Hello-
Regarding:
> - https://crt.sh/?id=12501254&opt=cablint -- RSA Security 2048 V3 via
> RSA Corporate CA v2 via RSA Corporate Server CA v2
All certificates issued with SHA-1 post 1 January 2016 have been revoked and
replaced with SHA-2 compliant Certificates as of 4 Feb 2016.
The configu
On 01/19/16 01:49, Charles Reiss wrote:
> Via censys.io, I found a couple SHA-1 certs with notBefore dates from this
> year
> which chain to root CAs in Mozilla's program:
[snip]
and even more, from different subCAs than have come up yet:
- https://crt.sh/?id=12501241&opt=cablint -- Baltimore Cy
we communicate that we have revoked the certificate referred to
> https://crt.sh/?id=
>
> -Original Message-
> From: Ben Wilson
> Sent: Monday, January 25, 2016 10:08 AM
> To: 'Charles Reiss' ;
> mozilla-dev-security-pol...@lists.mozilla.org
> Subject:
On Fri, Jan 29, 2016 at 4:43 PM, Kathleen Wilson
wrote:
> On 1/25/16 12:22 AM, Charles Reiss wrote:
>
>> On 01/19/16 01:49, Charles Reiss wrote:
>>
>>> Via censys.io, I found a couple SHA-1 certs with notBefore dates from
>>> this year
>>> which chain to root CAs in Mozilla's program:
>>>
>> [sni
On 1/25/16 12:22 AM, Charles Reiss wrote:
On 01/19/16 01:49, Charles Reiss wrote:
Via censys.io, I found a couple SHA-1 certs with notBefore dates from this year
which chain to root CAs in Mozilla's program:
[snip]
And here are a couple more, from different subCAs:
- https://crt.sh/?id=121318
ozilla.org
Subject: RE: SHA1 certs issued this year chaining to included roots
Thanks for spotting this Charles. We've reached out to Postecom.it for an
explanation and with a request that they revoke the certificate immediately and
reissue it with the proper contents.
Ben Wilson
DigiCert V
On Mon, 25 Jan 2016 08:22:57 +
Charles Reiss wrote:
> - https://crt.sh/?id=12203339 -- chaining to Baltimore CyberTrust Root
> (again) this time via (presumably external) subCA "Postecom CS3"
This certificate also contains two SANs for internal names:
DNS:vm-exfe01.postecom.local
o:dev-security-policy-bounces+ben=digicert@lists.mozilla.org] On
Behalf Of Charles Reiss
Sent: Monday, January 25, 2016 1:23 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: SHA1 certs issued this year chaining to included roots
On 01/19/16 01:49, Charles Reiss wrote:
On 01/19/16 01:49, Charles Reiss wrote:
> Via censys.io, I found a couple SHA-1 certs with notBefore dates from this
> year
> which chain to root CAs in Mozilla's program:
[snip]
And here are a couple more, from different subCAs:
- https://crt.sh/?id=12131821 -- chaining to Deutsche Telekom Root
On 01/19/16 01:49, Charles Reiss wrote:
> Via censys.io, I found a couple SHA-1 certs with notBefore dates from this
> year
> which chain to root CAs in Mozilla's program:
>
> - https://crt.sh/?id=12089828 -- chains to Baltimore CyberTrust Root
> [DigiCert]
> via subCA "Eurida Primary CA" via su
On 20/01/2016 15:43, Rob Stradling wrote:
On 20/01/16 14:35, Richard Barnes wrote:
Changing the subject line as this is branching a bit...
IIRC, the original motivation for this text was to make it possible to
suppress OCSP requests directly from TLS clients (that don't support
OCSP
Stapling)
On 20/01/16 14:35, Richard Barnes wrote:
Changing the subject line as this is branching a bit...
IIRC, the original motivation for this text was to make it possible to
suppress OCSP requests directly from TLS clients (that don't support OCSP
Stapling). In particular, there was a concern that
Changing the subject line as this is branching a bit...
On Wed, Jan 20, 2016 at 8:24 AM, Rob Stradling
wrote:
> On 19/01/16 21:13, Charles Reiss wrote:
>
>> On 01/19/16 11:49, Jakob Bohm wrote:
>>
>
>
>> If there is no OCSP, it obviously cannot be stapled.
>>>
>>
>> The CA/Browser forum BRs con
On 19/01/16 21:13, Charles Reiss wrote:
On 01/19/16 11:49, Jakob Bohm wrote:
If there is no OCSP, it obviously cannot be stapled.
The CA/Browser forum BRs contemplate OCSP stapling without an OCSP responder
being listed in the certificate in section 7.1.2.2.c ("The HTTPURL of the
Issuin
On 01/19/16 11:49, Jakob Bohm wrote:
> On 19/01/2016 02:49, Charles Reiss wrote:
>> Via censys.io, I found a couple SHA-1 certs with notBefore dates from this
>> year
>> which chain to root CAs in Mozilla's program:
>>
>> - https://crt.sh/?id=12089828 -- chains to Baltimore CyberTrust Root
>> [Di
=digicert@lists.mozilla.org]
On Behalf Of Jakob Bohm
Sent: Tuesday, January 19, 2016 4:49 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: SHA1 certs issued this year chaining to included roots
On 19/01/2016 02:49, Charles Reiss wrote:
> Via censys.io, I found a couple SHA-1 ce
On 19/01/2016 02:49, Charles Reiss wrote:
Via censys.io, I found a couple SHA-1 certs with notBefore dates from this year
which chain to root CAs in Mozilla's program:
- https://crt.sh/?id=12089828 -- chains to Baltimore CyberTrust Root [DigiCert]
via subCA "Eurida Primary CA" via subCA "DnB NOR
On Mon, Jan 18, 2016 at 10:45:17PM -0500, Reed Loden wrote:
> https://cabforum.org/pipermail/public/2016-January/006519.html has
> more information on these certs.
Thanks, that seems to list the same 5 I already had.
I'm currently also seeing:
https://crt.sh/?id=12090324
Kurt
_
Correct. Sorry, I meant to say "on the Symantec-issued certs".
~reed
On Mon, Jan 18, 2016 at 10:55 PM, Eric Mill wrote:
> On Mon, Jan 18, 2016 at 10:45 PM, Reed Loden wrote:
>>
>> https://cabforum.org/pipermail/public/2016-January/006519.html has
>> more information on these certs.
>
>
> I don'
On Mon, Jan 18, 2016 at 10:45 PM, Reed Loden wrote:
> https://cabforum.org/pipermail/public/2016-January/006519.html has
> more information on these certs.
>
I don't think that includes the Digicert one, though?
>
> ~reed
>
> On Mon, Jan 18, 2016 at 10:23 PM, Kurt Roeckx wrote:
> > On Tue, Ja
https://cabforum.org/pipermail/public/2016-January/006519.html has
more information on these certs.
~reed
On Mon, Jan 18, 2016 at 10:23 PM, Kurt Roeckx wrote:
> On Tue, Jan 19, 2016 at 01:49:21AM +, Charles Reiss wrote:
>> Via censys.io, I found a couple SHA-1 certs with notBefore dates from
On 01/19/16 03:37, Charles Reiss wrote:
> On 01/19/16 03:23, Kurt Roeckx wrote:
>> On Tue, Jan 19, 2016 at 01:49:21AM +, Charles Reiss wrote:
>>> Via censys.io, I found a couple SHA-1 certs with notBefore dates from this
>>> year
>>> which chain to root CAs in Mozilla's program:
>>
>> I also h
On 01/19/16 03:23, Kurt Roeckx wrote:
> On Tue, Jan 19, 2016 at 01:49:21AM +, Charles Reiss wrote:
>> Via censys.io, I found a couple SHA-1 certs with notBefore dates from this
>> year
>> which chain to root CAs in Mozilla's program:
>
> I also have some from C=US,O=VeriSign\, Inc.,OU=VeriSig
On Tue, Jan 19, 2016 at 01:49:21AM +, Charles Reiss wrote:
> Via censys.io, I found a couple SHA-1 certs with notBefore dates from this
> year
> which chain to root CAs in Mozilla's program:
I also have some from C=US,O=VeriSign\, Inc.,OU=VeriSign Trust
Network,OU=Terms of use at https://www.
24 matches
Mail list logo