Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

I think page 8 of their manual at least partially explains how and what "QuickInvite" is. The whole document is rather interesting... https://www.geotrust.com/geocenter/resources/partnercenter-user-guide.pdf On Saturday, April 1, 2017 at 6:01:23 AM UTC-4, Nick Lamb wrote: > On Friday, 31 March 2

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

On Friday, 31 March 2017 17:27:34 UTC+1, tarah.s...@gmail.com wrote: > I'm Tarah. I am the Principal Security Advocate and Senior Director of > Engineering at Symantec Website Security (the certificate authority. Hello Tarah, Regular readers of m.d.s.policy will not be surprised that the news m

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

Hi Daniel, We appreciate your additional input into determining the exact scope of this problem. On 31/03/17 19:37, Daniel Baxter (Aractus) wrote: > With all due respect this reply is the most ridiculous load of > nonsense I've ever read. However, please keep the tone civil. If it's nonsense, de

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

> On Mar 31, 2017, at 6:01 PM, Daniel Baxter via dev-security-policy > wrote: > > On Saturday, April 1, 2017 at 6:27:27 AM UTC+11, Jakob Bohm wrote: >> Oh, come on, if that's her job title, that's her job title, and at any >> CA, that is actually an important job that /someone/ should have. >

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

> > I don't know how to say this any other way - but that's unbelievably > sloppy. That's like saying you'll let your customers email their credit > card numbers to you. You don't put anything that sensitive into an email > address, ever. Any time I get a password emailed to me I change it > immedi

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

On Saturday, April 1, 2017 at 6:51:30 AM UTC+11, Vincent Lynch wrote: > > It is simply a bug, related to an OID included in the certificate. This has > been documented by Chrome > . OK, I'll update that, thanks.

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

On Saturday, April 1, 2017 at 6:27:27 AM UTC+11, Jakob Bohm wrote: > Oh, come on, if that's her job title, that's her job title, and at any > CA, that is actually an important job that /someone/ should have. I meant the content of her reply, not her job title. > Unfortunately, when initially esta

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

On Friday, March 31, 2017 at 4:03:45 PM UTC-7, mono...@gmail.com wrote: > Maybe I'm alone in this but, while entertaining, I'm taken aback a bit if > this is official Symantec communication in a forum like m.d.s.p. I don't do the official Symantec public relations responses. There's a channel fo

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

Maybe I'm alone in this but, while entertaining, I'm taken aback a bit if this is official Symantec communication in a forum like m.d.s.p. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

> > Yeah OK, I got a few things wrong on my blog post, I can fix that shortly. > It's no big deal. At least I'm informing people about security - claiming > that we're just "looking for hits" is ridiculous. Most people pay no > attention to security, I can't speak for others but I'm trying to

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

> > Finally, what have you actually done to address EV revocation? You clearly > didn't bother to tell Commonwealth Bank: > > https://www.commbank.com.au/ > > One of the largest banks in Australia that their EV status would evaporate > in Chrome. So what did you do to inform your customers about th

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

> Yep, but there must have been an API (at some level) for generating or > processing the QuickInvite URL. That was what I was suggesting might > have been the issue. So, it's hard for me to answer this question because I didn't see any POC, but 1) it's not physically possible for private keys

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

On 31/03/2017 19:31, tarah.syman...@gmail.com wrote: On Friday, March 31, 2017 at 9:51:03 AM UTC-7, Jakob Bohm wrote: Dear Tarah, Below some friendly speculation as to what the parts that some bloggers claimed was included (if those claims were somehow true) might have been (i.e. where *you* mi

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

On Friday, March 31, 2017 at 9:51:03 AM UTC-7, Jakob Bohm wrote: > Dear Tarah, > > Below some friendly speculation as to what the parts that some bloggers > claimed was included (if those claims were somehow true) might have > been (i.e. where *you* might look for it in internal Symantec > systems

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

Right. It is then. It says private keys can only be stored with permission of the subscriber and encryption must always be used to transfer them. And of course the certificate must be revoked if/when it becomes known that a private key has gotten to the wrong person. Well... NOT my private key

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.2.pdf Section 6.1.2 On Wed, Mar 29, 2017 at 3:22 AM, okaphone.elektronika--- via dev-security-policy wrote: > Weird. > > I expect there are no requirements for a CA to keep other people's private > keys safe. After all handling tho

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

* Nick Lamb via dev-security-policy: > In order for Symantec to reveal anybody's private keys they'd first > need to have those keys, which is already, IIRC forbidden in the > BRs. I think this requirement was dropped because it makes it unnecessarily difficult to report key compromises. There u

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

Weird. I expect there are no requirements for a CA to keep other people's private keys safe. After all handling those is definitely not part of being a CA. ;-) CU Hans ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://l

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

Nick Lamb via dev-security-policy writes: >In order for Symantec to reveal anybody's private keys they'd first need to >have those keys That's standard practice for many CAs, they generate the key and certificate for you and email it to you as a PKCS #12. It seems to be more common among lesse

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

On Tuesday, March 28, 2017 at 3:46:05 PM UTC-4, Nick Lamb wrote: > In order for Symantec to reveal anybody's private keys they'd first need to > have those keys, which is already, IIRC forbidden in the BRs. So even proof > that Symantec routinely had these keys is a big deal. >From what I can te

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

On Tuesday, March 28, 2017 at 11:08:08 PM UTC-4, uri...@gmail.com wrote: > For what it's worth, this is the latest post on facebook from the researcher. > https://www.facebook.com/cbyrneiv/posts/10155129935452436 > > The private key storage issue sounds like a reseller tool, like > https://www.the