Re: Violations of Baseline Requirements 4.9.10

2017-08-30 Thread Kurt Roeckx via dev-security-policy
On 2017-08-30 08:46, Adriano Santoni wrote: >>  - 2 are technically constrained sub-CAs ( https://crt.sh/?id=147626411 / https://crt.sh/?id=47081615 ) Those two are actually the same certificate; it's not clear to me why they appear twice on crt.sh I didn't look if all the name constraints

Re: Violations of Baseline Requirements 4.9.10

2017-08-30 Thread Adriano Santoni via dev-security-policy
>>  - 2 are technically constrained sub-CAs ( https://crt.sh/?id=147626411 / https://crt.sh/?id=47081615 ) Those two are actually the same certificate; it's not clear to me why they appear twice on crt.sh On 29/08/2017 18:50, Ryan Sleevi via dev-security-policy wrote: On Tue, Aug 29,

Re: Remove old WoSign root certs from NSS

2017-08-30 Thread Kathleen Wilson via dev-security-policy
Posted: https://blog.mozilla.org/security/2017/08/30/removing-disabled-wosign-startcom-certificates-firefox-58/ I will look into getting this translated and published in China. Thanks, Kathleen ___ dev-security-policy mailing list

Re: Remove old WoSign root certs from NSS

2017-08-30 Thread Percy via dev-security-policy
Links to all of WoSign's announcements in case anyone wants to verify. https://www.wosign.com/news/index.htm year 2017 https://www.wosign.com/news/index2016.htm year 2016

Re: Remove old WoSign root certs from NSS

2017-08-30 Thread Percy via dev-security-policy
In fact, can you tell us, when was the first time WoSign started to notify users about replacing certs? I've dug through all of WoSign's announcements and the first and in fact the ONLY announcement regarding replacing certs is dated July 10th, 2017, titled Announcement regarding Google's

RE: Violations of Baseline Requirements 4.9.10

2017-08-30 Thread Peter Miškovič via dev-security-policy

FW: Violations of Baseline Requirements 4.9.10

2017-08-30 Thread Cristian Garabet via dev-security-policy
Hi Paul, Thank you for the feedback. We acknowledge the reported issues. Regarding the OCSP for certSIGN Enterprise CA Class 3 G2 subCA, the problem was due to a misconfiguration and has been fixed today. Regarding the OCSP for certSIGN ROOT CA the problem is due to a software limitation and

Re: Violations of Baseline Requirements 4.9.10

2017-08-30 Thread Alex Gaynor via dev-security-policy
Hi Ben, I'm not sure it should matter that a CA _does_ only issue client certs -- in the DigiNotar-style situation for which this rule was envisioned, the relevant thing is whether the cert is _capable_ of issuing server certs. Alex On Tue, Aug 29, 2017 at 12:43 PM, Ben Wilson via

Re: Violations of Baseline Requirements 4.9.10

2017-08-30 Thread David Fernandez via dev-security-policy
Hi Paul, can you provide what you posted, for example attaching the OCSP response? I mean if I query for a non-existent certificate, I get the following answer: openssl ocsp -no_cert_verify -no_signature_verify -issuer SSLEV_IZENPE.cer -serial 0x295990755083049101712519384020072382191 -url

Re: Violations of Baseline Requirements 4.9.10

2017-08-30 Thread Paul Kehrer via dev-security-policy
Hi David, If you use the cert at https://crt.sh/?id=1616324 as issuer (the root itself) and run this command: openssl ocsp -issuer 1616324.crt -serial 10101010101010111101001101 -url http://ocsp.izenpe.com -noverify You will get back This Update: Jun 22 11:06:43 2017 GMT Next Update: Jun

RE: Violations of Baseline Requirements 4.9.10

2017-08-30 Thread Peter Miškovič via dev-security-policy
Hi Paul, thank you for the information. We had a holiday here in Slovakia yesterday. We are starting the investigation of this problem now. Regards. Peter Miskovic From: Paul Kehrer [mailto:paul.l.keh...@gmail.com] Sent: Tuesday, August 29, 2017 2:48 PM To:

Re: Violations of Baseline Requirements 4.9.10

2017-08-30 Thread David Fernandez via dev-security-policy
Hi Paul, thank you for the clarification, I thought you were talking about subordinates. Regards, On Wednesday, 30 August 2017, 10:58:34 (UTC+2), Paul Kehrer wrote: > Hi David, > > If you use the cert at https://crt.sh/?id=1616324 as issuer (the root > itself) and run this command: >

RE: Violations of Baseline Requirements 4.9.10

2017-08-30 Thread Paul Kehrer via dev-security-policy
On August 30, 2017 at 4:53:54 AM, Ben Wilson via dev-security-policy ( dev-security-policy@lists.mozilla.org) wrote: This CA is technically constrained: DN: C=CH, L=Zurich, O=ABB, CN=ABB Issuing CA 6 Hi Ben, ABB Intermediate CA 3 (https://crt.sh/?id=7739892), which issued ABB Issuing CA

Re: Violations of Baseline Requirements 4.9.10

2017-08-30 Thread identrust--- via dev-security-policy
On Tuesday, August 29, 2017 at 9:41:07 AM UTC-4, Paul Kehrer wrote: > I've recently completed a scan of OCSP responders with a focus on checking > whether they are compliant with BR section 4.9.10's requirement: "Effective > 1 August 2013, OCSP responders for CAs which are not Technically >

Re: Remove old WoSign root certs from NSS

2017-08-30 Thread Percy via dev-security-policy
It's true that the first post has a link to that second post. However, the related sentence is To learn more, please visit "Announcement regarding Google's decision on July 7th", with a hyperlink to the second post. And only the second post mentions anything about replacing certs. I hardly

Re: Remove old WoSign root certs from NSS

2017-08-30 Thread Percy via dev-security-policy
On Wednesday, August 30, 2017 at 11:15:04 AM UTC-7, Kathleen Wilson wrote: > Posted: > > https://blog.mozilla.org/security/2017/08/30/removing-disabled-wosign-startcom-certificates-firefox-58/ > > I will look into getting this translated and published in China. > > Thanks, > Kathleen Thank you

RE: Violations of Baseline Requirements 4.9.10

2017-08-30 Thread Peter Miškovič via dev-security-policy
Hi Paul, we found the problem with the OCSP response for SubCA R1I1 and SubCA R2I2 and fixed it yesterday afternoon. The problem with the OCSP response for the RootCA will be fixed by the end of next week. They are offline and there is no real possibility to issue an SSL certificate directly by them even if