On Fri, 2 Mar 2018 16:10:52 +0900
Hector Martin 'marcan' via dev-security-policy
wrote:
> And what does Comodo think of all of this?
I'd like to second this.
When I wrote the original mail in this thread I considered adding
questions to Comodo, but I thought it's so obvious and Comodo people
wi
Not in my opinion. If my house is burning, I expect someone to call the fire
department even if I am not aware/convinced that the house is burning.
The fact that they disabled their website is evidence that the Twitter posts
were no fake.
Am Donnerstag, 1. März 2018 20:53:16 UTC+1 schrieb Tim Sh
> The code injection occurred on an interface they had to check the
> certificate of an arbitrary server. When 127.0.0.1 was used, the
> trustico.com certificate was returned. That means the local web server
> was handling TLS, not a remote load balancer solution (unless somehow
> 127.0.0.1 was for
Comodo CA has investigated the reports posted to this list relating to the
suspected compromise of the private key corresponding to
https://crt.sh/?id=206535041. Trustico have assured us that the private key
could not have been compromised. However, since it will be hard to convince
everyone that
Thanks everyone for your input on this topic. The consensus seems to be
that allowing WebExtensions to muck with certificate validation decisions
is a bad idea. The bug [1] has been updated with that sentiment and a link
to this discussion.
- Wayne
[1] https://bugzilla.mozilla.org/show_bug.cgi?id
We also asked Trustico to cease offering any tools to generate and/or
retain customer private keys. They have complied with this request and
have confirmed that they do not intend to offer any such tools again in
the future.
Trustico have also confirmed to us that they were not, and are not,
Update:
Mozilla is moving forward with our implementation of the consensus plan for
Symantec roots [1]. With the exception of whitelisted subordinate CAs using
the keys listed on the wiki [2], Symantec certificates are now blocked by
default on Nightly builds of Firefox. The preference
"security.p
https://crt.sh/?id=206535041 is now revoked.
Regards,
Rich Smith
smime.p7s
Description: S/MIME cryptographic signature
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Hi Wayne,
Is the Firefox 60 update in May the same as the combination of the April and
October Chrome updates, in that all Symantec certificates will be untrusted on
this date (5 months before Chrome)?
Doug
> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-
>
(re-sending to list)
> We also asked Trustico to cease offering any tools to generate and/or
retain customer private keys.
Does Comodo intend to standardize a policy against this? GoGetSSL has a
tool like this in their customer panel and I’m sure there are more.
On Fri, Mar 2, 2018 at 12:29 PM R
On Fri, Mar 2, 2018 at 11:58 AM, Doug Beattie
wrote:
> Hi Wayne,
>
> Is the Firefox 60 update in May the same as the combination of the April
> and October Chrome updates, in that all Symantec certificates will be
> untrusted on this date (5 months before Chrome)?
>
> Sorry for not making that cl
That's not what Trustico are saying in their fulfilment emails (received during
the purchase of a Trustico® certificate through Comodo CA this morning):
'If you chose to have us generate your CSR during the ordering process, you
will need to contact us for a copy of your corresponding Private Ke
> Trustico have assured us that the private key
> could not have been compromised.
Did they elaborate on how they came to that "could not have been" conclusion?
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mo
This request is for inclusion of the Camerfirma CHAMBERS OF COMMERCE ROOT -
2016 (CCR2016) and GLOBAL CHAMBERSIGN ROOT - 2016 (GCSR2016) as documented
in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=986854
* BR Self Assessment is here:
https://bugzilla.mozilla.org/attachment.cgi
On 3/2/2018 2:05 PM, Wayne Thayer wrote [in part]:
[snipped]
NOTE: The fact that I have snipped some of the items under "==Bad=="
does not mean I consider them unimportant. However, the items on
which I comment I consider to be most important.
> ==Bad==
> * The inclusion request referenc
On Fri, Mar 2, 2018 at 3:47 PM, David E. Ross via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On 3/2/2018 2:05 PM, Wayne Thayer wrote [in part]:
>
> [snipped]
>
> NOTE: The fact that I have snipped some of the items under "==Bad=="
> does not mean I consider them
16 matches
Mail list logo