Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-26 Thread Adam Caudill via dev-security-policy
Much has been written about this issue of late; most of the focus has been on Let's Encrypt, but they are not the only CA issuing certificates to phishing sites, though because of the scale Let's Encrypt operates at, they issue the most, and thus take most of the heat. One of the better articles

Re: On the value of EV

2017-12-11 Thread Adam Caudill via dev-security-policy
> However, I don't believe "technically correct, but intentionally misleading" information should be included in certificates. The question is how best to accomplish that. How would you determine what's misleading, and what isn't? As mentioned, the Stripe, Inc of Kentucky could present an image

Re: On the value of EV

2017-12-11 Thread Adam Caudill via dev-security-policy
> > > Even if it is, someone filed the paperwork. Court houses have clerks, > > > guards, video cameras, etc... It still may present a real physical point > > > from which to bootstrap an investigation. > > > > Court houses also have online systems. I think if you read both Ian and James' work,

Re: Pre-Incident Report - GoDaddy Serial Number Entropy

2019-03-12 Thread Adam Caudill via dev-security-policy
Daymion, You linked to a thread in m.d.s.p and cited it as confirming a specific interpretation of 7.1 - as that's a long thread (with some possible questionable information), could you possibly share what criteria you used to determine what certificates were impacted by this issue and which

Re: Pre-Incident Report - GoDaddy Serial Number Entropy

2019-03-15 Thread Adam Caudill via dev-security-policy
Daymion, (Apologies in advance if I've missed something that led to these results. These results rely on the crt.sh database, which I will admit to being less familiar with than I would like.) While recently looking at some randomly selected recent certificates from this CA:

Re: Pre-Incident Report - GoDaddy Serial Number Entropy

2019-03-15 Thread Adam Caudill via dev-security-policy
> Lastly, it was identified\discussed since we were STARTING with 64bits it was > acceptable. Therefore, GoDaddy was in compliance prior to 3/7. After this > discussion we changed back to the pre 3/7 configuration on 3/13. Thanks for the additional explanation, greatly appreciated. >From