Re: Certificate issued by D-TRUST SSL Class 3 CA 1 2009 with short SerialNumber

2017-08-17 Thread Alex Gaynor via dev-security-policy
Hi Arno, Tools like https://github.com/alex/ct-tools or https://github.com/grahamedgecombe/ct-submit can be used to manually submit specific certificates to CT logs. Alex On Thu, Aug 17, 2017 at 9:07 AM, Arno Fiedler via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Am

Re: Certificate issued by D-TRUST SSL Class 3 CA 1 2009 with short SerialNumber

2017-08-17 Thread Arno Fiedler via dev-security-policy
On Monday, 14 August 2017 18:44:59 UTC+2, Jonathan Rudenberg wrote: > Hi Arno and Martin, > > > On Aug 14, 2017, at 11:44, Arno Fiedler wrote: > > > > Dear Forum, > > > > since the 07-07-2017, all newly issued D-TRUST TLS-Certificates have at least > > 64 bits of

Re: Certificate issued by D-TRUST SSL Class 3 CA 1 2009 with short SerialNumber

2017-08-16 Thread Arno Fiedler via dev-security-policy
On Tuesday, 15 August 2017 16:21:03 UTC+2, Gervase Markham wrote: > On 14/08/17 16:44, Arno Fiedler wrote: > > fulfilled. On 20-07-17 Mozilla asked D-TRUST for clarification, due > > to the holiday period this message reached us on 07-08-17, AF > > answered on 08-08-17 > > I was going to

Re: Certificate issued by D-TRUST SSL Class 3 CA 1 2009 with short SerialNumber

2017-08-15 Thread Gervase Markham via dev-security-policy
On 14/08/17 16:44, Arno Fiedler wrote: > fulfilled. On 20-07-17 Mozilla asked D-TRUST for clarification, due > to the holiday period this message reached us on 07-08-17, AF > answered on 08-08-17 I was going to complain about this but, re-reviewing the CCADB Common Policy[0], it says:

Re: Certificate issued by D-TRUST SSL Class 3 CA 1 2009 with short SerialNumber

2017-08-14 Thread Eric Mill via dev-security-policy
Hi Arno, Martin, On Mon, Aug 14, 2017 at 11:37 AM, Arno Fiedler via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > As result we confirm to do the following steps and report about the > implementation latest until 15-09-2017 > • Contact all affected customers, inform

Re: Certificate issued by D-TRUST SSL Class 3 CA 1 2009 with short SerialNumber

2017-08-14 Thread Jonathan Rudenberg via dev-security-policy
Hi Arno and Martin, > On Aug 14, 2017, at 11:44, Arno Fiedler wrote: > > Dear Forum, > > since the 07-07-2017, all newly issued D-TRUST TLS-Certificates have at least > 64 bits of entropy in the serial number. > > Since 01-12-2016 D-TRUST TLS certificates requested

Re: Certificate issued by D-TRUST SSL Class 3 CA 1 2009 with short SerialNumber

2017-08-14 Thread Arno Fiedler via dev-security-policy
Dear Forum, since the 07-07-2017, all newly issued D-TRUST TLS-Certificates have at least 64 bits of entropy in the serial number. Since 01-12-2016 D-TRUST TLS certificates requested via our enterprise platform have a serial number which includes at least 64 bits of entropy. We informed the

Re: Certificate issued by D-TRUST SSL Class 3 CA 1 2009 with short SerialNumber

2017-08-14 Thread Arno Fiedler via dev-security-policy
Dear Forum, since the 07-07-2017, all newly issued D-TRUST TLS-Certificates have at least 64 bits of entropy in the serial number. Since 01-12-2016 D-TRUST TLS certificates requested via our enterprise platform have a serial number which includes at least 64 bits of entropy. We informed the

Re: Certificate issued by D-TRUST SSL Class 3 CA 1 2009 with short SerialNumber

2017-08-10 Thread Arno Fiedler via dev-security-policy
ity-pol...@lists.mozilla.org Subject: Re: Certificate issued by D-TRUST SSL Class 3 CA 1 2009 with short SerialNumber On Aug 8, 2017, at 08:58, Fiedler, Arno via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: Dear Mozilla Security Policy Community, Thanks for the advic

Re: Certificate issued by D-TRUST SSL Class 3 CA 1 2009 with short SerialNumber

2017-08-10 Thread Jonathan Rudenberg via dev-security-policy
> On Aug 10, 2017, at 07:55, Fiedler, Arno via dev-security-policy > wrote: > > Hello Jonathan, > > the certificate has 64 bits of entropy in the "DNqualifier" field instead of > the serial number field. > > Since 2012 we used this way of adding

Re: Certificate issued by D-TRUST SSL Class 3 CA 1 2009 with short SerialNumber

2017-08-10 Thread Ryan Sleevi via dev-security-policy
... or copying of this mail > is not permitted. If you have received this mail in error, > please inform us as soon as possible and delete the mail. > > > -Original Message- > From: Jonathan Rudenberg [mailto:jonat...@titanous.co

Re: Certificate issued by D-TRUST SSL Class 3 CA 1 2009 with short SerialNumber

2017-08-10 Thread Arno Fiedler via dev-security-policy
Hello Jonathan, this certificate has 64 bits of entropy in the "DNqualifier" field instead of the serial number field. Since 2012 we used this way of adding random bits to certificates to mitigate preimage attacks. From a security perspective the amount of entropy in the certificate should

Re: Certificate issued by D-TRUST SSL Class 3 CA 1 2009 with short SerialNumber

2017-08-08 Thread Jonathan Rudenberg via dev-security-policy
> On Aug 8, 2017, at 08:58, Fiedler, Arno via dev-security-policy > wrote: > > Dear Mozilla Security Policy Community, > > Thanks for the advice about the short serial numbers and apologies for the > delayed response. > > Since 2016, all D-TRUST TLS