2016 04:59, Ben Laurie wrote:
> On 1 September 2016 at 11:29, Peter Gutmann wrote:
>> Rob Stradling writes:
>>
I guess it makes them easy to revoke, if a single revocation can kill 313
certs at once.
>>> That's true.
>> Hey, WoSign has solved the CRL scalability problem!
>>
>>>
On Sun, Sep 04, 2016 at 12:04:21PM +0300, Eddy Nigg wrote:
> On 09/02/2016 07:02 PM, Nick Lamb wrote:
> > On Friday, 2 September 2016 08:50:02 UTC+1, Eddy Nigg wrote:
> > > Let's speak about relying parties - how does this bug affect you?
> > As a relying party I am entitled to assume that there is
On 09/02/2016 07:02 PM, Nick Lamb wrote:
On Friday, 2 September 2016 08:50:02 UTC+1, Eddy Nigg wrote:
Let's speak about relying parties - how does this bug affect you?
As a relying party I am entitled to assume that there is no more than one
certificate signed by a particular issuer with a cer
On Friday, 2 September 2016 08:50:02 UTC+1, Eddy Nigg wrote:
> Let's speak about relying parties - how does this bug affect you?
As a relying party I am entitled to assume that there is no more than one
certificate signed by a particular issuer with a certain serial number. If I
have seen this c
On 09/02/2016 09:38 AM, Jakob Bohm wrote:
4. Violations that are purely technical but cannot actually endanger
relying parties (such as issuing non-unique certificates to the correct
entities, or issuing certificates with too early expiry dates). This
would be the case with the StartCom serial nu
On 09/01/2016 01:29 PM, Peter Gutmann wrote:
I also get the feeling that a lot of PKI software won't handle the revocation
properly, because they're expecting to revoke *the* certificate, not the
certificate, and the other certificate, and that other one there too, and that
one in the corner, and
On 09/01/2016 11:52 AM, Nick Lamb wrote:
On Thursday, 1 September 2016 08:54:16 UTC+1, Eddy Nigg wrote:
Not so, rather according to my assessment, the cost and everything it
entailed (including other risks) to fix that particular issue outweighed
the benefits for having it fixed within a time-f
On 01/09/2016 10:52, Nick Lamb wrote:
On Thursday, 1 September 2016 08:54:16 UTC+1, Eddy Nigg wrote:
Not so, rather according to my assessment, the cost and everything it
entailed (including other risks) to fix that particular issue outweighed
the benefits for having it fixed within a time-fram
The ballot on this started today
> On Sep 1, 2016, at 7:21 AM, Kurt Roeckx wrote:
>
>> On 2016-09-01 14:21, Matt Palmer wrote:
>>> On Thu, Sep 01, 2016 at 10:53:36AM +0300, Eddy Nigg wrote:
On 09/01/2016 04:20 AM, Matt Palmer wrote:
You were knowingly violating a MUST provision of RFC5
On 2016-09-01 14:21, Matt Palmer wrote:
On Thu, Sep 01, 2016 at 10:53:36AM +0300, Eddy Nigg wrote:
On 09/01/2016 04:20 AM, Matt Palmer wrote:
You were knowingly violating a MUST provision of RFC5280.
From experience there have been many RFC violations, sometimes even
knowingly and intentional
On Thu, Sep 1, 2016 at 6:35 AM, Rob Stradling wrote:
> On 01/09/16 11:29, Peter Gutmann wrote:
>
>> Rob Stradling writes:
>>
>> I guess it makes them easy to revoke, if a single revocation can kill 313
certs at once.
>>>
>>> That's true.
>>>
>>
>> Hey, WoSign has solved the CRL scalabi
On Thu, Sep 01, 2016 at 10:53:36AM +0300, Eddy Nigg wrote:
> On 09/01/2016 04:20 AM, Matt Palmer wrote:
> >You were knowingly violating a MUST provision of RFC5280.
>
> From experience there have been many RFC violations, sometimes even
> knowingly and intentionally by software vendors (browsers),
On 01/09/16 11:29, Peter Gutmann wrote:
Rob Stradling writes:
I guess it makes them easy to revoke, if a single revocation can kill 313
certs at once.
That's true.
