-
From: dev-security-policy On
Behalf Of Jakob Bohm via dev-security-policy
Sent: Monday, April 15, 2019 4:58 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Arabtec Holding public key? [Weird Digicert issued cert]
Thanks for the explanation.
Is it possible
According to Jeremy (see below), that was not the situation.
On 15/04/2019 14:09, Man Ho wrote:
I don't think that it's trivial for less-skilled user to obtain the CSR
of "DigiCert Global Root G2" certificate and posting it in the request
of another certificate, right?
On 15-Apr-19 6:57 PM,
gt; On Behalf Of Wayne
>> Thayer via dev-security-policy
>> Sent: Friday, April 12, 2019 10:39 AM
>> To: Jakob Bohm
>> Cc: mozilla-dev-security-policy
>>
>> Subject: Re: Arabtec Holding public key? [Weird Digicert issued cert]
>>
>> It's not clear
-policy
Subject: Re: Arabtec Holding public key? [Weird Digicert issued cert]
It's not clear that there is anything for DigiCert to respond to. Are we
asserting that the existence of this Arabtec certificate is proof that DigiCert
violated section 3.2.1 of their CPS?
- Wayne
On Thu, Apr 11, 2019
On Fri, 12 Apr 2019 16:56:23 +
Jeremy Rowley via dev-security-policy
wrote:
> I don't mind filling in details.
>
> We have a system that permits creation of certificates without a CSR
> that works by extracting the key from an existing cert, validating
> the domain/org information, and
riday, April 12, 2019 10:56 AM
To: Wayne Thayer mailto:wtha...@mozilla.com> >; Jakob
Bohm mailto:jb-mozi...@wisemo.com> >
Cc: mozilla-dev-security-policy mailto:mozilla-dev-security-pol...@lists.mozilla.org> >
Subject: RE: Arabtec Holding public key? [Weird Digicert issu
v-security-policy <
> mozilla-dev-security-pol...@lists.mozilla.org>
> Subject: RE: Arabtec Holding public key? [Weird Digicert issued cert]
>
> I don't mind filling in details.
>
> We have a system that permits creation of certificates without a CSR that
> works by
To: Wayne Thayer ; Jakob Bohm
Cc: mozilla-dev-security-policy
Subject: RE: Arabtec Holding public key? [Weird Digicert issued cert]
I don't mind filling in details.
We have a system that permits creation of certificates without a CSR that works
by extracting the key from an existing cert
so far).
-Original Message-
From: dev-security-policy On
Behalf Of Wayne Thayer via dev-security-policy
Sent: Friday, April 12, 2019 10:39 AM
To: Jakob Bohm
Cc: mozilla-dev-security-policy
Subject: Re: Arabtec Holding public key? [Weird Digicert issued cert]
It's not clear
It's not clear that there is anything for DigiCert to respond to. Are we
asserting that the existence of this Arabtec certificate is proof that
DigiCert violated section 3.2.1 of their CPS?
- Wayne
On Thu, Apr 11, 2019 at 6:57 PM Jakob Bohm via dev-security-policy <
On 11/04/2019 04:47, Santhan Raj wrote:
On Wednesday, April 10, 2019 at 5:53:45 PM UTC-7, Corey Bonnell wrote:
On Wednesday, April 10, 2019 at 7:41:33 PM UTC-4, Nick Lamb wrote:
(Resending after I typo'd the ML address)
At the risk of further embarrassing myself in the same week, while
True, we don't know their intentions but we can at least assume they would
need private keys to use said certificates with any properly implemented
user agent.
Ryan Hurst
(personal capacity)
On Thu, Apr 11, 2019 at 6:12 PM Peter Gutmann
wrote:
> admin--- via dev-security-policy
> writes:
>
>
admin--- via dev-security-policy writes:
>The risk here, of course, is low in that having a certificate you do not
>control a key for doesn't give you the ability to do anything.
As far as we know. Presumably someone has an interesting (mis)use for it
otherwise they wouldn't have bothered
Unfortunately, the BRs make no stipulation on how Proof of Possession is done
(https://github.com/cabforum/documents/blob/master/docs/BR.md#321-method-to-prove-possession-of-private-key).
Most CAs, in my experience, simply treat the signature on the CSR as sufficient
to demonstrate control of a
在 2019年4月11日星期四 UTC+8上午7:41:33,Nick Lamb写道:
> (Resending after I typo'd the ML address)
>
> At the risk of further embarrassing myself in the same week, while
> working further on mimicking Firefox trust decisions I found this
> pre-certificate for Arabtec Holding PJSC:
>
>
On Wednesday, April 10, 2019 at 5:53:45 PM UTC-7, Corey Bonnell wrote:
> On Wednesday, April 10, 2019 at 7:41:33 PM UTC-4, Nick Lamb wrote:
> > (Resending after I typo'd the ML address)
> >
> > At the risk of further embarrassing myself in the same week, while
> > working further on mimicking
(Resending after I typo'd the ML address)
At the risk of further embarrassing myself in the same week, while
working further on mimicking Firefox trust decisions I found this
pre-certificate for Arabtec Holding PJSC:
https://crt.sh/?id=926433948
Now there's nothing especially strange about this
17 matches
Mail list logo