Re: How do you handle mass revocation requests?

2018-03-01 Thread Ryan Sleevi via dev-security-policy
On Thu, Mar 1, 2018 at 10:31 AM, Nick Lamb via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Thu, 1 Mar 2018 10:51:04 + > Ben Laurie via dev-security-policy > wrote: > > > Seems to me that signing something that has nothing to

Re: How do you handle mass revocation requests?

2018-03-01 Thread Ryan Duff via dev-security-policy
On Thursday, March 1, 2018 at 11:08:58 AM UTC-5, RSTS wrote: > On Thursday, March 1, 2018 at 1:51:16 PM UTC, Michel Gre wrote: > > > I'd postulate there's > > > nothing wrong with Trustico holding the private keys if they were hosting > > > the site or providing CDN services for all of these

Re: How do you handle mass revocation requests?

2018-03-01 Thread RSTS via dev-security-policy
On Thursday, March 1, 2018 at 1:51:16 PM UTC, Michel Gre wrote: > > I'd postulate there's > > nothing wrong with Trustico holding the private keys if they were hosting > > the site or providing CDN services for all of these sites. > > I manage one of the affected domains. I can tell that in no

Re: How do you handle mass revocation requests?

2018-03-01 Thread Nick Lamb via dev-security-policy
On Thu, 1 Mar 2018 10:51:04 + Ben Laurie via dev-security-policy wrote: > Seems to me that signing something that has nothing to do with certs > is a safer option - e.g. sign random string+Subject DN. That does sounds sane, I confess I have not spent

Re: How do you handle mass revocation requests?

2018-03-01 Thread nic.swart--- via dev-security-policy
I agree with Eric, I would call storing the customers private keys (without their knowledge!!) as an immediate compromise and a clear breach of trust. On Thursday, March 1, 2018 at 1:04:54 AM UTC+1, Eric Mill wrote: > Trustico doesn't seem to provide any hosting or CDN services that would > make

RE: How do you handle mass revocation requests?

2018-03-01 Thread Michel Gre via dev-security-policy
> I'd postulate there's > nothing wrong with Trustico holding the private keys if they were hosting > the site or providing CDN services for all of these sites. I manage one of the affected domains. I can tell that in no way does Trustico hosts the site, nor provide us any CDN service. We just

Re: How do you handle mass revocation requests?

2018-03-01 Thread Rob Stradling via dev-security-policy
On 01/03/18 10:51, Ben Laurie via dev-security-policy wrote: On 28 February 2018 at 21:37, Nick Lamb via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: On Wed, 28 Feb 2018 20:03:51 + Jeremy Rowley via dev-security-policy wrote:

Re: How do you handle mass revocation requests?

2018-03-01 Thread Ben Laurie via dev-security-policy
On 28 February 2018 at 21:37, Nick Lamb via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Wed, 28 Feb 2018 20:03:51 + > Jeremy Rowley via dev-security-policy > wrote: > > > The keys were emailed to me. I'm trying to get a

Re: How do you handle mass revocation requests?

2018-03-01 Thread Ben Laurie via dev-security-policy
lt;r...@sleevi.com> > Sent: Wednesday, February 28, 2018 11:58 AM > To: Jeremy Rowley <jeremy.row...@digicert.com> > Cc: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: How do you handle mass revocation requests? > > > > > > > > On Wed,

Re: How do you handle mass revocation requests?

2018-02-28 Thread Eric Mill via dev-security-policy
Trustico doesn't seem to provide any hosting or CDN services that would make use of the private key, nor do they appear to explicitly inform users about the storage of this private key. In their statement, they say they keep the private keys explicitly to perform revocation as necessary:

Re: How do you handle mass revocation requests?

2018-02-28 Thread Matthew Hardeman via dev-security-policy
On Wednesday, February 28, 2018 at 4:44:50 PM UTC-6, Jeremy Rowley wrote: > 1) Not all of the certificates being revoked use the Symantec hierarchy. > There are some certs that use the DigiCert replacement hierarchy. Not many > though. > 2) Sorry my wording was strange. It almost always is. What

RE: How do you handle mass revocation requests?

2018-02-28 Thread Jeremy Rowley via dev-security-policy
ert@lists.mozilla.org> On Behalf Of Matthew Hardeman via dev-security-policy Sent: Wednesday, February 28, 2018 3:23 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: How do you handle mass revocation requests? On Wednesday, February 28, 2018 at 3:55:37 PM UTC-6, Ryan Duff wrote: > &

Re: How do you handle mass revocation requests?

2018-02-28 Thread Ryan Sleevi via dev-security-policy
On Wed, Feb 28, 2018 at 5:23 PM, Matthew Hardeman via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Wednesday, February 28, 2018 at 3:55:37 PM UTC-6, Ryan Duff wrote: > > >From what I've read, it appears the situation here is that Trustico > wanted to revoke all their

Re: How do you handle mass revocation requests?

2018-02-28 Thread Matthew Hardeman via dev-security-policy
On Wednesday, February 28, 2018 at 3:55:37 PM UTC-6, Ryan Duff wrote: > >From what I've read, it appears the situation here is that Trustico wanted > >to revoke all their customer certs from Digicert so they could do a mass > >migration to another CA (which is not a proper reason to revoke).

Re: [cabfpub] How do you handle mass revocation requests?

2018-02-28 Thread Ryan Sleevi via dev-security-policy
.org<mailto:pu > b...@cabforum.org>> > Subject: RE: [cabfpub] How do you handle mass revocation requests? > > Here’s 10 CSRs that people can correlate with the CT logs. I’ll create > another 100 or so to dispel any doubt. > >

Re: How do you handle mass revocation requests?

2018-02-28 Thread Jeremy Rowley via dev-security-policy
bounces+jeremy.rowley=digicert@lists.mozilla.org> On Behalf Of urijah--- via dev-security-policy Sent: Wednesday, February 28, 2018 2:24 PM To: mozilla-dev-security-pol...@lists.mozilla.org<mailto:mozilla-dev-security-pol...@lists.mozilla.org> Subject: Re: How do you handle mass revoc

Re: How do you handle mass revocation requests?

2018-02-28 Thread Ryan Duff via dev-security-policy
>From what I've read, it appears the situation here is that Trustico wanted to >revoke all their customer certs from Digicert so they could do a mass >migration to another CA (which is not a proper reason to revoke). When asked >for proof by Digicert that the certificates were compromised and

Re: How do you handle mass revocation requests?

2018-02-28 Thread jomo via dev-security-policy
urijah--- via dev-security-policy > Sent: Wednesday, February 28, 2018 2:24 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: How do you handle mass revocation requests? > > Is Trustico's storage of private keys related to this security report from a

Fwd: [cabfpub] How do you handle mass revocation requests?

2018-02-28 Thread Jeremy Rowley via dev-security-policy
gt;, Geoff Keating <geo...@apple.com<mailto:geo...@apple.com>> Cc: CA/Browser Forum Public Discussion List <pub...@cabforum.org<mailto:pub...@cabforum.org>> Subject: RE: [cabfpub] How do you handle mass revocation requests? Here’s 10 CSRs that people can correlate with the C

RE: How do you handle mass revocation requests?

2018-02-28 Thread Jeremy Rowley via dev-security-policy
Subject: Re: How do you handle mass revocation requests? On Wed, 28 Feb 2018 20:03:51 + Jeremy Rowley via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > The keys were emailed to me. I'm trying to get a project together > where we self-sign a cert with each

RE: How do you handle mass revocation requests?

2018-02-28 Thread Jeremy Rowley via dev-security-policy
Message- From: dev-security-policy <dev-security-policy-bounces+jeremy.rowley=digicert@lists.mozilla.org> On Behalf Of urijah--- via dev-security-policy Sent: Wednesday, February 28, 2018 2:24 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: How do you handle mass revo

Re: How do you handle mass revocation requests?

2018-02-28 Thread Ryan Sleevi via dev-security-policy
On Wed, Feb 28, 2018 at 4:23 PM, urijah--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Is Trustico's storage of private keys related to this security report from > a few months back (which did not appear to ever have been fully > investigated...)? > It was fully

Re: How do you handle mass revocation requests?

2018-02-28 Thread Nick Lamb via dev-security-policy
On Wed, 28 Feb 2018 20:03:51 + Jeremy Rowley via dev-security-policy wrote: > The keys were emailed to me. I'm trying to get a project together > where we self-sign a cert with each of the keys and publish them. > That way there's evidence to the

Re: How do you handle mass revocation requests?

2018-02-28 Thread urijah--- via dev-security-policy
Is Trustico's storage of private keys related to this security report from a few months back (which did not appear to ever have been fully investigated...)? https://groups.google.com/d/msg/mozilla.dev.security.policy/CEww8w9q2zE/F_bzX1guCQAJ Does Digicert have (or will it have) some sort of

RE: How do you handle mass revocation requests?

2018-02-28 Thread kevin.beaumont--- via dev-security-policy
It’s absolutely incredible that Trustico has 23k private keys, and just attached them to an email. This suggests serious flaws in the CA/reseller relationship. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org

Re: How do you handle mass revocation requests?

2018-02-28 Thread Matthew Hardeman via dev-security-policy
Did this whole thing start because someone at Trustico wanted to accelerate the process of getting their resold Symantec certificates reissued under a DigiCert trust path? And somehow some misinformed soul imagined creating a revocation crisis would somehow help achieve that goal without

Re: How do you handle mass revocation requests?

2018-02-28 Thread Matthew Hardeman via dev-security-policy
I would echo Mr. Gaynor's point. While it's perhaps a pedantic distinction, the private keys are definitely compromised now and were the moment that Trustico provided the keys to Digicert, even if Trustico is defined to be the original authorized recipient. The CA is explicitly not to be in

Re: How do you handle mass revocation requests?

2018-02-28 Thread Ryan Hurst via dev-security-policy
On Wednesday, February 28, 2018 at 11:56:04 AM UTC-8, Ryan Sleevi wrote: > Assuming Trustico sent the keys to DigiCert, it definitely sounds like even > if Trustico was authorized to hold the keys (which is a troubling argument, > given all things), they themselves compromised the keys of their

RE: How do you handle mass revocation requests?

2018-02-28 Thread Jeremy Rowley via dev-security-policy
12:38 PM To: Wayne Thayer <wtha...@mozilla.com> Cc: timx84...@gmail.com; mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org> Subject: Re: How do you handle mass revocation requests? On Wed, Feb 28, 2018 at 11:29 AM, Wayne Thayer via dev-security-policy &l

Re: How do you handle mass revocation requests?

2018-02-28 Thread Ryan Sleevi via dev-security-policy
On Wed, Feb 28, 2018 at 2:40 PM, Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > The end user agreed to the subscriber agreement, not Trustico. Our > analysis follows what Peter B. posted – the subscriber is the “natural > person or Legal Entity to whom a

RE: How do you handle mass revocation requests?

2018-02-28 Thread Jeremy Rowley via dev-security-policy
t: Re: How do you handle mass revocation requests? On Wed, Feb 28, 2018 at 12:37 PM, Jeremy Rowley via dev-security-policy <dev-security-policy@lists.mozilla.org <mailto:dev-security-policy@lists.mozilla.org> > wrote: On February 2nd, 2018, we received a request fro

Re: How do you handle mass revocation requests?

2018-02-28 Thread Peter Bowen via dev-security-policy
On Wed, Feb 28, 2018 at 11:29 AM, Wayne Thayer via dev-security-policy wrote: > On Wed, Feb 28, 2018 at 12:13 PM, timx84039--- via dev-security-policy > wrote: > >> >> Regarding to our investigation they were only

Re: How do you handle mass revocation requests?

2018-02-28 Thread Alex Gaynor via dev-security-policy
I would say that at the point that Trustico emailed them to DigiCert they necessarily became compromised -- while Trustico may (or may not) have been authorized to escrowing the keys by the subscriber, the subscriber did not authorize them to be emailed around, presumably. Alex On Wed, Feb 28,

Re: How do you handle mass revocation requests?

2018-02-28 Thread Wayne Thayer via dev-security-policy
On Wed, Feb 28, 2018 at 12:13 PM, timx84039--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > Regarding to our investigation they were only able to send the private > keys for those certificates where the CSR / private key pair were generated > within their online

RE: How do you handle mass revocation requests?

2018-02-28 Thread Jeremy Rowley via dev-security-policy
Bowen <pzbo...@gmail.com> Sent: Wednesday, February 28, 2018 12:14 PM To: Jeremy Rowley <jeremy.row...@digicert.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: How do you handle mass revocation requests? On Wed, Feb 28, 2018 at 9:37 AM, Jeremy Rowley via dev-security-

RE: How do you handle mass revocation requests?

2018-02-28 Thread John Merrill via dev-security-policy
To: google.mana...@trustico.com; mozilla-dev-security-pol...@lists.mozilla.org Subject: RE: How do you handle mass revocation requests? I believe transparency is the best policy. I think it'd be helpful to the community if we could post the email exchange about the revocation. We can redact

RE: How do you handle mass revocation requests?

2018-02-28 Thread Jeremy Rowley via dev-security-policy
la.org Subject: How do you handle mass revocation requests? Jeremy, Today many of our customers experienced lengthy delays when attempting to contact us via phone, e-mail and live chat. The reason for the delays were due to an unexpected e-mail that DigiCert sent to our customers containin

Re: How do you handle mass revocation requests?

2018-02-28 Thread timx84039--- via dev-security-policy
We have purchased thousands of certificates using Trustico as a reseller within the last years. Back in these days Trustico created CSR / Private Key pair within their online platform (Yes, you read it right - you can create CSR/Private Key on their webpage !!!) which was the default at this

Re: How do you handle mass revocation requests?

2018-02-28 Thread Peter Bowen via dev-security-policy
On Wed, Feb 28, 2018 at 9:37 AM, Jeremy Rowley via dev-security-policy wrote: > Once we were alerted, the team kicked > off a debate that I wanted to bring to the CAB Forum. Basically, our > position is that resellers do not constitute subscribers under the

Re: How do you handle mass revocation requests?

2018-02-28 Thread Ryan Sleevi via dev-security-policy
On Wed, Feb 28, 2018 at 12:37 PM, Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On February 2nd, 2018, we received a request from Trustico to mass revoke > all certificates that had been ordered by end users through Trustico. > Unfortunately, the email

How do you handle mass revocation requests?

2018-02-28 Thread google.manager--- via dev-security-policy
Jeremy, Today many of our customers experienced lengthy delays when attempting to contact us via phone, e-mail and live chat. The reason for the delays were due to an unexpected e-mail that DigiCert sent to our customers containing some inaccurate information. We were not informed that the

Re: How do you handle mass revocation requests?

2018-02-28 Thread Nick Lamb via dev-security-policy
On Wed, 28 Feb 2018 17:37:25 + Jeremy Rowley via dev-security-policy wrote: > Hi everyone, > On February 2nd, 2018, we received a request from Trustico to mass > revoke all certificates that had been ordered by end users through > Trustico. Is this

Re: How do you handle mass revocation requests?

2018-02-28 Thread Tom Ritter via dev-security-policy
On 28 February 2018 at 11:37, Jeremy Rowley via dev-security-policy wrote: > What kind of transparency would the Mozilla community like around this > issue? There aren't many more facts than I shared above, but there is a lot > of speculation. Let me know

How do you handle mass revocation requests?

2018-02-28 Thread Jeremy Rowley via dev-security-policy
Hi everyone, I wanted to share an incident report regarding the revocation of certain certificates ordered through a reseller. On February 2nd, 2018, we received a request from Trustico to mass revoke all certificates that had been ordered by end users through Trustico. Unfortunately, the