> > >
> > > > Those tests were done to check the CT behaviour, there was any
> > > > other
> > > testing of the new systems, just for the CT. Those certs were under
> > > control all the time and were lived for some minutes because were
> > > revoked inmediately after checking the certs were
>
> > Those tests were done to check the CT behaviour, there was any other
> testing of the new systems, just for the CT. Those certs were under control
> all
> the time and were lived for some minutes because were revoked inmediately
> after checking the certs were logged correctly in the CTs.
On Friday, September 15, 2017 at 12:30:00 PM UTC+1, James Burton wrote:
> On Friday, September 15, 2017 at 10:56:11 AM UTC+1, Inigo Barreira wrote:
> > >
> > > > Those tests were done to check the CT behaviour, there was any other
> > > testing of the new systems, just for the CT. Those certs
> Hi Inigo,
>
> To add from the last post.
>
> I know this is unwelcome news to you but I feel that with all these incidents
> happening right now with Symantec and the incidents before, we can't really
> take any more chances. Every incident is eroding trust in this system and if
> we
> want
Thank you very much Nick for this analysis and the time past on our request.
You will find below additional information. The publication of the updated CP /
CPS will be immediate, as soon as you confirm that the level of detail is
sufficient for you.
Thank you in advance for your help and
On Friday, September 15, 2017 at 10:56:11 AM UTC+1, Inigo Barreira wrote:
> >
> > > Those tests were done to check the CT behaviour, there was any other
> > testing of the new systems, just for the CT. Those certs were under control
> > all
> > the time and were lived for some minutes because
On 15/09/17 13:55, cornelia.enk...@gmail.com wrote:
> technically the CA now is disabled to sign certificates using SHA1
But presumably you thought that was true before this incident? (And if
not, why not?)
Gerv
___
dev-security-policy mailing list
> > Yes, you´re right, that was on the table and also suggested by
> > Mozilla, but the issue was that people from 360 are used to code in
> > PHP and the old one was in Java and some other for which they are not
> > so familiar and then was decided to re-write all the code in PHP
> > trying to
>
> Hi Inigo,
>
> On 14/09/17 16:05, Inigo Barreira wrote:
> > Those tests were done to check the CT behaviour, there was any other
> testing of the new systems, just for the CT.
>
> Is there any reason those tests could not have been done using a parallel
> testing hierarchy (other than the
Hi Inigo,
On 14/09/17 16:05, Inigo Barreira wrote:
> Those tests were done to check the CT behaviour, there was any other testing
> of the new systems, just for the CT.
Is there any reason those tests could not have been done using a
parallel testing hierarchy (other than the fact that you
On 15/09/17 09:24, Inigo Barreira wrote:
> AFAIK, Certinomis only disclosed in the CCADB
That means it's published and available. As noted in my other reply,
information as to exactly what this cross-sign enables trust for would
be most helpful, as I may have misunderstood previous statements on
I'm fairly confused by your answers, if the only thing you tested in
production was CT, why was the system issuing non-compliant certs? Why did
production CT testing come before having established, tested, and verified
a compliant certificate profile?
Alex
On Fri, Sep 15, 2017 at 10:35 AM, Inigo
We applaud the recent addition of CAA checking requirements to the Baseline
Requirements. However, there are known problems with the CAA checking algorithm
specified in RFC 6844, and those problems are leading to many reports from our
subscribers. The issues are described here:
Hey Ryan – Thanks a ton for this post. I’m working on a reply and should have
something next week, but I wanted to acknowledge that we saw the post and are
working on providing the information requested.
Jeremy
From: Ryan Sleevi [mailto:r...@sleevi.com]
Sent: Thursday, September 14,
Am Mittwoch, 6. September 2017 21:47:54 UTC+2 schrieb Rob Stradling:
> Hi Conny. Are you able to post those 2 certificates to some CT logs and
> provide crt.sh links?
>
> You've said that both certs have the same SHA-1 Fingerprint. Are you
> sure about that?
>
> On 06/09/17 20:38,
Am Mittwoch, 6. September 2017 22:38:35 UTC+2 schrieb Nick Lamb:
> Thanks for writing this incident report.
>
> The latter of the two certificates was issued after popular web browsers had
> ceased accepting SHA-1 as far as I understand it. As a result it seems likely
> that it would not have
> On 14/09/2017 17:05, Inigo Barreira wrote:
> > All,
> >
> > ...
> >>
> >> We should add the existing Certnomis cross-signs to OneCRL to revoke
> >> all the existing certificates. As of 10th August (now a month ago)
> >> StartCom said they have 5 outstanding SSL certs which are valid
> >> due
> Those tests were done to check the CT behaviour, there was any other testing
> of the new systems, just for the CT. Those certs were under control all the
> time and were lived for some minutes because were revoked inmediately after
> checking the certs were logged correctly in the CTs. It´s
On Friday, September 8, 2017 at 3:25:20 PM UTC-4, Andrew Ayer wrote:
> The BRs state:
>
> "Effective as of 8 September 2017, section 4.2 of a CA's Certificate
> Policy and/or Certification Practice Statement (section 4.1 for CAs
> still conforming to RFC 2527) SHALL state the CA's policy or
Hi Percy,
Yes, you´re right, that was on the table and also suggested by Mozilla, but
the issue was that people from 360 are used to code in PHP and the old one
was in Java and some other for which they are not so familiar and then was
decided to re-write all the code in PHP trying to keep the
Yes, there are similar ones everywhere, so I´m familiar with it :-)
And you´re right, I also make contributions in many other places, ETSI, ENISA,
CABF (used to), ... and not get paid for that, but it´s also true that the way
the distrust happened didn´t give us time or much time to act
Am Montag, 11. September 2017 12:38:38 UTC+2 schrieb Gervase Markham:
> Hi Connie,
>
> On 06/09/17 20:38, cornelia.enk...@gmail.com wrote:
> > SwissSign has identified the following incident:
> > two Certificate signed with SHA1: Violation BR 7.3.1
>
> Thank you for this report. There have been
I suspect many smaller CAs are non-compliant too, for example gandi's CPS
hasn't changed since 2009 according to its changelog.
https://www.gandi.net/static/docs/en/gandi-certification-practice-statement.pdf
Cheers
Rich.
___
dev-security-policy
On Fri, Sep 15, 2017 at 12:30 PM, Inigo Barreira via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> >
> > Hi Inigo,
> >
> > On 14/09/17 16:05, Inigo Barreira wrote:
> > > Those tests were done to check the CT behaviour, there was any other
> > testing of the new systems,
24 matches
Mail list logo
