On Wednesday, September 7, 2016 at 3:08:33 AM UTC-7, Richard Wang wrote:
> Hi Gerv, Kathleen and Richard,
>
> This discussion has lasted two weeks, I think it is time to end it, it
> isn’t worth wasting everybody’s precious time.
> I make my confession that our system and management do have
On Wednesday, September 7, 2016 at 10:43:34 AM UTC-7, Han Yuwei wrote:
> I raise this question because of the WoSign incident about high port
> validation. Many CAs use email validation, such as sending an email to
> webmas...@foo.bar, or putting a specific file into the root of the website.
> What I think i
On Wed, Sep 07, 2016 at 02:08:24PM +0200, Kurt Roeckx wrote:
> On 2016-09-07 13:00, Gervase Markham wrote:
> > Hi Richard,
> >
> > On 07/09/16 11:06, Richard Wang wrote:
> > > This discussion has lasted two weeks, I think it is time to end
> > > it, it isn’t worth wasting everybody’s preciou
On Tuesday, September 6, 2016 at 8:28:53 AM UTC-7, Gervase Markham wrote:
> While we try and evaluate contributions to this forum based on their
> content rather than on who posted them, the issue has been raised that
> it is sometimes useful to know where someone is coming from, who they
> represe
I raise this question because of the WoSign incident about high port
validation. Many CAs use email validation, such as sending an email to
webmas...@foo.bar, or putting a specific file into the root of the website.
What I think is that this cannot validate that the *domain* is yours. It just verified
you have the
Richard, why does the report not mention that the list of certs issued using
high port validation is not complete and that you cannot properly find all the
relevant information in your system?
> On 7. 9. 2016, at 4:08, Richard Wang wrote:
>
> We checked our system that this order is finished t
On Tuesday, September 6, 2016 at 10:10:44 PM UTC-4, Richard Wang wrote:
> ... we can't find the info on what port was used; our CMS system just records that this
> order was validated by the website control validation method, and does not record the
> port used at that time.
>
> Why we can find out other 72 certificate
This certificate was just revoked. Kyle, thanks for bringing this to our
attention - we were able to start work once you posted here at m.d.s.policy.
Kind regards,
Steven Medin
PKI Policy Manager, Symantec Corporation
-Original Message-
From: dev-security-policy
[mailto:dev-security-poli
On 07/09/16 13:52, Rob Stradling wrote:
> Hi Thijs. I agree that this pattern is interesting (and it'd be nice to
> see an explanation), but I'm not convinced that it proves everything you
> think it proves.
Hi Rob,
My digest of Thijs's work (and that of others investigating the same
issues) is
On 07/09/16 15:01, Thijs Alkemade wrote:
> What is suspicious is:
>
> - Twice as many SHA-1 certificates being issued on a specific Sunday in
> December than the daily average that month. (Which also happens to be the
> date on the certificates which I personally got from the StartEncrypt API.)
On 07 Sep 2016, at 14:52, Rob Stradling wrote:
>
> On 06/09/16 19:12, Thijs Alkemade wrote:
>
>> Hello,
>>
>> We obtained 2 certificates from the StartEncrypt API which had SHA-1
>> signatures and which were backdated to December 20, 2015.
>>
>> After WoSign announced that all certificates is
On 06/09/16 19:12, Thijs Alkemade wrote:
> Hello,
>
> We obtained 2 certificates from the StartEncrypt API which had SHA-1
> signatures and which were backdated to December 20, 2015.
>
> After WoSign announced that all certificates issued in 2015 were logged to
> their Certificate Transparency
We posted all 2015 certificates, total 109,405.
We have almost finished the 2016 certificates: till now, 129,426, not finished.
The 392 certs are not all from one serial number; they are from several serial numbers.
Regards,
Richard
> On 7 Sep 2016, at 20:07, Kurt Roeckx wrote:
>
>> On 2016-09-07 13:00, Gerva
On 2016-09-07 13:00, Gervase Markham wrote:
> Hi Richard,
>
> On 07/09/16 11:06, Richard Wang wrote:
> > This discussion has lasted two weeks, I think it is time to end
> > it, it isn’t worth wasting everybody’s precious time.
> Unfortunately, I think we may be only beginning.
> I have prepared a list o
On 07/09/16 12:14, Richard Wang wrote:
> By the way, the link you used in the page to our report is not correct.
Fixed; thank you.
Gerv
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-s
Got it, thanks.
We will reply to you soon.
By the way, the link you used in the page to our report is not correct.
Regards,
Richard
> On 7 Sep 2016, at 18:58, Gervase Markham wrote:
>
> Hi Richard,
>
>> On 07/09/16 11:06, Richard Wang wrote:
>> This discussion has lasted two weeks, I think
Hi Richard,
On 07/09/16 11:06, Richard Wang wrote:
> This discussion has lasted two weeks, I think it is time to end
> it, it isn’t worth wasting everybody’s precious time.
Unfortunately, I think we may be only beginning.
I have prepared a list of the issues we are tracking with WoSign's
c
Responding to the scenario Jakob described which I agree is likely in outline
Let's Encrypt has seen a number of enquiries about relaxing their rate limits
or granting some sort of exception so that firmware OEMs can use Let's Encrypt
to have their devices self-issue using ACME from a name pool
Hi Gerv, Kathleen and Richard,
This discussion has lasted two weeks, I think it is time to end it, it
isn’t worth wasting everybody’s precious time.
I make my confession that our system and management do have some problems which
lead to the misissuance of some certificates. And I am very s
On 06/09/16 11:11, Rob Stradling wrote:
> "UTN - DATACorp SGC" was also cross-certified by the "AddTrust External
> CA Root" root [3], but we revoked the cross-certificates in December
> 2015, invited Mozilla to add them to OneCRL [4] and disclosed them as
> revoked to Salesforce [5]. (I don't kn
See also: https://bugzilla.mozilla.org/show_bug.cgi?id=435013
On 06/09/16 18:55, Paul Wouters wrote:
> On Tue, 6 Sep 2016, Kyle Hamilton wrote:
>
>>> That seems unlikely to me (in that browsers don't really keep a server
>>> cert database).
>>
>> Has that changed? I talked with Dan Veditz (at Mo
Given the specific name in those certificates, and the place where the
private key was seen, I would guess the actual use case is this:
Each router (presumably a SOHO router) contains a DNS server that
responds with its own internal RFC1918 IP address for the name
securelogin.arubanetworks.com an