Re: Certificate for com and it

2018-02-08 Thread Ryan Sleevi via dev-security-policy
On Thu, Feb 8, 2018 at 3:14 PM, Hanno Böck via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> On Thu, 8 Feb 2018 15:50:08 +
> Gervase Markham via dev-security-policy wrote:
>
> > In this case, the certificates are revoked in

Re: Certificate for com and it

2018-02-08 Thread Hanno Böck via dev-security-policy
On Thu, 8 Feb 2018 15:50:08 + Gervase Markham via dev-security-policy wrote:
> In this case, the certificates are revoked in Firefox via OneCRL and
> Chrome via CRLSets (AIUI) and so the revocations are guaranteed to be
> noticed.
Hi Gerv,
Independent

Re: Certificate for com and it

2018-02-08 Thread Wayne Thayer via dev-security-policy
On Thu, Feb 8, 2018 at 8:54 AM, Rob Stradling via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> On 08/02/18 15:50, Gervase Markham via dev-security-policy wrote:
>
>> On 08/02/18 13:47, Hanno Böck wrote:
>>
>> OneCRL additions normally have an associated bug but I can't

Re: Certificate for com and it

2018-02-08 Thread Rob Stradling via dev-security-policy
On 08/02/18 15:50, Gervase Markham via dev-security-policy wrote:
> On 08/02/18 13:47, Hanno Böck wrote:
> > Is a revoked intermediate cert a license for operating a yolo CA that
> > signs everything? Given the fragility of revocation checking I'd find
> > that a problematic precedent.
> In this case, the

Re: Certificate for com and it

2018-02-08 Thread Gervase Markham via dev-security-policy
On 08/02/18 13:47, Hanno Böck wrote:
> Is a revoked intermediate cert a license for operating a yolo CA that
> signs everything? Given the fragility of revocation checking I'd find
> that a problematic precedent.
In this case, the certificates are revoked in Firefox via OneCRL and Chrome via

Re: Certificate for com and it

2018-02-08 Thread Hanno Böck via dev-security-policy
Hi,
On Tue, 6 Feb 2018 16:56:48 +0100 Kurt Roeckx via dev-security-policy wrote:
> I should probably be more clear, the certificates of the CA have been
> revoked.
I'm wondering what that means. Is a revoked intermediate cert a license for operating a yolo

Re: Certificate for com and it

2018-02-06 Thread Kurt Roeckx via dev-security-policy
On 6/02/2018 16:52, Kurt Roeckx wrote:
> On 6/02/2018 12:20, Hanno Böck wrote:
> > Issuer is "Intesa Sanpaolo CA Servizi Esterni Enhanced", which is a
> > subca of Baltimore Cybertrust, which belongs to Digicert.
> That certificate is revoked, not trusted by Mozilla or Chrome.
I should probably be more

Re: Certificate for com and it

2018-02-06 Thread Kurt Roeckx via dev-security-policy
On 6/02/2018 12:20, Hanno Böck wrote:
> Issuer is "Intesa Sanpaolo CA Servizi Esterni Enhanced", which is a
> subca of Baltimore Cybertrust, which belongs to Digicert.
That certificate is revoked, not trusted by Mozilla or Chrome.
Kurt

Certificate for com and it

2018-02-06 Thread Hanno Böck via dev-security-policy
This certificate https://crt.sh/?id=282908507 is issued for the names "com" and "it". It also contains other suspicious hostnames:
sip.fideuram
sip.consule
sip.consultant.fideura
I don't think these TLDs exist. Issuer is "Intesa Sanpaolo CA Servizi Esterni Enhanced", which is a subca of