A report regarding this incident has been published on the Let's Encrypt
community site:
https://community.letsencrypt.org/t/2017-09-09-late-weak-key-revocation/42519
The text is copied here:
On July 16, 2017 it was reported to Let’s Encrypt by researcher Hanno Böck that
it was possible to get
On Friday September 8, 2017, at 10:04pm US Pacific time, Let's Encrypt received
a report pointing out a certificate that should not have been issued per CAA
RFC 6844 [1].
When CAA checking became mandatory on September 8, 2017, it only allowed the
CAA checking algorithm specified in RFC 6844. S
On September 8, 2017, Let’s Encrypt received a report from researcher Andrew
Ayer that we accepted an expired DNSSEC RRSIG during certificate issuance. The
RRSIG was very recently expired (< 1hr).
This violates RFC 4033 Section 8.1 [1]:
“The signatures associated with signed zone data are only
Hi Ben,
While I wasn't trying to suggest the reasoning was the same, I was trying
to highlight that for many implementations, the revocation of a single
certificate (where there may exist multiple cross-signs) induces enough
non-determinism to effectively constitute revoking all of them. That is,
Ryan,
Could you please explain what you mean by saying that if you revoke a single
certificate that it is akin to revoking all variations of that certificate?
I don't think I agree. There are situations where the certificate is
revoked for reasons (e.g. issues of certificate format/content) that
On Monday, 18 September 2017 15:50:16 UTC+1, Franck Leroy wrote:
> This control that StartCom was not allowed to use our path was technically in
> place by the fact that I was the only one to have the intermediate cross
> signed certificates, stored (retained) in my personal safe.
I see. Three (g
Le lundi 18 septembre 2017 14:52:27 UTC+2, Ryan Sleevi a écrit :
> On Mon, Sep 18, 2017 at 8:12 AM, Inigo Barreira <>
> wrote:
> Then they misissued a CA certificate and failed to disclose it, and we
> should start an incident report into it.
Hello
In April 2017 the Mozilla policy in force (v2.4)
On 11/09/17 12:03, Gervase Markham wrote:
> Thank you for this initial response. It is, however, far less detailed
> than we would like to see.
I have not had any further updates from PROCERT. I have tried to reflect
their responses from this email here:
https://wiki.mozilla.org/CA:PROCERT_Issues
On Mon, Sep 18, 2017 at 8:12 AM, Inigo Barreira
wrote:
>
> We are not seeking to identify personal blame. We are seeking to
> understand what, if any, improvements have been made to address such
> issues. In reading this thread, I have difficulty finding any discussion
> about the steps that Start
On Monday, September 18, 2017 at 11:38:57 AM UTC+1, Inigo Barreira wrote:
> >
> > I want to give you some words from one of the "community side" (this is a
> > personal opinion and may vary from other opinions inside the community).
> >
> > Trust is not something that you get, it is something tha
>
> I want to give you some words from one of the "community side" (this is a
> personal opinion and may vary from other opinions inside the community).
>
> Trust is not something that you get, it is something that you earn.
True
> StartCom was distrusted because of serious issues with their ol