On 03/23/15 22:47, Richard Barnes wrote:
Dear dev.security.policy,
It has been discovered that an intermediate CA under the CNNIC root has
mis-issued certificates for some Google domains. Full details can be found
in blog posts by Google [0] and Mozilla [1]. We would like to discuss what
On 10/23/15 08:10, almo...@gmail.com wrote:
> On Wednesday, 21 October 2015, 22:43:15 (UTC+2), Charles Reiss
> wrote:
>> On 10/21/15 19:17, Kathleen Wilson wrote:
>>> FNMT has applied to include the "AC RAIZ FNMT-RCM" root certificate and
>>
On 10/26/15 15:57, rafa...@gmail.com wrote:
> On Wednesday, 21 October 2015, 22:43:15 (UTC+2), Charles Reiss
> wrote:
>> On 10/21/15 19:17, Kathleen Wilson wrote:
>>
>>
>> What are the apparent subCAs with CNs 'AC FNMT Usuarios'
>> [https://crt
On 10/28/15 21:30, Kathleen Wilson wrote:
> On 10/28/15 2:14 PM, Kathleen Wilson wrote:
>> Google has blogged about this:
>>
>> https://googleonlinesecurity.blogspot.com/2015/10/sustaining-digital-certificate-security.html
>>
>>
>
> All,
>
> We should discuss what actions Mozilla should require
On 11/04/15 00:24, Kathleen Wilson wrote:
> Topic to discuss [1]:
> “(D3) Make the timeline clear about when the audit statements and disclosure
> has
> to happen for new audited/disclosed subCAs.
>
> Section 10 of the Inclusion Policy says:
>
On 12/10/15 20:01, Kathleen Wilson wrote:
> This request is to include the "ComSign Global Root CA" root certificate, and
> enable the Websites and Email trust bits. This root will eventually replace
> the
> "ComSign CA" root certificate that is currently included in NSS, and was
> approved in
On 12/15/15 01:48, Peter Bowen wrote:
> On Mon, Dec 14, 2015 at 5:39 PM, Kathleen Wilson wrote:
>>
>> Another thing to consider in updating the policy is in regards to test
>> certificates versus certificates issued to customers.
>> e.g. Does the disclosure need to happen
On 12/14/15 17:56, Eli Spitzer wrote:
> The SubCA "Comsign Ev SSL CA" is at its initial development stages. It was
> indeed created under "Comsign Global Root CA", but so far we only issued a
> handful of test certificates from it. We have no plans to issue public
> certificates from it at the
On 11/19/15 23:09, Kathleen Wilson wrote:
> By the time version 2.3 of Mozilla’s CA Cert Policy is published, I hope to
> have
> issued a CA Community License to every included CA. Taking that into
> consideration; I propose changing the policy as follows.
>
[snip]
>
> As always, I will
Via censys.io, I found a couple SHA-1 certs with notBefore dates from this year
which chain to root CAs in Mozilla's program:
- https://crt.sh/?id=12089828 -- chains to Baltimore CyberTrust Root [DigiCert]
via subCA "Eurida Primary CA" via subCA "DnB NOR ASA PKI Class G"
Also, the OCSP responder
On 01/19/16 03:37, Charles Reiss wrote:
> On 01/19/16 03:23, Kurt Roeckx wrote:
>> On Tue, Jan 19, 2016 at 01:49:21AM +0000, Charles Reiss wrote:
>>> Via censys.io, I found a couple SHA-1 certs with notBefore dates from this
>>> year
>>> which chain to root CA
On 01/19/16 03:23, Kurt Roeckx wrote:
> On Tue, Jan 19, 2016 at 01:49:21AM +0000, Charles Reiss wrote:
>> Via censys.io, I found a couple SHA-1 certs with notBefore dates from this
>> year
>> which chain to root CAs in Mozilla's program:
>
> I also have some fro
On 02/05/16 20:13, martin.suc...@gmail.com wrote:
> Here's a list of all certificates with SHA-1 signatures and notBefore >=
> 2016-01-01, logged in the Certificate Transparency Log:
> https://crt.sh/?cablint=211=2016-01-01
Some notes on how these look as of now. The listed subCA CNs are:
- DOD
On 02/09/16 01:22, Kathleen Wilson wrote:
> This request is to include the ‘A-Trust-Root-05’ root certificate, turn
> on the Websites trust bit, and enable EV treatment. This new root
> certificate will replace the ‘A-Trust-nQual-03’ root certificate that
> was included via Bugzilla Bug #530797.
On 02/05/16 21:14, Ben Wilson wrote:
> Aren't all of these CA certificates?
The links in the '#' column are to lists of BR-noncompliant
certificates; the links in the 'Issuer Name' column are to information
about the issuing DN+public key of those certificates.
