Re: Certificate Concern about Cloudflare's DNS

2016-11-03 Thread gerhard . tinned
On Wednesday, November 2, 2016 at 11:42:00 PM UTC+1, Kristian Fiskerstrand wrote: > On 11/02/2016 11:38 PM, Peter Kurrasch wrote: > > This raises an interesting point and I'd be interested in any comments > > that Comodo or other CAs might have. > > > > It really seems like a matter of

Re: Certificate Concern about Cloudflare's DNS

2016-11-03 Thread gerhard . tinned
On Wednesday, November 2, 2016 at 11:39:09 PM UTC+1, Peter Kurrasch wrote: > This raises an interesting point and I'd be interested in any comments that > Comodo or other CAs might have. > > > It appears we have a situation where a cert is being issued to what is > presumably an authorized

Re: [FORGED] Re: Certificate Concern about Cloudflare's DNS

2016-11-03 Thread gerhard . tinned
On Wednesday, November 2, 2016 at 11:34:44 PM UTC+1, Peter Gutmann wrote: > Tom Ritter writes: > > >There's been (some) mention that even if a user moves off Cloudflare, the CA > >is not obligated to revoke. > > Would it matter? I guess it depends on circumstances (whether you control the >

Re: New SHA-1 certificates issued in 2016

2016-11-03 Thread c
On Saturday, October 29, 2016 at 12:02:54 PM UTC-5, Gervase Markham wrote: > The scope of the BRs is debatable. These certs are clearly in scope for > Mozilla policy, as they chain up to trusted roots; however Mozilla > policy does not (yet) ban SHA-1 issuance other than via the BRs. This > may

Re: Certificate Concern about Cloudflare's DNS

2016-11-03 Thread Gervase Markham
On 02/11/16 23:26, gerhard.tin...@gmail.com wrote: > Before I contacted this group, I contacted Cloudflare and asked them > to stop creating certificates with my domain. The answer in short > was, ... they cannot change it and as long as I am using their > service, they will continue. How would

Re: Incident Report - certificate with 'sb' as a SAN:dnsName

2016-11-03 Thread Gervase Markham
On 18/10/16 19:15, Rob Stradling wrote: > Hi Hanno. The questions that you and others have posted are entirely > reasonable. Sorry for the delay. Robin intends to post a reply this week. It seems like this reply has not yet appeared? I would like to make sure my initial question about "Where

Re: Certificate Concern about Cloudflare's DNS

2016-11-03 Thread Han Yuwei
On Thursday, November 3, 2016 at 5:59:53 PM UTC+8, Gervase Markham wrote: > On 02/11/16 23:26, gerhard.tin...@gmail.com wrote: > > Before I contacted this group, I contacted Cloudflare and asked them > > to stop creating certificates with my domain. The answer in short > > was, ... they cannot change it and as long as I

References to key generation guideline across Mozilla

2016-11-03 Thread Tim Guan-tin Chien
Hi there, I've already been regarding the document here [1] as the updated document on "how to generate an SSH key"; however, as my new hires point out, there are other documents out there [2] [3]. Should we be updating [2] [3] and ask everyone to look at [1] instead? [1]

Re: Certificate Concern about Cloudflare's DNS

2016-11-03 Thread Patrick Figel
On 03/11/16 10:59, Gervase Markham wrote: > However, I still don't get why you want to use Cloudflare's SSL > termination services but are unwilling to allow them to get a > certificate for your domain name. > > AIUI their free tier uses certs they obtain, but if you pay, you can > provide your

Re: Certificate Concern about Cloudflare's DNS

2016-11-03 Thread Rob Stradling
On 03/11/16 09:59, Gervase Markham wrote: > On 02/11/16 23:26, gerhard.tin...@gmail.com wrote: >> Before I contacted this group, I contacted Cloudflare and asked them >> to stop creating certificates with my domain. The answer in short >> was, ... they cannot change it and as long as I am using

Re: Certificate Concern about Cloudflare's DNS

2016-11-03 Thread Rob Stradling
On 03/11/16 12:13, Han Yuwei wrote: > On Thursday, November 3, 2016 at 7:09:48 PM UTC+8, Rob Stradling wrote: >> On 03/11/16 09:59, Gervase Markham wrote: >>> On 02/11/16 23:26, gerhard.tin...@gmail.com wrote: Before I contacted this group, I contacted Cloudflare and asked them to stop creating certificates with

Re: Certificate Concern about Cloudflare's DNS

2016-11-03 Thread Jakob Bohm
On 03/11/2016 12:09, Rob Stradling wrote: In my experience, joining Cloudflare's paying tier doesn't guarantee that Cloudflare won't also obtain a free cert. A few weeks ago we moved crt.sh onto Cloudflare. It was in the paying tier from the start, and we uploaded an EV cert straight away. I

Re: Certificate Concern about Cloudflare's DNS

2016-11-03 Thread Rob Stradling
On 03/11/16 14:18, Jakob Bohm wrote: > On 03/11/2016 12:09, Rob Stradling wrote: > >> In my experience, joining Cloudflare's paying tier doesn't guarantee >> that Cloudflare won't also obtain a free cert. >> >> A few weeks ago we moved crt.sh onto Cloudflare. It was in the paying >> tier from

Re: New SHA-1 certificates issued in 2016

2016-11-03 Thread Gervase Markham
On 28/10/16 16:11, Patrick Figel wrote: > I found a number of SHA-1 certificates chaining up to CAs trusted by > Mozilla that have not been brought up on this list or on Bugzilla yet. Using the handy crt.sh link posted by Rob, I have gone through the 2016 SHA-1 issuances known to crt.sh to filter

Re: References to key generation guideline across Mozilla

2016-11-03 Thread Gervase Markham
On 03/11/16 10:30, Tim Guan-tin Chien wrote: > PS Apologies if this is not in-scope for dev-security-policy. I think you might be better off asking Mozilla IT :-) Gerv ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org

Re: New SHA-1 certificates issued in 2016

2016-11-03 Thread Andrew Ayer
On Thu, 3 Nov 2016 17:53:01 + Gervase Markham wrote: > On 28/10/16 16:11, Patrick Figel wrote: > > I found a number of SHA-1 certificates chaining up to CAs trusted by > > Mozilla that have not been brought up on this list or on Bugzilla > > yet. > > Using the handy crt.sh

Update on transition of the Verizon roots and issuance of SHA1 certificates

2016-11-03 Thread Jeremy Rowley
Resent without a signature Hi everyone, This email is intended to gather public and browser feedback on how we are handling the transition of Verizon's customers to DigiCert and share with everyone the plan for when all non-DigiCert hosted sub CAs will be fully compliant with the BRs

Re: Certificate Concern about Cloudflare's DNS

2016-11-03 Thread gerhard . tinned
On Thursday, November 3, 2016 at 10:59:53 AM UTC+1, Gervase Markham wrote: > On 02/11/16 23:26, wrote: > > Before I contacted this group, I contacted Cloudflare and asked them > > to stop creating certificates with my domain. The answer in short > > was, ... they cannot change it and as long as I

Re: Certificate Concern about Cloudflare's DNS

2016-11-03 Thread gerhard . tinned
On Thursday, November 3, 2016 at 1:23:48 PM UTC+1, Rob Stradling wrote: > On 03/11/16 12:13, Han Yuwei wrote: > > On Thursday, November 3, 2016 at 7:09:48 PM UTC+8, Rob Stradling wrote: > >> On 03/11/16 09:59, Gervase Markham wrote: > >>> On 02/11/16 23:26, gerhard.tin...@gmail.com wrote: > Before I contacted this

Re: Certificate Concern about Cloudflare's DNS

2016-11-03 Thread gerhard . tinned
On Thursday, November 3, 2016 at 11:23:18 PM UTC+1, Matt Palmer wrote: > On Thu, Nov 03, 2016 at 02:08:04PM -0700, gerhard.tin...@gmail.com wrote: > > Sadly, the shady behaviour is not with Comodo but with Cloudflare. As > > Cloudflare does not state anywhere that they issue certificates when SSL

Re: Certificate Concern about Cloudflare's DNS

2016-11-03 Thread Matt Palmer
On Thu, Nov 03, 2016 at 03:39:11PM -0700, gerhard.tin...@gmail.com wrote: > On Thursday, November 3, 2016 at 11:23:18 PM UTC+1, Matt Palmer wrote: > > On Thu, Nov 03, 2016 at 02:08:04PM -0700, gerhard.tin...@gmail.com wrote: > > > Sadly, the shady behaviour is not with Comodo but with Cloudflare.

Re: Update on transition of the Verizon roots and issuance of SHA1 certificates

2016-11-03 Thread Han Yuwei
On Friday, November 4, 2016 at 3:52:23 AM UTC+8, Jeremy Rowley wrote: > Resent without a signature > > > > Hi everyone, > > > > This email is intended to gather public and browser feedback on how we are > handling the transition of Verizon's customers to DigiCert and share with > everyone the plan for when

RE: Update on transition of the Verizon roots and issuance of SHA1 certificates

2016-11-03 Thread Jeremy Rowley
I'm not sure exactly what you are asking. These sub CAs are cross-signs with other entities. DigiCert controls the root, but not the issuing CAs. Except for the ones I listed, they are all WebTrust or ETSI audited so we trust them. They are primarily government, large corporations, and other

Re: Update on transition of the Verizon roots and issuance of SHA1 certificates

2016-11-03 Thread Peter Bowen
On Thu, Nov 3, 2016 at 11:28 AM, Jeremy Rowley wrote: > This email is intended to gather public and browser feedback on how we are > handling the transition of Verizon's customers to DigiCert and share with > everyone the plan for when all non-DigiCert hosted sub CAs