Hey, WoSign has solved the CRL scalability problem!
If WoSign have discovered a way to know, at time of issuance, that a
ce
Rob Stradling writes:
>>I guess it makes them easy to revoke, if a single revocation can kill 313
>>certs at once.
>
>That's true.
Hey, WoSign has solved the CRL scalability problem!
>It'd be impossible to revoke (via CRL and/or OCSP) a subset of those 313
>certs though.
I also get the feeli
On 01/09/16 11:18, Peter Gutmann wrote:
Rob Stradling writes:
https://crt.sh/?serial=056d1570da645bf6b44c0a7077cc6769&iCAID=1662 says
"Not Revoked" three times. I wonder if that's causing some confusion here.
Just to make sure I'm not misreading this in some way, is this really saying
there
Rob Stradling writes:
>https://crt.sh/?serial=056d1570da645bf6b44c0a7077cc6769&iCAID=1662 says
>"Not Revoked" three times. I wonder if that's causing some confusion here.
Just to make sure I'm not misreading this in some way, is this really saying
there are 313 certs issued all with the same se
-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On
Behalf Of Patrick T
Sent: Thursday, September 1, 2016 5:07 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Reuse of serial numbers by StartCom
On We
Subject: Re: Reuse of serial numbers by StartCom
On Wednesday, 31 August 2016 17:57:41 UTC+1, Eddy Nigg wrote:
> On 08/31/2016 03:19 PM, Matt Palmer wrote:
> > That bug appears to pre-date *all* of the certificates listed above.
> > Further, the last c
On Wednesday, 31 August 2016 17:57:41 UTC+1, Eddy Nigg wrote:
> On 08/31/2016 03:19 PM, Matt Palmer wrote:
> > That bug appears to pre-date *all* of the certificates listed above.
> > Further, the last communication on that bug (2014-09-22), from Eddy
> > Nigg (of StartCom), said:
> >> It's a ha
On Thursday, 1 September 2016 08:54:16 UTC+1, Eddy Nigg wrote:
> Not so, rather according to my assessment, the cost and everything it
> entailed (including other risks) to fix that particular issue outweighed
> the benefits for having it fixed within a time-frame shorter than that.
It seems to
On 09/01/2016 04:20 AM, Matt Palmer wrote:
That sounds an awful lot like "we can't fix our own systems", which is
a... terrifying thought.
Not so, rather according to my assessment, the cost and everything it
entailed (including other risks) to fix that particular issue outweighed
the benefi
On Wed, Aug 31, 2016 at 07:57:02PM +0300, Eddy Nigg wrote:
> On 08/31/2016 03:19 PM, Matt Palmer wrote:
> >That bug appears to pre-date *all* of the certificates listed above.
> >Further, the last communication on that bug (2014-09-22), from Eddy Nigg
> >(of StartCom), said:
> >>It's a hard and sof
On 08/31/2016 03:19 PM, Matt Palmer wrote:
That bug appears to pre-date *all* of the certificates listed above.
Further, the last communication on that bug (2014-09-22), from Eddy
Nigg (of StartCom), said:
It's a hard and software related capacity issue of the queue managing the
certificates an
On Wed, Aug 31, 2016 at 09:29:20AM +0200, Kurt Roeckx wrote:
> On 2016-08-31 04:56, Peter Bowen wrote:
> >In reviewing the Certificate Transparency logs, I noticed that StartCom
> >has issued multiple certificates with identical serial numbers and
> >identical issuer names.
> >
> >https://crt.sh/?se
On 2016-08-31 04:56, Peter Bowen wrote:
In reviewing the Certificate Transparency logs, I noticed that StartCom
has issued multiple certificates with identical serial numbers and
identical issuer names.
https://crt.sh/?serial=14DCA8 (2014-12-07)
https://crt.sh/?serial=04FF5D653668DB (2015-01-05)
On 08/31/2016 05:56 AM, Peter Bowen wrote:
In reviewing the Certificate Transparency logs, I noticed that StartCom
has issued multiple certificates with identical serial numbers and
identical issuer names.
https://crt.sh/?serial=14DCA8 (2014-12-07)
https://crt.sh/?serial=04FF5D653668DB (2015-01-0