>
> -Original Message-
>
On 02/09/16 20:07, Kathleen Wilson wrote:
> This request by DocuSign (OpenTrust/Keynectis/Certplus) is to include
> the following root certificates, turn on the Websites and Email trust
> bits for all of them, and enable EV treatment for all of them. These new
> certs will eventually replace the
On 01/19/16 01:49, Charles Reiss wrote:
> Via censys.io, I found a couple SHA-1 certs with notBefore dates from this
> year
> which chain to root CAs in Mozilla's program:
[snip]
and even more, from different subCAs than have come up yet:
- https://crt.sh/?id=12501241=cablint --
On 02/23/16 18:57, Gervase Markham wrote:
[snip]
> Symantec may issue certificates to Worldpay if the following things are
> true:
Based on what's happened with MD5 certificates, it seems the main risk
of harm comes from something like a chosen-prefix collision attack using
a specially
On 01/19/16 11:49, Jakob Bohm wrote:
> On 19/01/2016 02:49, Charles Reiss wrote:
>> Via censys.io, I found a couple SHA-1 certs with notBefore dates from this
>> year
>> which chain to root CAs in Mozilla's program:
>>
>> - https://crt.sh/?id=12089828 -- ch
On 02/18/16 21:40, Erwann Abalea wrote:
> Good evening,
>
> On Wednesday, 10 February 2016 00:15:11 UTC+1, Charles Reiss wrote:
>> On 02/09/16 20:07, Kathleen Wilson wrote:
>>> This request by DocuSign (OpenTrust/Keynectis/Certplus) is to
>>> include the
On 02/12/16 14:26, Christoph Klein wrote:
> Dear All!
>
> Thank you for contributing to our discussion and illustrating some
> existing problems with our certificates. I would like to address the
> stated points separately.
[snip]
> * 20 Bits of Entropy: the Serialnumber included in the Subject of
On 03/15/16 22:43, kwil...@mozilla.com wrote:
> On Monday, March 14, 2016 at 5:28:32 PM UTC-7, Charles Reiss wrote:
>>> ACTION #1a: As previously communicated, CAs should no longer be
>>> issuing SHA-1 certificates chaining up to root certificates
>>> included in Mo
On 03/10/16 23:43, kwil...@mozilla.com wrote:
[snip]
> Regards,
>
> Kathleen Wilson Mozilla CA Program Manager
>
> ACTION #1a: As previously communicated, CAs should no longer be
> issuing SHA-1 certificates chaining up to root certificates included
> in Mozilla's CA Certificate Program. Check
On 03/03/16 19:48, Ryan Sleevi wrote:
> On Thursday, March 3, 2016 at 9:20:07 AM UTC-8, Andrew Ayer wrote:
>> It's also troubling that a CA may be allowed to continue issuing
>> non-serverAuth certs with SHA-1 from an issuer that is also used
>> for serverAuth certs. Again, a collision attack
On 03/30/16 20:53, Jeremy Rowley wrote:
> I think a required move away from SHA1 client certs requires a bit
> more planning.
>
> 1) There hasn't been a formal deprecation of all SHA-1 certificates
> in any root store policy. There has been a formal deprecation by the
> CAB Forum of SHA1 server
On 03/16/16 17:48, kwil...@mozilla.com wrote:
> On Wednesday, March 16, 2016 at 6:03:26 AM UTC-7, Jakob Bohm wrote:
>> On 16/03/2016 00:27, Charles Reiss wrote:
>>> On 03/15/16 22:43, kwilson wrote:
>>>> ACTION #1a: As previously communicated, CAs should n
On 03/22/16 16:33, kwil...@mozilla.com wrote:
> The following 'ACTION #1c' has been added to the communication, which
> is here: https://wiki.mozilla.org/CA:Communications#March_2016 and
> click on "Link to DRAFT of March 2016 CA Communication".
With the current wordings of #1a and #1b, if
- a CA
On 04/13/16 20:32, Kathleen Wilson wrote:
All,
I have added links to reports of the responses to the March 2016 CA
Communication survey:
https://wiki.mozilla.org/CA:Communications#March_2016_Responses
For question 1a, TeliaSonera indicated "2015 Oct 20", but the following
SHA-1 server
On 07/18/2017 11:57 AM, Hanno Böck wrote:
More dotdot-certificates:
[snip]
via searching censys.io:
https://crt.sh/?id=174803642
for *..syntaxafrica.com
Issued by GoDaddy in 2016; expires later this year, but revoked (CRL
timestamp says a few days after issuance)
On 07/17/2017 11:21 AM, Ben Wilson wrote:
Dear Jonathan,
Thank you for bringing this to our attention. We have contacted Intesa
Sanpaolo regarding this error and have asked them to correct it as soon as
possible.
Sincerely yours,
This CA also issued a recent certificate for the unqualified
On 07/19/17 05:10, Aaron Wu wrote:
- Tunisian Server Certificate Authority - TunServerCA2
https://crt.sh/?id=21813439 is a certificate issued by this CA which has
a domain name in the common name but only an email address in the SAN.
(The certificate has TLS server/client usage EKUs.)
On 07/19/2017 06:03 PM, Tom wrote:
Following that discovery, I've searched for odd (invalid?) DNS names.
Here is the list of certificates I've found; it may overlap some
discoveries already reported.
If I'm correct, these certificates are not revoked, not expired, and
probably trusted by Mozilla
On 07/19/2017 05:10 AM, Aaron Wu wrote:
- Tunisian Server Certificate Authority - TunServerCA2
https://crt.sh/?id=79470561=cablint is a certificate for the
internal name 'adv-mail.calladvance.local' issued by this CA with a
notBefore of 2017.