On Mon, Mar 16, 2020 at 12:11:57PM -0700, Chris Kemmerer via
dev-security-policy wrote:
> On Wednesday, March 11, 2020 at 5:41:00 PM UTC-5, Matt Palmer wrote:
> > On Wed, Mar 11, 2020 at 10:46:05AM -0700, Chris Kemmerer via
> > dev-security-policy wrote:
> > > On Tuesday, March 10, 2020 at 8:44:4
On Monday, March 16, 2020 at 2:46:46 PM UTC-5, Ryan Sleevi wrote:
> On Mon, Mar 16, 2020 at 3:12 PM Chris Kemmerer via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > > It would appear that SSL.com is a member in good standing of the CA/B Forum.
> > > Is there any i
On Mon, Mar 16, 2020 at 3:12 PM Chris Kemmerer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> > It would appear that SSL.com is a member in good standing of the CA/B Forum.
> > Is there any intention on the part of SSL.com to propose this change as a
> > ballot? While
On Wednesday, March 11, 2020 at 5:41:00 PM UTC-5, Matt Palmer wrote:
> On Wed, Mar 11, 2020 at 10:46:05AM -0700, Chris Kemmerer via
> dev-security-policy wrote:
> > On Tuesday, March 10, 2020 at 8:44:49 PM UTC-5, Matt Palmer wrote:
> > > On Tue, Mar 10, 2020 at 01:48:49PM -0700, Chris Kemmerer via
On Wed, Mar 11, 2020 at 10:46:05AM -0700, Chris Kemmerer via
dev-security-policy wrote:
> On Tuesday, March 10, 2020 at 8:44:49 PM UTC-5, Matt Palmer wrote:
> > On Tue, Mar 10, 2020 at 01:48:49PM -0700, Chris Kemmerer via
> > dev-security-policy wrote:
> > > For the purpose of identifying whether
We regret your impression that we take this issue with anything less than the
utmost seriousness.
We have opened a ticket and are actively working with our CA software vendor to
address the underlying issue.
Rather than stopping there, we have been working concurrently to put into place
the ne
On Wed, Mar 11, 2020 at 1:46 PM Chris Kemmerer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> You are correct, each compliance violation is considered an incident.
> However in our opinion we have not violated our CP/CPS or the current
> Baseline Requirements. Although
On Tuesday, March 10, 2020 at 8:44:49 PM UTC-5, Matt Palmer wrote:
> On Tue, Mar 10, 2020 at 01:48:49PM -0700, Chris Kemmerer via
> dev-security-policy wrote:
> > We have updated https://bugzilla.mozilla.org/show_bug.cgi?id=1620772 with
> > the findings of our current investigation.
>
> Thanks fo
On Tue, Mar 10, 2020 at 01:48:49PM -0700, Chris Kemmerer via
dev-security-policy wrote:
> We have updated https://bugzilla.mozilla.org/show_bug.cgi?id=1620772 with
> the findings of our current investigation.
Thanks for this update. I have... comments.
Before I get into the nitty-gritty, though
We have updated https://bugzilla.mozilla.org/show_bug.cgi?id=1620772 with the
findings of our current investigation.
We believe all issues raised in this thread are addressed in this update. Our
investigation is ongoing and we welcome any positive input by the community as
an opportunity to imp
On Sun, 8 Mar 2020 10:57:49 +1100
Matt Palmer via dev-security-policy
wrote:
> > The fingerprint of the claimed Debian weak key was not included in
> > our database.
>
> I think it's worth determining exactly where SSL.com obtained their
> fingerprint database of weak keys. The private key in
On 07/03/2020 23:57, Matt Palmer via dev-security-policy wrote:
As further independent confirmation, the crt.sh page for the certificate
shows that crt.sh *also* identifies the certificate as having a Debian weak
key. My understanding is that crt.sh uses a database of keys that was
independentl
On Sat, Mar 07, 2020 at 09:07:11AM -0500, Ryan Sleevi wrote:
> Thanks. I filed https://bugzilla.mozilla.org/show_bug.cgi?id=1620772
I'll give points to SSL.com for a speedy initial response, but I'm a bit
disconcerted about this:
> The fingerprint of the claimed Debian weak key was not included i
Thanks. I filed https://bugzilla.mozilla.org/show_bug.cgi?id=1620772
On Fri, Mar 6, 2020 at 9:48 PM Matt Palmer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> (Pre) Certificate https://crt.sh/?id=2531502044 has been issued with a known
> weak key, specifically Debian
(Pre) Certificate https://crt.sh/?id=2531502044 has been issued with a known
weak key, specifically Debian weak key 2048/i386/rnd/pid17691. I believe
this issuance to be in contravention of SSL.com's CPS, version 1.8, section
6.1.1.2, which states "SSL.com shall reject a certificate request if the