Re: Possible DigiCert in-addr.arpa Mis-issuance

2019-02-28 Thread Daniel McCarney via dev-security-policy
>
> I believe the list was merely a crt.sh query of all unexpired certificates
> with a dNSName ending in "in-addr.arpa":
> https://crt.sh/?dNSName=%25.in-addr.arpa=expired

Any list for this general issue should also consider unexpired certificates with a dNSName ending in "ip6.arpa" to cover

Re: Possible DigiCert in-addr.arpa Mis-issuance

2019-02-28 Thread Ryan Sleevi via dev-security-policy
On Thu, Feb 28, 2019 at 6:21 AM Nick Lamb via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> On Thu, 28 Feb 2019 05:52:14 +
> Jeremy Rowley via dev-security-policy
> wrote:
>
> Hi Jeremy,
>
> > 4. The validation agent specified the approval scope as id-addr.arpa
>
> I

AW: CFCA certificate with invalid domain

2019-02-28 Thread Buschart, Rufus via dev-security-policy
I just sent them a certificate problem report.

With best regards,
Rufus Buschart

Siemens AG
Information Technology
Human Resources
PKI / Trustcenter
GS IT HR 7 4
Hugo-Junkers-Str. 9
90411 Nuernberg, Germany
Tel.: +49 1522 2894134
mailto:rufus.busch...@siemens.com
www.twitter.com/siemens

Re: Possible DigiCert in-addr.arpa Mis-issuance

2019-02-28 Thread Nick Lamb via dev-security-policy
On Thu, 28 Feb 2019 05:52:14 + Jeremy Rowley via dev-security-policy wrote:

Hi Jeremy,

> 4. The validation agent specified the approval scope as id-addr.arpa

I assume this is a typo by you not the agent, for in-addr.arpa?

Meanwhile, and without prejudice to the report itself once made:

Re: DarkMatter Concerns

2019-02-28 Thread Ryan Sleevi via dev-security-policy
(Writing in a personal capacity) I want to preemptively apologize for the length of this message. Despite multiple rounds of editing, there's still much to be said, and I'd prefer to say it in public, in the spirit of those past discussions, so that they can be both referred to and (hopefully)

Public CA:certs with unregistered FQDN mis-issuance

2019-02-28 Thread lcchen.cissp--- via dev-security-policy
1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

Ans: One of our staff in the PKI group was taking samples of

Incident report for DarkMatter CA - change to 128-bit serialNumbers

2019-02-28 Thread Scott Rea via dev-security-policy
This incident report relates to the 64-bit serial numbers in all certificates that DarkMatter CAs have issued since their inception. The dialog surrounding CABF Ballot 164 “Certificate Serial Number Entropy” was unknown to DarkMatter until shared with us recently by Ryan Sleevi of Google, and

Re: Possible DigiCert in-addr.arpa Mis-issuance

2019-02-28 Thread Matthew Hardeman via dev-security-policy
In addition to the GDPR concerns over WHOIS and RDAP data, reliance upon these data sources has a crucial differentiation from other domain validation methods. Specifically, the WHOIS/RDAP data sources are entirely "off-path" with respect to how a browser will locate and access a given site. To

Re: DarkMatter Concerns

2019-02-28 Thread Matthew Hardeman via dev-security-policy
I wanted to take a few moments to say that I believe that Ryan Sleevi's extensive write-up is one of the most meticulously supported and researched documents that I've seen discuss this particular aspect of trust delegation decisions as pertains to the various root programs. It is an incredible

Re: Possible DigiCert in-addr.arpa Mis-issuance

2019-02-28 Thread Matthew Hardeman via dev-security-policy
On Wednesday, February 27, 2019 at 8:54:35 AM UTC-6, Jakob Bohm wrote:
> One hypothetical use would be to secure BGP traffic, as certificates
> with IpAddress SANs are less commonly supported.

The networking / interconnection world has already worked out the trust hierarchy for the RPKI scheme.

Re: Reply: Certificate Problem Report (9WG: CFCA certificate with invalid domain)

2019-02-28 Thread Paul Kehrer via dev-security-policy
Hi Jonathan, When something like this occurs the Mozilla community asks for an incident report explaining how the incident occurred, what was done to remediate it, and what procedures and technical controls have been put in place to prevent a future recurrence of the problem. You can see