Re: Revoking Trust in one ANSSI Certificate

2013-12-12 Thread Jan Schejbal
On 2013-12-11 23:59, Gervase Markham wrote: Look again. It seems that it now contains 1106 certificates (!), with widely varying revocation dates. Can't confirm that for any of the following CRL DPs: http://www.icp.minefi.gouv.fr/igca.crl (1 entry) http://www.icp.minefi.gouv.fr/ac-racine.crl

Re: Revoking Trust in one ANSSI Certificate

2013-12-11 Thread Samuel L
On 11/12/13 01:08, Kathleen Wilson wrote: Based on the list that Rob provided, there may be other domains that we might consider including. For example: *.ac-martinique.fr *.ac-creteil.fr *.ac-orleans-tours.fr *.education.fr *.ac-poitiers.fr As this list includes domains from the ministry

Re: Revoking Trust in one ANSSI Certificate

2013-12-11 Thread Brian Smith
On Wed, Dec 11, 2013 at 1:49 AM, Samuel L samuel.la...@sealweb.eu wrote: On 11/12/13 01:08, Kathleen Wilson wrote: Based on the list that Rob provided, there may be other domains that we might consider including. For example: *.ac-martinique.fr *.ac-creteil.fr *.ac-orleans-tours.fr

Re: Revoking Trust in one ANSSI Certificate

2013-12-11 Thread Gervase Markham
On 10/12/13 06:20, Jan Schejbal wrote: The third sub-ca cert (Subject AC DGTPE Signature Authentification) includes a CRL DP for a CRL issued by sub-ca 2, validity 2011-09-09 to 2014-09-13. The CRL is empty. Look again. It seems that it now contains 1106 certificates (!), with widely varying

Re: Revoking Trust in one ANSSI Certificate

2013-12-10 Thread Jan Schejbal
On 2013-12-10 12:09, Jan Schejbal wrote: 5. Appears unable to operate a CA properly as per Erwann's mail (e.g. no valid CRLs). I had a look at the CRLs of the certificates in the chain. The first sub-ca cert in the chain (Subject MINEFI-AUTORITE DE CERTIFICATION RACINE) includes a CRL DP
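
The checks Jan and Gerv describe in the two messages above (follow the CRL DP in a certificate, fetch the CRL, confirm it is signed by the expected issuer, count the entries and look at the spread of revocation dates) as an added, runnable example. This is not code from the thread or from ANSSI; it builds its own throwaway sub-CA key, certificate and CRL with the Python 'cryptography' package so it runs offline, and the CA name, serial numbers, revocation dates and the CRL DP URL are all constructed for the example. To inspect a real CRL you would replace build_sample_crl() with the DER bytes fetched from the DP URL and pass the issuing CA's public key.

```python
"""Added example (not from the thread): build a small CRL offline, then run the
checks discussed on the list: verify the CRL signature against the issuer key,
count entries and report the earliest/latest revocation dates.
Requires the 'cryptography' package. All keys, names, serial numbers and the
CRL DP URL below are constructed sample data."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed sample: a throwaway sub-CA key and name (not ANSSI's).
CA_KEY = ec.generate_private_key(ec.SECP256R1())
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Sub-CA")])
CRL_DP_URL = "http://crl.example.invalid/subca.crl"  # assumed URL, not a real DP

# Constructed sample revocations: (serial, revocation date), spread over ~2 years.
SAMPLE_REVOCATIONS = [
    (1001, datetime.datetime(2012, 1, 15, 10, 0, 0)),
    (1002, datetime.datetime(2012, 6, 1, 8, 30, 0)),
    (1003, datetime.datetime(2013, 12, 9, 12, 0, 0)),
]


def build_sample_crl(revocations=SAMPLE_REVOCATIONS) -> bytes:
    """Issue a DER-encoded CRL signed by the constructed sub-CA key."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(CA_NAME)
        .last_update(datetime.datetime(2013, 12, 10, 0, 0, 0))
        .next_update(datetime.datetime(2014, 9, 13, 0, 0, 0))
    )
    for serial, when in revocations:
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(when)
            .build()
        )
        builder = builder.add_revoked_certificate(entry)
    crl = builder.sign(private_key=CA_KEY, algorithm=hashes.SHA256())
    return crl.public_bytes(serialization.Encoding.DER)


def build_sample_cert_with_crl_dp() -> bytes:
    """Issue a DER certificate that carries a CRL Distribution Points extension."""
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "leaf.example.invalid")])
    dp = x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(CRL_DP_URL)],
        relative_name=None, reasons=None, crl_issuer=None,
    )
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(CA_NAME)
        .public_key(leaf_key.public_key())
        .serial_number(1003)
        .not_valid_before(datetime.datetime(2013, 1, 1))
        .not_valid_after(datetime.datetime(2014, 1, 1))
        .add_extension(x509.CRLDistributionPoints([dp]), critical=False)
        .sign(CA_KEY, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.DER)


def crl_dp_urls(cert_der: bytes) -> list:
    """Return the URI-form CRL DPs named in a certificate (empty if none)."""
    cert = x509.load_der_x509_certificate(cert_der)
    try:
        dps = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    except x509.ExtensionNotFound:
        return []
    urls = []
    for dp in dps:
        for name in dp.full_name or []:
            if isinstance(name, x509.UniformResourceIdentifier):
                urls.append(name.value)
    return urls


def _naive_utc(obj, attr):
    """Read a datetime attribute, preferring the *_utc accessor that newer
    cryptography releases provide, and return it as a naive UTC datetime."""
    value = getattr(obj, attr + "_utc", None)
    if value is None:
        value = getattr(obj, attr)
    if value.tzinfo is not None:
        value = value.astimezone(datetime.timezone.utc).replace(tzinfo=None)
    return value


def summarize_crl(crl_der: bytes, issuer_public_key) -> dict:
    """Signature check plus the numbers a reviewer wants to see: entry count,
    thisUpdate/nextUpdate window and the earliest/latest revocation dates."""
    crl = x509.load_der_x509_crl(crl_der)
    dates = [_naive_utc(r, "revocation_date") for r in crl]
    return {
        "signature_valid": crl.is_signature_valid(issuer_public_key),
        "issuer": crl.issuer.rfc4514_string(),
        "this_update": _naive_utc(crl, "last_update"),
        "next_update": _naive_utc(crl, "next_update"),
        "entries": len(crl),
        "earliest_revocation": min(dates) if dates else None,
        "latest_revocation": max(dates) if dates else None,
        "serials": sorted(r.serial_number for r in crl),
    }


if __name__ == "__main__":
    print("CRL DPs:", crl_dp_urls(build_sample_cert_with_crl_dp()))
    for key, value in summarize_crl(build_sample_crl(), CA_KEY.public_key()).items():
        print(f"{key}: {value}")
```

An empty CRL (zero entries) is reported as entries: 0 rather than treated as an error, since, as the thread shows, an empty CRL and a CRL with a thousand entries are both "valid" CRLs; what matters is whether the signature checks out against the issuer and whether nextUpdate has not passed.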

Re: Revoking Trust in one ANSSI Certificate

2013-12-10 Thread Rob Stradling
On 10/12/13 00:48, Erwann Abalea wrote: On Monday 9 December 2013 23:15:01 UTC+1, Brian Smith wrote: One thing that would really help would be an attempt to document which publicly-accessible websites are using certificates that chain (only) to the ANSSI root. I heard the claim that most

Re: Revoking Trust in one ANSSI Certificate

2013-12-10 Thread Phillip Hallam-Baker
On Mon, Dec 9, 2013 at 2:17 PM, Jan Schejbal jan.schejbal_n...@gmx.de wrote: I would really love to see the explanation how someone accidentally issues and deploys a MitM Sub-CA... I think it will turn out to be essentially the same reason that Microsoft got burned with the Flame attack.

Re: Revoking Trust in one ANSSI Certificate

2013-12-10 Thread Brian Smith
On Tue, Dec 10, 2013 at 4:08 PM, Kathleen Wilson kwil...@mozilla.com wrote: Constrain the currently-included IGC/A root certificate to a certain set of domains. I think the restriction needs to be along the lines of *.gouv.fr. I think it might help to explain the rationale for the choice of
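
The kind of domain restriction Kathleen and Brian are debating above (constrain a root so that it is only trusted for names under gouv.fr, or under a short list of such suffixes) as an added worked example of how a dNSName name constraint is applied. This is not code from the thread and not the constraint set Mozilla or NSS actually shipped; the matching rule is the RFC 5280 one (a name satisfies a constraint when it equals it or adds labels to its left, on a label boundary), and the permitted list, hostnames and the wildcard handling are illustrative assumptions.

```python
"""Added example (not from the thread): apply dNSName name constraints of the
kind proposed for the IGC/A root to a certificate's SAN dNSNames.
The permitted list and test names are constructed for illustration."""


def normalize(name: str) -> str:
    """Lower-case and strip a trailing dot; a leading dot on a constraint is
    tolerated and removed ('.gouv.fr' is treated like 'gouv.fr')."""
    return name.strip().lower().rstrip(".").lstrip(".")


def dns_name_in_subtree(name: str, constraint: str) -> bool:
    """RFC 5280 4.2.1.10 rule: the name equals the constraint or ends with
    '.' + constraint. The dot enforces the label boundary, so 'evilgouv.fr'
    is NOT under 'gouv.fr' and 'gouv.fr.attacker.example' is not either."""
    name, constraint = normalize(name), normalize(constraint)
    if not constraint:
        return True  # an empty constraint permits every name
    return name == constraint or name.endswith("." + constraint)


def dns_name_permitted(name: str, permitted: list) -> bool:
    """A name is allowed if it falls inside at least one permitted subtree.
    A wildcard name '*.x' is judged by the name it expands under, x, so
    '*.gouv.fr' passes for gouv.fr while '*.fr' does not (assumed handling)."""
    name = normalize(name)
    if name.startswith("*."):
        name = name[2:]
    return any(dns_name_in_subtree(name, c) for c in permitted)


def cert_dns_names_permitted(san_dns_names: list, permitted: list) -> dict:
    """Decide name by name whether every SAN dNSName is covered. One uncovered
    name rejects the whole certificate, which is what makes a constrained
    root useless for a MitM certificate on a third-party domain."""
    verdicts = {n: dns_name_permitted(n, permitted) for n in san_dns_names}
    return {"accepted": all(verdicts.values()), "names": verdicts}


# Constructed sample permitted list in the spirit of the proposal above.
PROPOSED_PERMITTED = ["gouv.fr", "education.fr", "ac-creteil.fr", "ac-martinique.fr"]

if __name__ == "__main__":
    for host in ["www.impots.gouv.fr", "*.ac-creteil.fr", "evilgouv.fr",
                 "gouv.fr.attacker.example", "www.google.com", "*.fr"]:
        print(f"{host:28} permitted={dns_name_permitted(host, PROPOSED_PERMITTED)}")
    print(cert_dns_names_permitted(["www.gouv.fr", "www.google.com"], PROPOSED_PERMITTED))
```

The two negative cases worth keeping in a test suite are the ones an attacker would try: a name that merely ends in the permitted string without a label boundary ('evilgouv.fr'), and a name that contains the permitted suffix in the middle ('gouv.fr.attacker.example'). Both must be rejected.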

Re: Revoking Trust in one ANSSI Certificate

2013-12-09 Thread Tim Moses
From the information we have to date, I think the CAs that try hard to run a conformant operation can be justifiably upset that this behaviour is tolerated. All the best. Tim. On Dec 9, 2013, at 4:19 PM, Eddy Nigg eddy_n...@startcom.org wrote: On 12/09/2013 11:12 PM, From Ryan Sleevi:

Re: Revoking Trust in one ANSSI Certificate

2013-12-09 Thread fhw843
Let's start with the basics: what is the cert subject, serial number, date info? None of the four browser notices provided any of that. Surely there is no reason to keep it secret, is there?

Re: Revoking Trust in one ANSSI Certificate

2013-12-09 Thread fhw843
Brian, I was thinking it would be beneficial if ANSSI would provide a host:port that would have the bad chain installed. This allows for anyone to check if their browser has been updated to un-trust the intermediate. I make this suggestion in addition to the points you raise below, and I think