Re: Misissued/Suspicious Symantec Certificates

2017-03-01 Thread Martin Heaps via dev-security-policy
On Tuesday, 28 February 2017 17:45:19 UTC, Santhan Raj wrote: > WebTrust for Certification Authorities, SSL > Baseline with Network Security, Version 2.0, available > at > http://www.webtrust.org/homepage‐documents/item79806.pdf. 404 - File

Re: Incapsula via GlobalSign issued[ing] a certificate for non-existing domain (testslsslfeb20.me)

2017-03-01 Thread douglas.beattie--- via dev-security-policy
On Wednesday, March 1, 2017 at 8:26:34 AM UTC-5, Peter Kurrasch wrote: > Would it be possible to get a more precise answer other than "in accordance > with"? I am left to assume that in fact no verification was performed because > the previous verification was in the 39 month window. For this

Re: Intermediates Supporting Many EE Certs

2017-03-01 Thread Jakob Bohm via dev-security-policy
On 01/03/2017 12:43, Gervase Markham wrote: On 13/02/17 12:23, Gervase Markham wrote: The GoDaddy situation raises an additional issue. What can be done about the potential future issue (which might happen with any large CA) of the need to untrust a popular intermediate? Suggestions

Re: SHA1 root CA

2017-03-01 Thread Gervase Markham via dev-security-policy
On 01/03/17 10:36, benjaminp...@gmail.com wrote: > screenshot of the error message: http://imgur.com/a/BIQUm That error message will not occur if only the root CA is SHA-1 signed, because Firefox does not check the signatures on root CAs. There must be some other certificate in the chain that
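Gerv's point above, that the root's self-signature is never verified and so the SHA-1 signature that triggers SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED must sit on some other certificate in the chain, can be checked mechanically. The script below is an added example, not code from any poster in this thread. It uses only the Python standard library: it walks the DER of each certificate, reads the outer signatureAlgorithm OID, and treats a certificate whose issuer Name equals its subject Name as the self-signed root. That equality test is an assumption standing in for "is the trust anchor" (a cross-signed root would not be self-signed), and the two sample chains, the "Example ..." names and the dummy signatures are constructed here so the script runs offline; they are not real, verifiable certificates.

```python
"""Find the certificate in a chain that would trip Firefox's SHA-1 signature check.
Stdlib-only DER walk; the sample chains at the bottom are constructed, not real certs."""

# Signature-algorithm OIDs that use SHA-1 (RFC 3279/4055), plus SHA-256 peers for display.
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                 "1.2.840.10040.4.3": "dsa-with-sha1",
                 "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
SIG_OID_NAMES = {**SHA1_SIG_OIDS, "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
                 "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}
OID_CN = "2.5.4.3"

def _tlv(buf, pos=0):
    """Read one DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    """Split a constructed element's value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        out.append((tag, val))
    return out

def _oid(body):
    """Decode OID content octets to dotted form (first arc 0/1/2 only)."""
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def _cn(name):
    """First commonName in a DER Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    for _, rdn in _children(name):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)
            if _oid(oid) == OID_CN:
                return val.decode()
    return "<no CN>"

def parse_cert(der):
    """Issuer and subject (raw DER, for comparison), subject CN, and the outer signature OID."""
    _, cert, _ = _tlv(der)
    (_, tbs), (_, alg), _ = _children(cert)  # tbsCertificate, signatureAlgorithm, signature
    fields = _children(tbs)
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields now: serialNumber, signature, issuer, validity, subject, ...
    return {"issuer": fields[2][1], "subject": fields[4][1],
            "cn": _cn(fields[4][1]), "sig_oid": _oid(_children(alg)[0][1])}

def audit_chain(chain):
    """chain: DER certificates, leaf first. Returns one finding per certificate."""
    findings = []
    for der in chain:
        c = parse_cert(der)
        self_signed = c["issuer"] == c["subject"]  # assumption: self-signed == trust anchor
        findings.append({
            "subject": c["cn"],
            "algorithm": SIG_OID_NAMES.get(c["sig_oid"], c["sig_oid"]),
            "self_signed": self_signed,
            # The root's own signature is never verified, so only a SHA-1
            # signature on a non-root certificate can trip the check.
            "blocks_firefox": c["sig_oid"] in SHA1_SIG_OIDS and not self_signed})
    return findings

def first_blocking_cert(chain):
    """Subject CN of the first certificate Firefox would reject, or None."""
    return next((f["subject"] for f in audit_chain(chain) if f["blocks_firefox"]), None)

# --- constructed sample chains: valid DER shape, minimal tbsCertificate, dummy signature ---
def _enc(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String } } }
    return _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, bytes.fromhex("550403")) + _enc(0x0C, cn.encode()))))

def _fake_cert(subject, issuer, sig_oid_hex):
    alg = _enc(0x30, _enc(0x06, bytes.fromhex(sig_oid_hex)) + _enc(0x05, b""))
    validity = _enc(0x30, _enc(0x17, b"170301000000Z") + _enc(0x17, b"180301000000Z"))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + alg
               + _name(issuer) + validity + _name(subject))
    return _enc(0x30, tbs + alg + _enc(0x03, bytes(33)))  # BIT STRING placeholder signature

SHA1_RSA, SHA256_RSA = "2a864886f70d010105", "2a864886f70d01010b"
ROOT, ISSUING, LEAF = "Example Enterprise Root CA", "Example Issuing CA", "www.example.com"
# The poster's situation: only the self-signed root is SHA-1 -> nothing is flagged.
SHA1_ROOT_CHAIN = [_fake_cert(LEAF, ISSUING, SHA256_RSA), _fake_cert(ISSUING, ROOT, SHA256_RSA),
                   _fake_cert(ROOT, ROOT, SHA1_RSA)]
# The usual real culprit: an intermediate that is still SHA-1 signed.
SHA1_INTERMEDIATE_CHAIN = [_fake_cert(LEAF, ISSUING, SHA256_RSA), _fake_cert(ISSUING, ROOT, SHA1_RSA),
                           _fake_cert(ROOT, ROOT, SHA1_RSA)]
```

`first_blocking_cert(SHA1_ROOT_CHAIN)` returns None, while `first_blocking_cert(SHA1_INTERMEDIATE_CHAIN)` names the issuing CA. To run it against the server from the original report, feed it the DER of each certificate the server actually sends (for example the blocks from `openssl s_client -showcerts`, converted from PEM), since the offending SHA-1 signature is on one of those, not on the root.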

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

2017-03-01 Thread Peter Kurrasch via dev-security-policy
What you've stumbled into is the unspoken truth that CA's want to have their cake and eat it too. Specifically, they market themselves and their products under the umbrella of security: "You want to be secure on the Internet, right? We can help you do that!" Then, most all CA's will turn

Re: Incapsula via GlobalSign issued[ing] a certificate for non-existing domain (testslsslfeb20.me)

2017-03-01 Thread Peter Kurrasch via dev-security-policy
Would it be possible to get a more precise answer other than "in accordance with"? I am left to assume that in fact no verification was performed because the previous verification was in the 39 month window. Original Message From: douglas.beattie--- via dev-security-policy Sent: Tuesday,

Re: Intermediates Supporting Many EE Certs

2017-03-01 Thread okaphone.elektronika--- via dev-security-policy
On Wednesday, 1 March 2017 12:44:16 UTC+1, Gervase Markham wrote: > On 13/02/17 12:23, Gervase Markham wrote: > > The GoDaddy situation raises an additional issue. > > > What can be done about the potential future issue (which might happen > > with any large CA) of the need to untrust a

Re: Intermediates Supporting Many EE Certs

2017-03-01 Thread Gervase Markham via dev-security-policy
On 13/02/17 12:23, Gervase Markham wrote: > The GoDaddy situation raises an additional issue. > What can be done about the potential future issue (which might happen > with any large CA) of the need to untrust a popular intermediate? > Suggestions welcome. Reviewing the discussion, I

Re: SHA1 root CA

2017-03-01 Thread Hanno Böck via dev-security-policy
On Wed, 1 Mar 2017 02:36:22 -0800 (PST) benjaminpill--- via dev-security-policy wrote: > when connecting to a webserver > > screenshot of the error message: http://imgur.com/a/BIQUm It would be helpful if you told us which webserver. The error message

Re: SHA1 root CA

2017-03-01 Thread Pascal Ernster via dev-security-policy
[2017-03-01 11:21] benjaminpill--- via dev-security-policy: > so why is Firefox complaining with this error message: > > SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED Check the about:config setting "security.pki.sha1_enforcement_level". Valid values currently range from 0 to 4, with the following

Re: SHA1 root CA

2017-03-01 Thread benjaminpill--- via dev-security-policy
On Wednesday, 1 March 2017 11:31:20 UTC+1, Hanno Böck wrote: > On Wed, 1 Mar 2017 02:21:21 -0800 (PST) > benjaminpill--- via dev-security-policy > wrote: > > > so why is Firefox complaining with this error message: > > > >

Re: SHA1 root CA

2017-03-01 Thread Hanno Böck via dev-security-policy
On Wed, 1 Mar 2017 02:21:21 -0800 (PST) benjaminpill--- via dev-security-policy wrote: > so why is Firefox complaining with this error message: > > SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED Can you be more specific? Where are you seeing that error

Re: SHA1 root CA

2017-03-01 Thread benjaminpill--- via dev-security-policy
On Wednesday, 1 March 2017 11:18:48 UTC+1, Hanno Böck wrote: > On Wed, 1 Mar 2017 00:44:54 -0800 (PST) > benjaminpill--- via dev-security-policy > wrote: > > > are root (Enterprise) CA certificates which are based on SHA1 handled > > as untrusted by Firefox

Re: SHA1 root CA

2017-03-01 Thread Hanno Böck via dev-security-policy
On Wed, 1 Mar 2017 00:44:54 -0800 (PST) benjaminpill--- via dev-security-policy wrote: > are root (Enterprise) CA certificates which are based on SHA1 handled > as untrusted by Firefox 51? The end certificate is signed using sha256 > and trusted by a

SHA1 root CA

2017-03-01 Thread benjaminpill--- via dev-security-policy
Hello, are root (Enterprise) CA certificates which are based on SHA1 handled as untrusted by Firefox 51? The end certificate is signed using sha256 and trusted by an intermediate CA which also uses sha256. Only the root CA is based on sha1. Chrome and IE are not complaining about the root cert.