Re: Digicert issued certificate with Let's Encrypt's public key

Kurt Roeckx via dev-security-policy writes:

> Browsing crt.sh, I found this: https://crt.sh/?id=1902422627
>
> It's a certificate for api.pillowz.kz with the public key of Let's Encrypt
> Authority X1 and X3 CAs.

How could that have been issued? Since a (PKCS #10) request has to be self-signed, does this mean Digicert aren't validating signatures on requests?

Peter.

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: Digicert issued certificate with Let's Encrypt's public key

On Sat, May 16, 2020 at 10:11 AM Kurt Roeckx via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On Sat, May 16, 2020 at 10:04:24AM -0400, Andrew Ayer via dev-security-policy wrote:
> > On Sat, 16 May 2020 14:02:42 +0200 Kurt Roeckx via dev-security-policy wrote:
> > > https://crt.sh/?id=1902422627
> > >
> > > It's a certificate for api.pillowz.kz with the public key of Let's
> > > Encrypt Authority X1 and X3 CAs.
> > >
> > > It's revoked since 2020-01-31, but I couldn't find any incident
> > > report related to it.
> >
> > Hi Kurt,
> >
> > It's not obvious what's non-compliant about this certificate - could you
> > explain? Note that there is no requirement or security need for CAs to
> > validate proof of possession of a private key.
>
> I was under the impression that there was. But looking at the BRs,
> 3.2.1 is just empty.

Yeah, that's intentional, at least with regards to server certificates, as it is not necessary for such certificates. As Andrew mentioned, there are no requirements here and it's not a violation of any expectation, in the Baseline Requirements or in any Root Programs' policies.
Re: Digicert issued certificate with Let's Encrypt's public key

On Sat, May 16, 2020 at 10:04:24AM -0400, Andrew Ayer via dev-security-policy wrote:

> On Sat, 16 May 2020 14:02:42 +0200 Kurt Roeckx via dev-security-policy wrote:
> > https://crt.sh/?id=1902422627
> >
> > It's a certificate for api.pillowz.kz with the public key of Let's
> > Encrypt Authority X1 and X3 CAs.
> >
> > It's revoked since 2020-01-31, but I couldn't find any incident
> > report related to it.
>
> Hi Kurt,
>
> It's not obvious what's non-compliant about this certificate - could you
> explain? Note that there is no requirement or security need for CAs to
> validate proof of possession of a private key.

I was under the impression that there was. But looking at the BRs, 3.2.1 is just empty.

Kurt
Re: Digicert issued certificate with Let's Encrypt's public key

On Sat, 16 May 2020 14:02:42 +0200 Kurt Roeckx via dev-security-policy wrote:

> https://crt.sh/?id=1902422627
>
> It's a certificate for api.pillowz.kz with the public key of Let's
> Encrypt Authority X1 and X3 CAs.
>
> It's revoked since 2020-01-31, but I couldn't find any incident
> report related to it.

Hi Kurt,

It's not obvious what's non-compliant about this certificate - could you explain? Note that there is no requirement or security need for CAs to validate proof of possession of a private key. Therefore, it's entirely acceptable for a subscriber to request a certificate for someone else's public key, although the certificate would be useless to them.

Regards,
Andrew
Digicert issued certificate with Let's Encrypt's public key

Hi,

Browsing crt.sh, I found this: https://crt.sh/?id=1902422627

It's a certificate for api.pillowz.kz with the public key of Let's Encrypt Authority X1 and X3 CAs.

It's revoked since 2020-01-31, but I couldn't find any incident report related to it.

Kurt
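The two technical points in this thread, Peter's question of whether a PKCS #10 request's self-signature is checked (proof of possession) and Kurt's crt.sh observation of a leaf certificate carrying a CA's public key, can both be exercised in a few lines of Go using only the standard library. The program below is an added example and is not code from the thread, from Digicert or from Let's Encrypt. Everything in it is constructed in-process: a throwaway "Constructed Test CA", a subscriber key, and the hostname api.example.test. It shows (1) a CA-side proof-of-possession check accepting an honestly signed request and rejecting one whose SubjectPublicKeyInfo belongs to a key the signer does not hold, and (2) that without such a check a leaf can be issued over the CA's own public key, which a monitor can flag by comparing SPKI fingerprints (SHA-256 over the DER SubjectPublicKeyInfo, the value crt.sh indexes).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// SPKIFingerprint is SHA-256 over the DER SubjectPublicKeyInfo. Two certificates
// with equal fingerprints carry the same public key, which is how a crt.sh
// search surfaces a leaf that reuses a CA's key.
func SPKIFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// ProofOfPossessionOK is the check Peter asks about: the PKCS #10 request's
// signature must verify under the public key carried inside the request.
func ProofOfPossessionOK(csrDER []byte) bool {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return false
	}
	return csr.CheckSignature() == nil
}

// rawCSR mirrors the outer PKCS #10 layout (TBS, algorithm, signature) so the
// TBS bytes can be kept intact while only the signature is replaced.
type rawCSR struct {
	TBS       asn1.RawValue
	SigAlg    asn1.RawValue
	Signature asn1.BitString
}

// reSignCSR models a requester who does not hold the key named in the request:
// the TBS (with someone else's SubjectPublicKeyInfo) is left as-is and the
// signature is recomputed with a different P-256 key. Go emits
// ecdsa-with-SHA256 for P-256 requests, so the TBS is hashed with SHA-256.
// This exists only to exercise the proof-of-possession check above.
func reSignCSR(csrDER []byte, signer *ecdsa.PrivateKey) ([]byte, error) {
	var r rawCSR
	if _, err := asn1.Unmarshal(csrDER, &r); err != nil {
		return nil, err
	}
	digest := sha256.Sum256(r.TBS.FullBytes)
	sig, err := ecdsa.SignASN1(rand.Reader, signer, digest[:])
	if err != nil {
		return nil, err
	}
	r.Signature = asn1.BitString{Bytes: sig, BitLength: len(sig) * 8}
	return asn1.Marshal(r)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Scenario collects the outcomes of the constructed cases.
type Scenario struct {
	HonestPoPOK      bool // request signed with the key it carries
	ForeignKeyPoPOK  bool // request carrying the CA's key, signed with the subscriber's key
	LeafReusesCAKey  bool // leaf issued over the CA's own public key (the crt.sh case)
	LeafReusesSubKey bool // control: leaf issued over the subscriber's key
}

// BuildScenario generates a test CA and subscriber key in-process and runs both
// checks. All names and keys are constructed; nothing here is a real identity.
func BuildScenario() Scenario {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	subKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "api.example.test"},
		DNSNames: []string{"api.example.test"}} // constructed hostname
	honest := must(x509.CreateCertificateRequest(rand.Reader, req, subKey))
	// Request whose SPKI is the CA's key but whose signer only holds subKey.
	foreign := must(reSignCSR(must(x509.CreateCertificateRequest(rand.Reader, req, caKey)), subKey))

	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject: pkix.Name{CommonName: "Constructed Test CA"}, IsCA: true,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	// issue signs a leaf over whatever public key it is handed: no proof of
	// possession is enforced, so a leaf over the CA's own key issues fine.
	issue := func(serial int64, pub *ecdsa.PublicKey) *x509.Certificate {
		leaf := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: req.Subject,
			DNSNames: req.DNSNames, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature}
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leaf, caCert, pub, caKey))))
	}
	return Scenario{
		HonestPoPOK:      ProofOfPossessionOK(honest),
		ForeignKeyPoPOK:  ProofOfPossessionOK(foreign),
		LeafReusesCAKey:  SPKIFingerprint(issue(2, &caKey.PublicKey)) == SPKIFingerprint(caCert),
		LeafReusesSubKey: SPKIFingerprint(issue(3, &subKey.PublicKey)) == SPKIFingerprint(caCert),
	}
}

func main() {
	fmt.Printf("%+v\n", BuildScenario())
}
```

Running it prints HonestPoPOK true, ForeignKeyPoPOK false, LeafReusesCAKey true and LeafReusesSubKey false. The first two are the check a CA would apply if it chose to verify the request signature; the last two are the monitoring view, which is all a relying party or CT watcher has, since (as Andrew and the BRs say) issuance itself does not require proof of possession.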