The fact that this mis-issuance occurred does raise a question for the
community.
For quite some time, it has been repeatedly emphasized that maintaining a
non-trusted but otherwise identical staging environment and practicing all
permutations of tests and issuances -- especially involving new
> During final tests for the general availability of wildcard
> certificate support, the Let's Encrypt operations team issued six test
> wildcard certificates under our publicly trusted root:
>
> https://crt.sh/?id=353759994
> https://crt.sh/?id=353758875
> https://crt.sh/?id=353757861
>
On 12.03.2018 22:19, Kathleen Wilson via dev-security-policy wrote:
> Wayne and I have posted a Mozilla Security Blog regarding the current
> plan for distrusting the Symantec TLS certs.
>
> https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
Hello Kathleen and
On Tuesday, March 13, 2018 at 3:33:50 AM UTC-5, Tom wrote:
> > During final tests for the general availability of wildcard
> > certificate support, the Let's Encrypt operations team issued six test
> > wildcard certificates under our publicly trusted root:
> >
> > https://crt.sh/?id=353759994
> >
Same question. Does this mean the key used to sign the digicert roots is
subject to the distrust without exception?
> On Mar 13, 2018, at 1:36 PM, Kai Engert via dev-security-policy
> wrote:
>
>> On 12.03.2018 22:19, Kathleen Wilson via
On 13.03.2018 15:35, Ryan Sleevi via dev-security-policy wrote:
>
>> Are the DigiCert transition CAs, which are part of the exclusion list,
>> and which you say are used for "Managed Partner Infrastructure",
>> strictly limited to support the needs of the Apple and Google companies?
>
>
> No.
On Tue, Mar 13, 2018 at 7:19 AM, Kai Engert via dev-security-policy
wrote:
> On 13.03.2018 14:59, Ryan Sleevi wrote:
>> the blog post says, the subCAs controlled by Apple and Google are the
>> ONLY exceptions.
>>
>> However, the Mozilla Firefox
On Tue, Mar 13, 2018 at 7:55 AM, Kai Engert via dev-security-policy
wrote:
> On 13.03.2018 15:35, Ryan Sleevi via dev-security-policy wrote:
>>
>>> Are the DigiCert transition CAs, which are part of the exclusion list,
>>> and which you say are used for
On Tue, Mar 13, 2018 at 10:55 AM, Kai Engert wrote:
> On 13.03.2018 15:35, Ryan Sleevi via dev-security-policy wrote:
> >
> >> Are the DigiCert transition CAs, which are part of the exclusion list,
> >> and which you say are used for "Managed Partner Infrastructure",
> >> strictly
On Tue, Mar 13, 2018 at 10:19 AM, Kai Engert via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On 13.03.2018 14:59, Ryan Sleevi wrote:
> > the blog post says, the subCAs controlled by Apple and Google are the
> > ONLY exceptions.
> >
> > However, the Mozilla
On Tue, Mar 13, 2018 at 10:52 AM, Peter Bowen wrote:
> On Tue, Mar 13, 2018 at 7:19 AM, Kai Engert via dev-security-policy
> wrote:
> > On 13.03.2018 14:59, Ryan Sleevi wrote:
> >> the blog post says, the subCAs controlled by Apple
On 13.03.2018 15:59, Peter Bowen wrote:
>>
>> Which companies, other than Apple and Google, benefit from DigiCert
>> running the Manager Partner Infrastructure and from DigiCert being part
>> of the exclusion list?
>
> An unlimited set. Any company who purchases a certificate from
> DigiCert
On Tue, Mar 13, 2018 at 11:50 AM, Ryan Sleevi wrote:
>
>
> On Tue, Mar 13, 2018 at 11:26 AM, Kai Engert wrote:
>
>> On 13.03.2018 15:59, Peter Bowen wrote:
>> >>
>> >> Which companies, other than Apple and Google, benefit from DigiCert
>> >> running the Manager
As I didn't write the blog post, I certainly can't speak to the
intent
The intent of the blog post was to let folks know about an error they
may encounter when Firefox 60 goes into Beta. And to have a place to
point folks to if they run into the error and ask about it.
It was *not* our
On Tuesday, March 13, 2018 at 2:02:45 PM UTC-7, Ryan Sleevi wrote:
> I'm hoping that LE can provide more details about the change management
> process and how, in light of this incident, it may change - both in terms
> of automated testing and in certificate policy review.
Forgot to reply to this
On Tue, Mar 13, 2018 at 4:13 PM, Matthew Hardeman via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> I am not at all suggesting consequences for Let's Encrypt, but rather
> raising a question as to whether that position on new inclusions / renewals
> is appropriate. If
On Tue, Mar 13, 2018 at 4:02 PM, Ryan Sleevi wrote:
>
>
> On Tue, Mar 13, 2018 at 4:13 PM, Matthew Hardeman via dev-security-policy
> wrote:
>
>> I am not at all suggesting consequences for Let's Encrypt, but rather
>> raising a question
On Tuesday, March 13, 2018 at 2:02:45 PM UTC-7, Ryan Sleevi wrote:
> availability of certificate linting tools - such as ZLint, x509Lint,
> (AWS's) certlint, and (GlobalSign's) certlint - there's no dearth of
> availability of open tools and checks. Given the industry push towards
> integration of
On Tue, Mar 13, 2018 at 11:26 AM, Kai Engert wrote:
> On 13.03.2018 15:59, Peter Bowen wrote:
> >>
> >> Which companies, other than Apple and Google, benefit from DigiCert
> >> running the Manager Partner Infrastructure and from DigiCert being part
> >> of the exclusion list?
> >
>