Re: SHA-1 serverAuth cert issued by Trustis in November 2016

2017-04-24 Thread Gervase Markham via dev-security-policy
Hi Blake, On 21/04/17 16:55, blake.mor...@trustis.com wrote: > Following further discussion with, and guidance from Mozilla, it has > been determined that the getset.trustis.com certificate issued in > November 2016 was a mis-issuance. This incident has highlighted an > ambiguity arising from

Re: SHA-1 serverAuth cert issued by Trustis in November 2016

2017-04-21 Thread blake.morgan--- via dev-security-policy
On Thursday, March 16, 2017 at 11:00:51 AM UTC, Gervase Markham wrote: > Hi Blake, > > On 02/03/17 16:26, blake morgan wrote: > > We have engaged with our external auditors in relation to this and the > > previous certificate that was reported. Once that activity has concluded we > > will be

Re: SHA-1 serverAuth cert issued by Trustis in November 2016

2017-04-13 Thread Gervase Markham via dev-security-policy
On 12/04/17 21:39, uri...@gmail.com wrote: > Is there an expectation of a resolution of some sort to this matter? > Also, their most recent audit is apparently overdue (perhaps related to the > SHA-1 mis-issuance?) > >

Re: SHA-1 serverAuth cert issued by Trustis in November 2016

2017-04-12 Thread urijah--- via dev-security-policy
Is there an expectation of a resolution of some sort to this matter? Also, their most recent audit is apparently overdue (perhaps related to the SHA-1 mis-issuance?) https://groups.google.com/d/msg/mozilla.dev.security.policy/IjgFwzGI_H0/-689uFoXBwAJ On Thursday, March 16, 2017 at 7:00:51 AM

Re: SHA-1 serverAuth cert issued by Trustis in November 2016

2017-03-16 Thread Gervase Markham via dev-security-policy
Hi Blake, On 02/03/17 16:26, blake.mor...@trustis.com wrote: > We have engaged with our external auditors in relation to this and the > previous certificate that was reported. Once that activity has concluded we > will be providing further information. Do you have an ETA for this incident

Re: SHA-1 serverAuth cert issued by Trustis in November 2016

2017-03-02 Thread blake.morgan--- via dev-security-policy
On Friday, February 24, 2017 at 11:25:22 PM UTC, Gervase Markham wrote: > On 24/02/17 08:25, Andrew Ayer wrote: > > Below is an unrevoked SHA-1 serverAuth certificate for > > getset.trustis.com issued from this CA with a Not Before date of > > 2016-11-07. > > Blake: you wrote: "As part of the

Re: SHA-1 serverAuth cert issued by Trustis in November 2016

2017-02-24 Thread Gervase Markham via dev-security-policy
On 24/02/17 07:08, blake.mor...@trustis.com wrote: > Certificates for the HMRC SET Service are issued from the SHA-1 “FPS > TT Issuing Authority”, which is now only used for this service. The > replacement server certificate for hmrcset.trustis.com was issued > from the FPS TT IA, via a manual

Re: SHA-1 serverAuth cert issued by Trustis in November 2016

2017-02-24 Thread Andrew Ayer via dev-security-policy
On Fri, 24 Feb 2017 07:08:54 -0800 (PST) "blake.morgan--- via dev-security-policy" wrote: > Trustis has, some time ago, migrated all TLS certificate production to > SHA-256 Issuing Authorities. The small number of previously issued > SHA-1 TLS certificates

Re: SHA-1 serverAuth cert issued by Trustis in November 2016

2017-02-24 Thread blake.morgan--- via dev-security-policy
On Monday, February 20, 2017 at 11:50:59 AM UTC, Gervase Markham wrote: > On 16/02/17 18:26, blake.mor...@trustis.com wrote: > > Trustis has now revoked the SHA-1 Certificate for hmrcset.trustis.com > > and replaced it with a SHA-256 Certificate. This status is reflected > > in the latest CRL. >

Re: SHA-1 serverAuth cert issued by Trustis in November 2016

2017-02-20 Thread Gervase Markham via dev-security-policy
On 16/02/17 18:26, blake.mor...@trustis.com wrote: > Trustis has now revoked the SHA-1 Certificate for hmrcset.trustis.com > and replaced it with a SHA-256 Certificate. This status is reflected > in the latest CRL. Hi Blake, We are pleased to hear that, but the detail of your report compares

Re: SHA-1 serverAuth cert issued by Trustis in November 2016

2017-02-16 Thread Eric Mill via dev-security-policy
On Thu, Feb 16, 2017 at 8:26 PM, blake.morgan--- via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > > > Trustis has now revoked the SHA-1 Certificate for hmrcset.trustis.com and > replaced it with a SHA-256 Certificate. This status is reflected in the > latest CRL. >

Re: SHA-1 serverAuth cert issued by Trustis in November 2016

2017-02-16 Thread blake.morgan--- via dev-security-policy
On Wednesday, February 15, 2017 at 10:02:50 PM UTC, Rob Stradling wrote: > This currently unrevoked cert has a SHA-1/RSA signature, the serverAuth > EKU and CN=hmrcset.trustis.com: > https://crt.sh/?id=50773741&opt=cablint > > It lacks the SAN extension, but that doesn't excuse it from the ban on >

Re: SHA-1 serverAuth cert issued by Trustis in November 2016

2017-02-16 Thread Richard Wang via dev-security-policy
Check the SSL Labs test: https://www.ssllabs.com/ssltest/analyze.html?d=hmrcset.trustis.com, rated F, and it even has SSL v2 enabled. Best Regards, Richard On 16 Feb 2017, at 19:04, Nick Lamb via dev-security-policy

Re: SHA-1 serverAuth cert issued by Trustis in November 2016

2017-02-16 Thread Nick Lamb via dev-security-policy
On Wednesday, 15 February 2017 22:02:50 UTC, Rob Stradling wrote: > This currently unrevoked cert has a SHA-1/RSA signature, the serverAuth > EKU and CN=hmrcset.trustis.com: > https://crt.sh/?id=50773741&opt=cablint > > It lacks the SAN extension, but that doesn't excuse it from the ban on >

SHA-1 serverAuth cert issued by Trustis in November 2016

2017-02-15 Thread Rob Stradling via dev-security-policy
This currently unrevoked cert has a SHA-1/RSA signature, the serverAuth EKU and CN=hmrcset.trustis.com: https://crt.sh/?id=50773741&opt=cablint It lacks the SAN extension, but that doesn't excuse it from the ban on SHA-1! Its issuer is trusted for serverAuth by Mozilla: