On 2019-03-04 20:23, Jeremy Rowley via dev-security-policy wrote:
2) Of the 3,000, the only certificate we found where the scope was not set
to be the scope of the WHOIS document was the one reported by Cynthia.
That is good to hear :)
- Cynthia
in-addr.arpa was not blocked.
Thanks!
Jeremy
-Original Message-
From: dev-security-policy On
Behalf Of Cynthia Revström via dev-security-policy
Sent: Saturday, March 2, 2019 1:46 AM
To: George Macon
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Possible DigiCert in-addr.arpa Mis
On 02/03/2019 08:45, Cynthia Revström wrote:
On 2019-03-02 01:49, George Macon via dev-security-policy wrote:
One specific question on this point: Why did the software permit setting
the approval scope to a public suffix (as defined by inclusion on the
public suffix list)? Could validation
On 2019-03-02 01:49, George Macon via dev-security-policy wrote:
One specific question on this point: Why did the software permit setting
the approval scope to a public suffix (as defined by inclusion on the
public suffix list)? Could validation agent action set the approval
scope to some other
On 2/28/19 12:52 AM, Jeremy Rowley wrote:
> 4. The validation agent specified the approval scope as id-addr.arpa which is
> normal for a domain approved by the admin listed in WHOIS. As a constructed
> email, the approval scope should have been limited to the scope set by the
> constructed
Thanks Wayne
From: Wayne Thayer
Sent: Friday, March 1, 2019 10:00 AM
To: Jeremy Rowley
Cc: mozilla-dev-security-policy
Subject: Re: Possible DigiCert in-addr.arpa Mis-issuance
https://bugzilla.mozilla.org/show_bug.cgi?id=1531817 has been created to track
this issue.
On Wed, Feb 27
>
> -Original Message-
> From: dev-security-policy
> On Behalf Of Cynthia Revström via dev-security-policy
> Sent: Tuesday, February 26, 2019 4:17 PM
> To: Matthew Hardeman
> Cc: dev-security-policy@lists.mozilla.org; b...@benjojo.co.uk
> Subject: Re: Possible Digi
On 01/03/2019 01:04, Matthew Hardeman wrote:
> In addition to the GDPR concerns over WHOIS and RDAP data, reliance upon
> these data sources has a crucial differentiation from other domain
> validation methods.
>
> Specifically, the WHOIS/RDAP data sources are entirely "off-path" with
> respect
On Wednesday, February 27, 2019 at 8:54:35 AM UTC-6, Jakob Bohm wrote:
> One hypothetical use would be to secure BGP traffic, as certificates
> with IpAddress SANs are less commonly supported.
The networking / interconnection world has already worked out the trust
hierarchy for the RPKI scheme.
In addition to the GDPR concerns over WHOIS and RDAP data, reliance upon
these data sources has a crucial differentiation from other domain
validation methods.
Specifically, the WHOIS/RDAP data sources are entirely "off-path" with
respect to how a browser will locate and access a given site. To
>
> I believe the list was merely a crt.sh query of all unexpired certificates
> with a dNSName ending in "in-addr.arpa":
> https://crt.sh/?dNSName=%25.in-addr.arpa=expired
Any list for this general issue should also consider unexpired certificates
with a dNSName ending in "ip6.arpa" to cover
On Thu, Feb 28, 2019 at 6:21 AM Nick Lamb via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Thu, 28 Feb 2019 05:52:14 +
> Jeremy Rowley via dev-security-policy
> wrote:
>
> Hi Jeremy,
>
> > 4. The validation agent specified the approval scope as id-addr.arpa
>
> I
On Thu, 28 Feb 2019 05:52:14 +
Jeremy Rowley via dev-security-policy
wrote:
Hi Jeremy,
> 4. The validation agent specified the approval scope as id-addr.arpa
I assume this is a typo by you not the agent, for in-addr.arpa ?
Meanwhile, and without prejudice to the report itself once made:
Sent: Tuesday, February 26, 2019 4:17 PM
To: Matthew Hardeman
Cc: dev-security-policy@lists.mozilla.org; b...@benjojo.co.uk
Subject: Re: Possible DigiCert in-addr.arpa Mis-issuance
I am not so sure that is proper to have .arpa domains in the SANs.
But I think the larger issue is that
On Wed, Feb 27, 2019 at 9:04 AM Nick Lamb wrote:
>
> It does feel as though ARPA should consider adding a CAA record to
> in-addr.arpa and similar hierarchies that don't want certificates,
> denying all CAs, as a defence in depth measure.
>
Unless I significantly misunderstand CAA, this
From: dev-security-policy On
Behalf Of Cynthia Revström via dev-security-policy
Sent: Wednesday, February 27, 2019 8:45 AM
To: dev-security-policy@lists.mozilla.org
Subject: Re: Possible DigiCert in-addr.arpa Mis-issuance
Okay that seems like an issue as to me that says that this could have
To: Matthew Hardeman
Cc: dev-security-policy@lists.mozilla.org; b...@benjojo.co.uk
Subject: Re: Possible DigiCert in-addr.arpa Mis-issuance
I am not so sure that is proper to have .arpa domains in the SANs.
But I think the larger issue is that this might allow for non
in-addr.arpa
> On 27/02/2019 00:10, Matthew Hardeman wrote:
> > Is it even proper to have a SAN dnsName in in-addr.arpa ever?
> >
> > While in-addr.arpa IS a real DNS hierarchy under the .arpa TLD, it
> > rarely has anything other than PTR and NS records defined.
> >
>
> While there is no current use, and the
On Wed, Feb 27, 2019 at 8:04 PM Nick Lamb via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Tue, 26 Feb 2019 17:10:49 -0600
> Matthew Hardeman via dev-security-policy
> wrote:
>
> > Is it even proper to have a SAN dnsName in in-addr.arpa ever?
>
> It does feel as
On Tue, 26 Feb 2019 17:10:49 -0600
Matthew Hardeman via dev-security-policy
wrote:
> Is it even proper to have a SAN dnsName in in-addr.arpa ever?
It does feel as though ARPA should consider adding a CAA record to
in-addr.arpa and similar hierarchies that don't want certificates,
denying all
On 27/02/2019 00:10, Matthew Hardeman wrote:
Is it even proper to have a SAN dnsName in in-addr.arpa ever?
While in-addr.arpa IS a real DNS hierarchy under the .arpa TLD, it rarely
has anything other than PTR and NS records defined.
While there is no current use, and the test below was
From: dev-security-policy On
Behalf Of Cynthia Revström via dev-security-policy
Sent: Tuesday, February 26, 2019 4:17 PM
To: Matthew Hardeman
Cc: dev-security-policy@lists.mozilla.org; b...@benjojo.co.uk
Subject: Re: Possible DigiCert in-addr.arpa Mis-issuance
I am not so sure that is pr
I am not so sure that is proper to have .arpa domains in the SANs.
But I think the larger issue is that this might allow for non
in-addr.arpa domains to be used as well.
It was just that I just tried to get a cert for my domain for a test to
see if that would be issued.
And upon
Is it even proper to have a SAN dnsName in in-addr.arpa ever?
While in-addr.arpa IS a real DNS hierarchy under the .arpa TLD, it rarely
has anything other than PTR and NS records defined.
Here this was clearly achieved by creating a CNAME record for
69.168.110.79.in-addr.arpa pointed to
Thanks Cynthia. We are investigating and will report back shortly.
From: dev-security-policy on
behalf of Cynthia Revström via dev-security-policy
Sent: Tuesday, February 26, 2019 12:02:20 PM
To: dev-security-policy@lists.mozilla.org
Cc: b...@benjojo.co.uk