Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-04-01 Thread urijah--- via dev-security-policy
I think page 8 of their manual at least partially explains how and what "QuickInvite" is. The whole document is rather interesting... https://www.geotrust.com/geocenter/resources/partnercenter-user-guide.pdf On Saturday, April 1, 2017 at 6:01:23 AM UTC-4, Nick Lamb wrote: > On Friday, 31 March

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-04-01 Thread Nick Lamb via dev-security-policy
On Friday, 31 March 2017 17:27:34 UTC+1, tarah.s...@gmail.com wrote: > I'm Tarah. I am the Principal Security Advocate and Senior Director of > Engineering at Symantec Website Security (the certificate authority. Hello Tarah, Regular readers of m.d.s.policy will not be surprised that the news

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-04-01 Thread Gervase Markham via dev-security-policy
Hi Daniel, We appreciate your additional input into determining the exact scope of this problem. On 31/03/17 19:37, Daniel Baxter (Aractus) wrote: > With all due respect this reply is the most ridiculous load of > nonsense I've ever read. However, please keep the tone civil. If it's nonsense,

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-31 Thread Peter Bowen via dev-security-policy
> On Mar 31, 2017, at 6:01 PM, Daniel Baxter via dev-security-policy > wrote: > > On Saturday, April 1, 2017 at 6:27:27 AM UTC+11, Jakob Bohm wrote: >> Oh, come on, if that's her job title, that's her job title, and at any >> CA, that is actually an

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-31 Thread aractuspuphlicus--- via dev-security-policy
On Saturday, April 1, 2017 at 6:51:30 AM UTC+11, Vincent Lynch wrote: > > It is simply a bug, related to an OID included in the certificate. This has > been documented by Chrome > . OK, I'll update that, thanks.

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-31 Thread Daniel Baxter via dev-security-policy
On Saturday, April 1, 2017 at 6:27:27 AM UTC+11, Jakob Bohm wrote: > Oh, come on, if that's her job title, that's her job title, and at any > CA, that is actually an important job that /someone/ should have. I meant the content of her reply, not her job title. > Unfortunately, when initially

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-31 Thread mono.riot--- via dev-security-policy
Maybe I'm alone in this but, while entertaining, I'm taken aback a bit if this is official Symantec communication in a forum like m.d.s.p. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-31 Thread tarah.symantec--- via dev-security-policy
> > Yeah OK, I got a few things wrong on my blog post, I can fix that shortly. > It's no big deal. At least I'm informing people about security - claiming > that we're just "looking for hits" is ridiculous. Most people pay no > attention to security, I can't speak for others but I'm trying to

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-31 Thread Vincent Lynch via dev-security-policy
> > Finally, what have you actually done to address EV revocation? You clearly > didn't bother to tell Commonwealth Bank: > > https://www.commbank.com.au/ > > One of the largest banks in Australia that their EV status would evaporate > in Chrome. So what did you do to inform your customers about

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-31 Thread tarah.symantec--- via dev-security-policy
> Yep, but there must have been an API (at some level) for generating or > processing the QuickInvite URL. That was what I was suggesting might > have been the issue. So, it's hard for me to answer this question because I didn't see any POC, but 1) it's not physically possible for private keys

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-31 Thread Jakob Bohm via dev-security-policy
On 31/03/2017 19:31, tarah.syman...@gmail.com wrote: On Friday, March 31, 2017 at 9:51:03 AM UTC-7, Jakob Bohm wrote: Dear Tarah, Below some friendly speculation as to what the parts that some bloggers claimed was included (if those claims were somehow true) might have been (i.e. where *you*

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-31 Thread tarah.symantec--- via dev-security-policy
On Friday, March 31, 2017 at 9:51:03 AM UTC-7, Jakob Bohm wrote: > Dear Tarah, > > Below some friendly speculation as to what the parts that some bloggers > claimed was included (if those claims were somehow true) might have > been (i.e. where *you* might look for it in internal Symantec >

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-30 Thread okaphone.elektronika--- via dev-security-policy
Right. It is then. It says private keys can only be stored with permission of the subscriber and encryption must always be used to transfer them. And of course the certificate must be revoked if/when it becomes known that a private key has gotten to the wrong person. Well... NOT my private

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-29 Thread Ryan Sleevi via dev-security-policy
https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.2.pdf Section 6.1.2 On Wed, Mar 29, 2017 at 3:22 AM, okaphone.elektronika--- via dev-security-policy wrote: > Weird. > > I expect there are no requirements for a CA to keep other people's

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-29 Thread Florian Weimer via dev-security-policy
* Nick Lamb via dev-security-policy: > In order for Symantec to reveal anybody's private keys they'd first > need to have those keys, which is already, IIRC forbidden in the > BRs. I think this requirement was dropped because it makes it unnecessarily difficult to report key compromises. There

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-29 Thread okaphone.elektronika--- via dev-security-policy
Weird. I expect there are no requirements for a CA to keep other people's private keys safe. After all handling those is definitely not part of being a CA. ;-) CU Hans

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-28 Thread Peter Gutmann via dev-security-policy
Nick Lamb via dev-security-policy writes: >In order for Symantec to reveal anybody's private keys they'd first need to >have those keys That's standard practice for many CAs, they generate the key and certificate for you and email it to you as a PKCS #12.

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-28 Thread ian--- via dev-security-policy
On Tuesday, March 28, 2017 at 3:46:05 PM UTC-4, Nick Lamb wrote: > In order for Symantec to reveal anybody's private keys they'd first need to > have those keys, which is already, IIRC forbidden in the BRs. So even proof > that Symantec routinely had these keys is a big deal. From what I can

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-28 Thread Vincent Lynch via dev-security-policy
On Tuesday, March 28, 2017 at 11:08:08 PM UTC-4, uri...@gmail.com wrote: > For what it's worth, this is the latest post on facebook from the researcher. > https://www.facebook.com/cbyrneiv/posts/10155129935452436 > > The private key storage issue sounds like a reseller tool, like >

Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-28 Thread urijah--- via dev-security-policy
For what it's worth, this is the latest post on facebook from the researcher. https://www.facebook.com/cbyrneiv/posts/10155129935452436 The private key storage issue sounds like a reseller tool, like https://www.thesslstore.com/ssltools/csr-generator.php and he found the private key was stored

Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-28 Thread Nick Lamb via dev-security-policy
In order for Symantec to reveal anybody's private keys they'd first need to have those keys, which is already, IIRC forbidden in the BRs. So even proof that Symantec routinely had these keys is a big deal. The whole reason things like CSR signing exist is that public CAs have no reason to know

Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-28 Thread urijah--- via dev-security-policy
https://www.bleepingcomputer.com/news/security/researcher-says-api-flaw-exposed-symantec-certificates-including-private-keys/ Does anyone have further information about this?