Re: Incorrect OCSP status for revoked intermediates

2019-01-29 Thread Wayne Thayer via dev-security-policy
Thanks Corey and Ben. This issue does appear to have been resolved. I've
created a bug requesting an incident report:
https://bugzilla.mozilla.org/show_bug.cgi?id=1523676

- Wayne

On Sun, Jan 27, 2019 at 5:48 PM Ben Wilson via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> We believe this issue has been fixed.
> 
> From: Ben Wilson
> Sent: Sunday, January 27, 2019 2:22:45 PM
> To: Corey Bonnell; mozilla-dev-security-pol...@lists.mozilla.org
> Subject: RE: Incorrect OCSP status for revoked intermediates
>
> Thanks, Corey.  As I said, we'll try to get this resolved as soon as
> possible and file an incident report.
>
> -Original Message-
> From: dev-security-policy On Behalf Of Corey Bonnell via dev-security-policy
> Sent: Sunday, January 27, 2019 2:21 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Incorrect OCSP status for revoked intermediates
>
> On Sunday, January 27, 2019 at 4:09:44 PM UTC-5, Ben Wilson wrote:
> > I'll look into this immediately, but have you checked to see whether
> > these certificates have OCSP AIAs in them?  Or did you find these by
> > searching our CRLs?
> >
> > -Original Message-
> > From: dev-security-policy On Behalf Of Corey Bonnell via dev-security-policy
> > Sent: Sunday, January 27, 2019 8:50 AM
> > To: mozilla-dev-security-pol...@lists.mozilla.org
> > Subject: Incorrect OCSP status for revoked intermediates
> >
> > Hello,
> > I discovered that the following Baltimore CyberTrust Root-chained
> > intermediates are disclosed in CCADB and are revoked via CRL, but the
> > OCSP responder is returning "good":
> >
> > DigiCert
> > crt.sh URL(s),notBefore,notAfter,subject CN,issuer CN
> > https://crt.sh/?id=3528065,2014-02-12,2021-02-12,Bechtel External Policy CA 1,Baltimore CyberTrust Root
> > https://crt.sh/?id=91478106,2014-04-16,2024-04-16,Dell Inc. Enterprise CA,Baltimore CyberTrust Root
> > https://crt.sh/?id=12625621,2014-04-16,2024-04-16,Dell Inc. Enterprise CA,Baltimore CyberTrust Root
> > https://crt.sh/?id=91478107,2014-04-16,2024-04-16,Dell Inc. Enterprise CA,Baltimore CyberTrust Root
> > https://crt.sh/?id=12620974,2014-09-10,2024-09-10,Dell Inc. Enterprise CA,Baltimore CyberTrust Root
> > https://crt.sh/?id=6906659,2015-03-03,2022-03-03,ABB Intermediate CA 3,Baltimore CyberTrust Root
> > https://crt.sh/?id=6976985,2015-03-18,2022-03-18,Bechtel External Policy CA 1,Baltimore CyberTrust Root
> > https://crt.sh/?id=35335507,2015-05-21,2022-05-21,ABB Intermediate CA 3,Baltimore CyberTrust Root
> > https://crt.sh/?id=78292184,2016-11-30,2020-11-30,Eurida Primary CA,Baltimore CyberTrust Root
> >
> > Given that software may rely on OCSP responses for revocation checking
> > (as opposed to CRLs or some other mechanism), I wanted to notify the
> > Mozilla community of this inconsistent revocation information.
> >
> > Thanks,
> > Corey
> > ___
> > dev-security-policy mailing list
> > dev-security-policy@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-security-policy
>
> Hi Ben,
> Yes, I confirmed that all listed certificates have OCSP AIA pointers. You
> can use the crt.sh links and click "Check" in the Revocation table's OCSP
> column to have crt.sh perform the OCSP check for you.
>
> For full disclosure, I found these certificates using Censys.io.
>
> Thanks,
> Corey
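As an added example (not code from this thread, from DigiCert or from crt.sh), the cross-check a relying party or a CA's own monitoring could run to catch the disagreement Corey reports: given an intermediate, its issuer, the issuer's CRL and an OCSP response for the intermediate, it verifies both signatures against the issuer and compares the two answers. The PKI is constructed inside the block with the `cryptography` library (function names are mine) so it runs offline; `demo()` reproduces the case where the CRL lists the intermediate but OCSP still answers "good".

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW = datetime.now(timezone.utc)
_name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue_ca(subject_cn, issuer_cert, issuer_key, key, serial):
    # issuer_cert=None yields a self-signed root; this is a constructed test PKI, not a real CA
    return (x509.CertificateBuilder().subject_name(_name(subject_cn))
            .issuer_name(issuer_cert.subject if issuer_cert else _name(subject_cn))
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(NOW - timedelta(days=1)).not_valid_after(NOW + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def build_crl(issuer_cert, issuer_key, revoked_serials):
    b = (x509.CertificateRevocationListBuilder().issuer_name(issuer_cert.subject)
         .last_update(NOW).next_update(NOW + timedelta(days=7)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW).build())
    return b.sign(issuer_key, hashes.SHA256())

def build_ocsp_response(cert, issuer_cert, issuer_key, status):
    # signed directly by the issuing CA, as an intermediate's OCSP response usually is
    return (ocsp.OCSPResponseBuilder()
            .add_response(cert=cert, issuer=issuer_cert, algorithm=hashes.SHA256(), cert_status=status,
                          this_update=NOW, next_update=NOW + timedelta(days=1),
                          revocation_time=None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.NAME, issuer_cert)
            .sign(issuer_key, hashes.SHA256()))

def reconcile(cert, issuer_cert, crl, resp):
    """Return (crl_status, ocsp_status, consistent); both artifacts must verify against the issuer."""
    if not crl.is_signature_valid(issuer_cert.public_key()): raise ValueError("CRL not signed by issuer")
    issuer_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                    ec.ECDSA(resp.signature_hash_algorithm))  # raises InvalidSignature
    crl_status = "revoked" if crl.get_revoked_certificate_by_serial_number(cert.serial_number) else "good"
    ocsp_status = resp.certificate_status.name.lower()
    return crl_status, ocsp_status, crl_status == ocsp_status

def demo():
    # reproduces the thread's failure: the CRL lists the intermediate, yet OCSP answers "good"
    root_key, inter_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    root = issue_ca("Constructed Test Root", None, root_key, root_key, 1)
    inter = issue_ca("Constructed Test Intermediate CA", root, root_key, inter_key, 4242)
    crl = build_crl(root, root_key, [inter.serial_number])
    resp = build_ocsp_response(inter, root, root_key, ocsp.OCSPCertStatus.GOOD)
    return reconcile(inter, root, crl, resp)
```

Against real certificates, load the intermediate and issuer with `x509.load_pem_x509_certificate`, the CRL from the CRL distribution point and the OCSP response from the AIA responder, then call `reconcile` the same way.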


Re: misissued.com FYI

2019-01-29 Thread Alex Gaynor via dev-security-policy
Great idea:
https://github.com/alex/revocation-tracker/blob/master/backups/2019-01-27.dump

It's a standard postgresql database dump.

Alex

On Mon, Jan 28, 2019 at 11:01 AM Eric Mill wrote:

> Would you consider tossing the backup in a zip file in an S3 bucket or
> something, and sharing a link for the record here, for others finding this
> in the future?
>
> On Mon, Jan 28, 2019 at 10:05 AM Alex Gaynor via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> Hi All,
>>
>> For anyone using https://misissued.com/ I wanted to provide a quick FYI
>> about some database maintenance. The database was nearing its storage
>> capacity limit, and so I deleted all certificates from it that had expired
>> before 2019. The main consequence of this is that you can't use
>> misissued.com as a complete historical record anymore.
>>
>> I captured a database backup before doing this, so if anyone does want
>> that
>> data, it hasn't been completely lost.
>>
>> Cheers,
>> Alex
>>
>
>
> --
> Eric Mill
> 617-314-0966 | konklone.com | @konklone 
>


Re: Odp.: Odp.: Odp.: 46 Certificates issued with BR violations (KIR)

2019-01-29 Thread Kurt Roeckx via dev-security-policy

On 2019-01-29 1:29, Wayne Thayer wrote:

> Piotr just filed an incident report on the misissuance that was reported on
> 18-January: https://bugzilla.mozilla.org/show_bug.cgi?id=1523186


I guess this part is not very clear to me:

> We identified and removed from system the registration policy that
> issued the problematic certificate. The problematic policy template
> was not listed in policies allowed for Certificate Transparency
> logging but contained Signed Certificate Timestamp extension. The
> usage of such policy template should be blocked by the CT
> functionality. We had only one policy in such state.

I could read that as:
1) This certificate was not supposed to be logged in CT
2) The issuing should have been prevented

I assume 2) was meant.


Kurt