Re: Possible violation of CAA by nazwa.pl

On Wednesday, 25 July 2018 21:08:59 UTC, michel.le...@gmail.com wrote: > Hello, > > My domain registrar who is also a certificate authority just issued a > precertificate (visible in CT logs) and a valid > certificate for my domain. This is part of their new offer to automatically > offer free

Re: 2018.03.12 Let's Encrypt Wildcard Certificate Encoding Issue

Le 15/03/2018 à 20:04, Wayne Thayer a écrit : This incident, and the resulting action to "integrate GlobalSign's certlint and/or zlint into our existing cert-checker pipeline" has been documented in bug 1446080 [1] This is further proof that pre-issuance TBS certificate linting (either by

Re: 2018.03.12 Let's Encrypt Wildcard Certificate Encoding Issue

> During final tests for the general availability of wildcard certificate support, the Let's Encrypt operations team issued six test wildcard certificates under our publicly trusted root: > > https://crt.sh/?id=353759994 > https://crt.sh/?id=353758875 > https://crt.sh/?id=353757861 >

Re: Trustico code injection

> Therefore, it is not unreasonable to assume that this key has been > compromised. So it means that any private keys generated on that website could be compromised: - If any third-party JS were compromised (and we know how insecure js-based ads are - last time it was a crypto miner on

Re: Certificate incident: private key leaked for wildcard certificate for *.sandbox.operations.dynamics.com

It can be confusing even for people following these things. That's where I think collecting problem reporting info from audited sub-CAs in CCADB would help. For everyone else, finding the correct problem reporting information is mostly a matter of luck. Perhaps we should require an email address

Re: Question on CAA processing for mixed wildcard and non-wildcard SAN DNS names

The thing is, extraneous names on a certificate present a subtle security flaw, even if control over those names was validated properly I agree, if the user is not fully aware of these addition, it can add subtle security flaw such as "virtual host confusion attacks" (

Re: Possible future re-application from WoSign (now WoTrus)

Nevertheless, WoTrus is (presumably) a commercial operation. Whoever owns that organization bought or built it with an expectation of at least the possibility of commercial success (profit). The organization's long term success requires inclusion in major root programs. For information,

Re: Certificate with invalid dnsName

Following that discovery, I've search for odd (invalid?) DNS names. Here is the list of certificated I've found, it may overlap some discovery already reported. If I'm correct, theses certificate are not revoked, not expired, and probably trusted by Mozilla (crt.sh issuer are marked trusted by

Re: Certificate with invalid dnsName issued from Baltimore intermediate

The "www..*" search is also intersting, I think: https://crt.sh/?dNSName=www..%25 crt.sh IDLogged At ⇧ Not Before IdentityIssuer Name 397448732016-10-02 2012-12-29 www..coinfling.com 386479982016-10-01 2011-03-24

Re: P-521

On 27 June 2017 at 11:44, Alex Gaynor via dev-security-policy wrote: > I'll take the opposite side: let's disallow it before it's use expands :-) > P-521 isn't great, and there's really no value in proliferation of crypto > algorithms, as someone told me: