Re: dNSName containing '/' / low serial number entropy

2017-09-08 Thread Kim Nguyen via dev-security-policy
On Wednesday, 19 July 2017 00:26:16 UTC+2, Charles Reiss wrote:
> https://crt.sh/?id=174827359 is a certificate issued by D-TRUST SSL Class 3 CA 1 2009 containing the DNS SAN 'www.lbv-gis.brandenburg.de/lbvagszit' (containing a '/') with a notBefore in April 2017.
> Regarding this

Re: dNSName containing '/' / low serial number entropy

2017-08-11 Thread Gijs Kruitbosch via dev-security-policy
On 11/08/2017 15:39, Policy Authority PKIoverheid wrote:
> 2. Why did DDY not implement the serial number entropy as required by the Baseline Requirements?
> 3. Was this detected by the auditor? If not, why not?
ANSWER ON QUESTION 2: DDY concluded wrongly that ballot 164 was not applicable for

Re: dNSName containing '/' / low serial number entropy

2017-08-11 Thread Nick Lamb via dev-security-policy
On top of what Ryan has written, I want to specifically praise the approach of actually checking a sample of certificates as PKIoverheid describes. I think done well this can be a very affordable yet timely and effective way to detect problems in a particular issuance pipeline or with a

Re: dNSName containing '/' / low serial number entropy

2017-08-11 Thread Ryan Sleevi via dev-security-policy
Mark, Thanks for providing a detailed report about this, including the steps being taken to prevent future events like this. Your proposed remediation plans sound like excellent steps to ensure future conformance, and demonstrate an understanding as to the root causes and how to prevent them in

Re: dNSName containing '/' / low serial number entropy

2017-08-11 Thread Policy Authority PKIoverheid via dev-security-policy
Dear Mozilla Security Policy Community, My apologies for the delayed follow-up response. As stated in my email from 07/25/2017, Digidentity (DDY), one of our TSPs, issued 777 certificates from September 30th 2016 which were not compliant with BR ballot 164. DDY has fixed the problem with the

Re: dNSName containing '/' / low serial number entropy

2017-08-08 Thread Arno Fiedler via dev-security-policy
Dear Mozilla Security Policy Community, Thanks for the advice about the short serial numbers and apologies for the delayed response. Since 2016, all D-TRUST TLS certificates based on electronic Certificate Requests have a certificate serial number which includes 64 bits of entropy. Between

Re: dNSName containing '/' / low serial number entropy

2017-07-25 Thread Alex Gaynor via dev-security-policy
Hi Mark, Are you saying you do intend to revoke all of these certificates in the next 24 hours? While subscribers are allowed to continue using bad certificates as long as they desire, the BRs require CAs to revoke non-compliant certificates within 24 hours of becoming aware of them. Alex On

Re: dNSName containing '/' / low serial number entropy

2017-07-25 Thread Policy Authority PKIoverheid via dev-security-policy
On Wednesday, 19 July 2017 00:26:16 UTC+2, Charles Reiss wrote:
> - Digidentity Services CA - G2 (https://crt.sh/?caid=868 ; chains to Staat der Nederlanden Root CA - G2) has issued certificates whose serial numbers appear to be of the form 0x1000 + sequential counter with

RE: dNSName containing '/' / low serial number entropy

2017-07-20 Thread Stephen Davidson via dev-security-policy
Hello: Siemens Issuing CA Internet Server 2016 was taken offline upon this report while Siemens and QuoVadis investigate. It will not issue certificates until the problem is resolved. Kind regards, Stephen Davidson QuoVadis -Original Message- From: dev-security-policy

Re: dNSName containing '/' / low serial number entropy

2017-07-20 Thread Gervase Markham via dev-security-policy
On 18/07/17 23:25, Charles Reiss wrote:
> https://crt.sh/?id=174827359 is a certificate issued by D-TRUST SSL
I'm supposed to be on holiday :-), but I have emailed the 3 CAs concerned drawing these issues to their attention, and asking them to comment here when they have discovered the cause.