Re: Nation State MITM CA's ?

2019-07-22 Thread Han Yuwei via dev-security-policy
On Thursday, 7 January 2016 at 07:08:10 UTC+8, Paul Wouters wrote:
> As was in the news before, Kazakhstan has issued a national MITM
> Certificate Agency.
>
> Is there a policy on what to do with these? While they are not trusted,
> would it be useful to explicitly blacklist these, as to make it
> impossible to

Re: Does Heartbleed count for the purposes of BR 4.9.1.1 point 11? ("proven or demonstrated method")

2019-05-27 Thread Han Yuwei via dev-security-policy
On Monday, 27 May 2019 at 10:05:25 UTC+8, Matt Palmer wrote:
> On Sun, May 26, 2019 at 06:57:08PM -0700, Han Yuwei via dev-security-policy
> wrote:
> > If malloc() is correctly implemented, private keys are secure from
> > Heartbleed. So
> > I think it doesn't meet the criteria.

Re: Does Heartbleed count for the purposes of BR 4.9.11 point 11? ("proven or demonstrated method")

2019-05-26 Thread Han Yuwei via dev-security-policy
If malloc() is correctly implemented, private keys are secure from Heartbleed. So I think it doesn't meet the criteria. CAs can't revoke a certificate without notifying the subscriber in advance. But if any bugs are found in the future which can retrieve private keys from TLS endpoints, you can just use

Re: CAA record checking issue

2019-05-11 Thread Han Yuwei via dev-security-policy
This raises a question: how can a CA prove whether or not they did CAA checks at the time of issuance?

On Friday, 10 May 2019 at 10:05:36 UTC+8, Jeremy Rowley wrote:
> FYI, we posted this today:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1550645
>
> Basically we discovered an issue with our

Re: Reported Digicert key compromise but not revoked

2019-05-11 Thread Han Yuwei via dev-security-policy
Thanks for that. So now should I send another email to rev...@digicert.com or just wait for revocation? And who should I contact if this address doesn't work?

On Friday, 10 May 2019 at 08:26:09 UTC+8, Jeremy Rowley wrote:
> No argument from me there. We generally act on them no matter what.
> Typically any

Reported Digicert key compromise but not revoked

2019-05-09 Thread Han Yuwei via dev-security-policy
Hi m.d.s.p., I reported a key compromise incident to DigiCert by contacting support(at)digicert.com on Apr. 13, 2019 and got a reply the same day. But it seems this certificate is still valid. This certificate is a code signing certificate and is known for signing malware. So I am here to

Found something I can't understand in these certificates.

2017-08-01 Thread Han Yuwei via dev-security-policy
https://crt.sh/?id=7040227
https://crt.sh/?id=30328289

I am confused for these reasons:
1. The CNs of the two certificates are the same, so it was not necessary to issue two certificates in just 2 minutes.
2. The second one used SHA1, which is consistent with the BRs, but the first one used SHA256.
3. The first one has

Find a 5-year certificate

2017-05-09 Thread Han Yuwei via dev-security-policy
I have found this: https://crt.sh/?id=6885329 I don't know whether Mozilla has allowed a certificate to be valid for more than 39 months, so I am here to verify it. I searched on GitHub but found nothing. ___ dev-security-policy mailing list

Policy 2.5 Proposal: Indicate direction of travel with respect to permitted domain validation methods

2017-05-03 Thread Han Yuwei via dev-security-policy
A question: how would a domain holder express denial of certain certificate requests?

Symantec: Draft Proposal

2017-05-03 Thread Han Yuwei via dev-security-policy
So Mozilla thinks Symantec's issues are not serious enough to lose trust entirely?