Re: Misissued/Suspicious Symantec Certificates

2017-02-28 Thread Ryan Sleevi via dev-security-policy
On Fri, Feb 24, 2017 at 4:51 PM, Ryan Sleevi wrote: > > > On Wed, Feb 22, 2017 at 8:32 PM, Ryan Sleevi wrote: > >> Hi Steve, >> >> Thanks for your continued attention to this matter. Your responses open >> many new and important questions and which give serious

Re: Suspicious test.com Cert Issued By GlobalSign

2017-02-28 Thread douglas.beattie--- via dev-security-policy
On Monday, February 27, 2017 at 11:04:53 AM UTC-5, Gervase Markham wrote: > Hi Doug, > > On 15/02/17 17:09, Gervase Markham wrote: > > But currently GlobalSign employees still are? > > > > If so, can you help us understand why that's necessary? Given that you > > control the domains used for

Re: Incapsula via GlobalSign issued[ing] a certificate for non-existing domain (testslsslfeb20.me)

2017-02-28 Thread Nick Lamb via dev-security-policy
On Tuesday, 28 February 2017 12:29:30 UTC, Itzhak Daniel wrote: > I also would like to have an official reply from GlobalSign saying that "on > the date they issue the certificate the domain exists". Doug/ GlobalSign has responded but I'll mention here that lists of recently abandoned domain

Re: Incapsula via GlobalSign issued[ing] a certificate for non-existing domain (testslsslfeb20.me)

2017-02-28 Thread Nick Lamb via dev-security-policy
On Tuesday, 28 February 2017 16:00:47 UTC, Nick Lamb wrote: > e.g. http://domaingraveyard.com/list/2016-05-10.txt Typical, I posted that and then I checked from another browser and it now gives an access error. Anyway, there are others of the same ilk out there, these names (at least some of

Re: (Possible) DigiCert EV Violation

2017-02-28 Thread Gervase Markham via dev-security-policy
On 27/02/17 21:41, Ryan Sleevi wrote: > During a past discussion of precertificates, at > https://groups.google.com/d/msg/mozilla.dev.security.policy/siHOXppxE9k/0PLPVcktBAAJ > , Mozilla did not discuss whether or not it considered > precertificates misissuance, although one module peer (hi! it's

Re: Incapsula via GlobalSign issued[ing] a certificate for non-existing domain (testslsslfeb20.me)

2017-02-28 Thread Itzhak Daniel via dev-security-policy
On Tuesday, February 28, 2017 at 1:38:25 PM UTC+2, Gervase Markham wrote: > I think that without more evidence we must assume that GlobalSign > validated this domain correctly at a time when it existed. There are many more test*.* domains, none of those (about 10) I checked exist. I will compose

Re: Incapsula via GlobalSign issued[ing] a certificate for non-existing domain (testslsslfeb20.me)

2017-02-28 Thread Gervase Markham via dev-security-policy
On 26/02/17 00:50, Itzhak Daniel wrote: > I talked with Ofer from Incapsula, he said the domain existed at some > point; Someone have access to domain tools or other tool to verify > this matter? Based on domaintools I can say the domain did exist but > I can't tell when it ceased to exist. I think

Re: Google Trust Services roots

2017-02-28 Thread Gervase Markham via dev-security-policy
Ryan H, On 23/02/17 04:40, Peter Bowen wrote: > Both Gerv and I posted follow up questions almost two weeks ago. I > know you have been busy with CT days. When do you expect to have > answers available? Ping? :-) Gerv

Re: Incapsula via GlobalSign issued[ing] a certificate for non-existing domain (testslsslfeb20.me)

2017-02-28 Thread douglas.beattie--- via dev-security-policy
On Tuesday, February 28, 2017 at 7:29:30 AM UTC-5, Itzhak Daniel wrote: > On Tuesday, February 28, 2017 at 1:38:25 PM UTC+2, Gervase Markham wrote: > > I think that without more evidence we must assume that GlobalSign > > validated this domain correctly at a time when it existed. > > There are

Re: Incapsula via GlobalSign issued[ing] a certificate for non-existing domain (testslsslfeb20.me)

2017-02-28 Thread Itzhak Daniel via dev-security-policy
On Tuesday, February 28, 2017 at 6:00:47 PM UTC+2, Nick Lamb wrote: > This is useful independent evidence that (at least some of) the names did > exist at one time. The problem is that they're "re-keying" certificates for domains that are no longer in control of their subscribers (as Andrew

Re: Misissued/Suspicious Symantec Certificates

2017-02-28 Thread Santhan Raj via dev-security-policy
On Friday, February 24, 2017 at 5:12:43 PM UTC-8, Peter Bowen wrote: > "auditing standards that underlie the accepted audit schemes found in > Section 8.1" > > This is obviously an error in the BRs. That language is taken from > Section 8.1 and there is no list of schemes in 8.1. > > 8.4 does

Re: GlobalSign BR violation

2017-02-28 Thread Ryan Sleevi via dev-security-policy
On Tue, Feb 28, 2017 at 8:53 AM, douglas.beattie--- via dev-security-policy wrote: > > Yes, we're working to do just this now. While that's good and well, I do hope GlobalSign will produce an incident report regarding this matter, as to how the situation

Re: GlobalSign BR violation

2017-02-28 Thread Ryan Sleevi via dev-security-policy
On Tue, Feb 28, 2017 at 12:02 PM, douglas.beattie--- via dev-security-policy wrote: > Ryan, > > GlobalSign certificate issuance has been referenced in several different > threads recently and I think most of them are closed; however, if you feel >