Re: Certificate incident: private key leaked for wildcard certificate for *.sandbox.operations.dynamics.com

2017-12-09 Thread Ángel via dev-security-policy
On 2017-12-09 at 08:59 -0700, Wayne Thayer wrote:
> It can be confusing even for people following these things. That's where I
> think collecting problem reporting info from audited sub-CAs in CCADB would
> help.
> 
> For everyone else, finding the correct problem reporting information is
> mostly a matter of luck. Perhaps we should require an email address be
> included in the end-entity certificate? Unless that info was exposed in the
> browser, it would still be difficult to find, but at least it would then be
> in a consistent location.

Rather than an email, I think it should be a URL. That could be an email
through the use of mailto:, but I suspect CAs will find it preferable to
provide a web page where they explain what it is for, how to submit,
etc.

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: New undisclosed intermediates

2017-06-12 Thread Ángel via dev-security-policy
On 2017-06-08 at 04:31 -0700, richmoore44--- via dev-security-policy
wrote:
> This one is interesting since the domain name of the CRL resolves to an RFC 
> 1918 IP address. Surely that is a violation of the baseline requirements.
> 
> https://crt.sh/?sha256=b82210cde9ddea0e14be29af647e4b32f96ed2a9ef1aa5baa9cc64b38b6c01ca
> 
> Regards
> 
> Rich.


Nope. The domain name of the CRL (www.cert.fnmt.es.testa.eu) does not
resolve to an RFC 1918 IP address. It simply doesn't resolve.
10.0.1.10 is the DNS server used by crt.sh.



Re: New undisclosed intermediates

2017-06-11 Thread Ángel via dev-security-policy
On 2017-06-08 at 04:31 -0700, richmoore44--- via dev-security-policy
wrote:
> This one is interesting since the domain name of the CRL resolves to an RFC 
> 1918 IP address. Surely that is a violation of the baseline requirements.
> 
> https://crt.sh/?sha256=b82210cde9ddea0e14be29af647e4b32f96ed2a9ef1aa5baa9cc64b38b6c01ca
> 
> Regards
> 
> Rich.

Nope. The domain name of the CRL (www.cert.fnmt.es.testa.eu) is not
resolving to an RFC 1918 IP address. It plainly doesn't resolve.
10.0.1.10 is the DNS server used by crt.sh.


Rafa, can you take a look at this?

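A small checker for the distinction drawn in the reply above (a CRL distribution point host that returns no answer at all, versus one that actually resolves into RFC 1918 space), added here as an example and not part of the thread. The resolver mapping, the `example.test` hosts and the CRL path are constructed; only the FNMT hostname comes from the thread.

```python
from __future__ import annotations
import ipaddress
import socket
from urllib.parse import urlparse

# RFC 1918 ranges checked explicitly: ipaddress's is_private also covers
# loopback, link-local and other special-use blocks, which is not the BR point.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_NETS)

def system_resolve(host: str) -> list[str]:
    """Resolve with the system resolver; an empty list means no answer (e.g. NXDOMAIN)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []

def classify_crl_dp(url: str, resolve=system_resolve) -> tuple[str, str, list[str]]:
    """Return (host, verdict, addresses) for one CRL distribution point URL.
    verdict is 'unresolvable', 'rfc1918' or 'public'. The resolver's own address
    is never part of the answer set, so it cannot be mistaken for a result here."""
    host = urlparse(url).hostname
    if host is None:
        raise ValueError(f"no host in CRL DP URL: {url!r}")
    addrs = resolve(host)
    if not addrs:
        return host, "unresolvable", addrs
    if any(is_rfc1918(a) for a in addrs):
        return host, "rfc1918", addrs
    return host, "public", addrs

# Constructed stand-in for live DNS so the example runs offline. The FNMT host
# is deliberately absent, mirroring the thread: it returns no answer at all.
FAKE_DNS = {
    "crl.example.test": ["192.0.2.10"],         # documentation range, treated as public
    "crl.internal.example.test": ["10.1.2.3"],  # this one would be a BR problem
}
def fake_resolve(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])

if __name__ == "__main__":
    for u in ("http://www.cert.fnmt.es.testa.eu/example.crl",
              "http://crl.example.test/a.crl", "http://crl.internal.example.test/b.crl"):
        print(classify_crl_dp(u, fake_resolve))
```

Pass `system_resolve` (the default) instead of `fake_resolve` to run the same classification against live DNS.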