Re: Incident report D-TRUST: syntax error in one tls certificate

2018-11-27 Thread Buschart, Rufus via dev-security-policy
To simplify the process of monitoring crt.sh, we at Siemens have implemented a 
little web service which directly queries the crt.sh DB and returns the errors as 
JSON. This way you don't have to parse HTML files and can integrate it directly 
into your monitoring. Maybe this function is of interest to some other CA:

https://eo0kjkxapi.execute-api.eu-central-1.amazonaws.com/prod/crtsh-monitor?caID=52410=30=false

To monitor your CA, replace the caID with your CA's ID from crt.sh. In case you 
receive an endpoint time-out message, try again; the crt.sh DB often returns 
time-outs. For more details or feature requests, have a look at its GitHub repo: 
https://github.com/RufusJWB/crt.sh-monitor


With best regards,
Rufus Buschart

Siemens AG
Information Technology
Human Resources
PKI / Trustcenter
GS IT HR 7 4
Hugo-Junkers-Str. 9
90411 Nuernberg, Germany 
Tel.: +49 1522 2894134
mailto:rufus.busch...@siemens.com
www.twitter.com/siemens

www.siemens.com/ingenuityforlife

Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Jim Hagemann 
Snabe; Managing Board: Joe Kaeser, Chairman, President and Chief Executive 
Officer; Roland Busch, Lisa Davis, Klaus Helmrich, Janina Kugel, Cedrik Neike, 
Michael Sen, Ralf P. Thomas; Registered offices: Berlin and Munich, Germany; 
Commercial registries: Berlin Charlottenburg, HRB 12300, Munich, HRB 6684; 
WEEE-Reg.-No. DE 23691322

> -----Original Message-----
> From: dev-security-policy  On Behalf Of 
> Enrico Entschew via dev-security-policy
> Sent: Tuesday, 27 November 2018 18:17
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Incident report D-TRUST: syntax error in one tls certificate
> 
> On Monday, 26 November 2018 18:34:38 UTC+1, Jakob Bohm wrote:
> 
> > In addition to this, would you add the following:
> >
> > - Daily checks of crt.sh (or some other existing tool) if additional
> > such certificates are erroneously issued before the automated
> > countermeasures are in place?
> 
> Thank you, Jakob. This is what we intended to do. We are monitoring crt.sh at 
> least twice daily every day from now on.
> 
> As to your other point, we do restrict the serial number element and the 
> error occurred precisely in defining the constraints for this
> field. As mentioned above, we plan to make adjustments to our systems to 
> prevent this kind of error in future.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
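The check described above, as an added example written for this page (it is not Rufus Buschart's service and not code from the crt.sh-monitor repository): a Python script that pulls lint findings for one issuer CA from crt.sh and turns them into a JSON document with a single `alert` field a monitoring system can page on. The connection parameters, the `lint_cert_issue`/`lint_issue` table and column names, and the severity codes are assumptions about crt.sh's public Postgres interface; the `SAMPLE_ROWS` are constructed so the summary runs offline, and `fetch_lint_rows` is the only part that needs network access and psycopg2.

```python
"""Added example: query crt.sh's lint findings for one CA and emit a JSON summary.

Not the page's or the crt.sh-monitor project's own code. Assumptions (not stated
on the page): crt.sh's public Postgres replica is reachable as host crt.sh,
database certwatch, user guest, and exposes lint_cert_issue / lint_issue with the
columns used in LINT_QUERY; severity codes are F (fatal), E (error), W (warning),
N (notice), I (info), B (linter bug).
"""
import json
from datetime import datetime, timedelta, timezone

CRTSH_DSN = "host=crt.sh dbname=certwatch user=guest"  # assumption, see above

ERROR_SEVERITIES = ("F", "E")   # what a CA must treat as a mis-issuance signal
WARNING_SEVERITIES = ("W",)     # optional; noisy but worth a look

# Assumed crt.sh schema. Parameterised: ca_id and since are never interpolated.
LINT_QUERY = """
SELECT lci.certificate_id, li.linter, li.severity, li.issue_text, lci.not_before
  FROM lint_cert_issue lci
  JOIN lint_issue li ON li.id = lci.lint_issue_id
 WHERE lci.issuer_ca_id = %(ca_id)s
   AND lci.not_before >= %(since)s
 ORDER BY lci.not_before DESC
"""


def fetch_lint_rows(ca_id, days, connect_timeout=60):
    """Live path: needs network and psycopg2. crt.sh frequently times out, so a
    monitoring job should retry this a few times before alerting on 'no data'."""
    import psycopg2  # lazy import so the offline summarise() path has no dependency
    since = datetime.now(timezone.utc) - timedelta(days=days)
    conn = psycopg2.connect(CRTSH_DSN, connect_timeout=connect_timeout)
    try:
        with conn.cursor() as cur:
            cur.execute(LINT_QUERY, {"ca_id": ca_id, "since": since})
            return cur.fetchall()
    finally:
        conn.close()


def summarise(ca_id, rows, include_warnings=False):
    """Group lint rows per certificate into a JSON-serialisable dict.

    rows: (certificate_id, linter, severity, issue_text, not_before) tuples.
    'alert' is True when any fatal/error finding exists, so a monitoring system
    can page on one boolean instead of parsing the whole document.
    """
    wanted = ERROR_SEVERITIES + (WARNING_SEVERITIES if include_warnings else ())
    certs = {}
    for cert_id, linter, severity, text, not_before in rows:
        if severity not in wanted:
            continue
        entry = certs.setdefault(cert_id, {
            # crt.sh renders per-certificate lint output with this opt= value (assumption)
            "crtsh_url": "https://crt.sh/?id=%d&opt=cablint,x509lint,zlint" % cert_id,
            "not_before": not_before.isoformat(),
            "issues": [],
        })
        entry["issues"].append({"linter": linter, "severity": severity, "text": text})
    error_findings = sum(1 for e in certs.values()
                         for i in e["issues"] if i["severity"] in ERROR_SEVERITIES)
    return {
        "ca_id": ca_id,
        "certificates_with_findings": len(certs),
        "error_findings": error_findings,
        "alert": error_findings > 0,
        "certificates": [dict(id=cid, **e) for cid, e in sorted(certs.items())],
    }


# Constructed sample rows (not real crt.sh data) so the script runs offline.
_T = datetime(2018, 11, 20, 12, 0, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    (1000001, "zlint",    "E", "constructed: serialNumber field violates a length constraint", _T),
    (1000001, "cablint",  "E", "constructed: same defect reported by a second linter", _T),
    (1000002, "x509lint", "E", "constructed: encoding error in an extension", _T - timedelta(days=3)),
    (1000002, "zlint",    "N", "constructed: notice-level finding, never alerted on", _T - timedelta(days=3)),
    (1000003, "zlint",    "W", "constructed: warning only", _T - timedelta(days=9)),
]

if __name__ == "__main__":
    # Replace SAMPLE_ROWS with fetch_lint_rows(52410, 30) for a live check
    # (52410 is the caID used in the example URL above).
    print(json.dumps(summarise(52410, SAMPLE_ROWS), indent=2))
```

Warnings are excluded by default on purpose: a CA's incident-monitoring page should only go red for findings that are actual Baseline Requirements violations, while warnings can be reviewed on a slower cadence with `include_warnings=True`.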


Re: Incident report D-TRUST: syntax error in one tls certificate

2018-11-27 Thread Enrico Entschew via dev-security-policy
On Monday, 26 November 2018 18:34:38 UTC+1, Jakob Bohm wrote:

> In addition to this, would you add the following:
> 
> - Daily checks of crt.sh (or some other existing tool) if 
>  additional such certificates are erroneously issued before 
>  the automated countermeasures are in place?

Thank you, Jakob. This is what we intended to do. We are monitoring crt.sh at 
least twice daily every day from now on.

As to your other point, we do restrict the serial number element and the error 
occurred precisely in defining the constraints for this field. As mentioned 
above, we plan to make adjustments to our systems to prevent this kind of error 
in future. 


Re: Violation report - Comodo CA certificates revocation delays

2018-11-27 Thread waryde--- via dev-security-policy
On Friday, October 12, 2018 14:28:47 UTC+2, Robin Alden wrote:
> I understand the OP's concern and will respond to the bug shortly.

Given that 45 days have passed now, the internal definition of "shortly" used by 
Comodo seems to differ a lot from the common use of the term.


Re: Request to Include emSign Root CA - G1, emSign Root CA - G3, emSign Root CA - C1, and emSign Root CA - C3

2018-11-27 Thread Vijay Kumar via dev-security-policy
Hi,

Happy to inform you of the availability of the Period of Time audit reports. The audit 
reports are dated 08-Oct-2018, and the corresponding WebTrust seals are 
available at https://repository.emsign.com

Links to individual audit reports.

WebTrust CA: https://bugzilla.mozilla.org/attachment.cgi?id=9027883
WebTrust SSL Baseline w Net Sec: 
https://bugzilla.mozilla.org/attachment.cgi?id=9027884
WebTrust EV SSL: https://bugzilla.mozilla.org/attachment.cgi?id=9027885

These attachments are also part of the parent bug ID 1442337.

Regards,
Vijay