Re: Misissued/Suspicious Symantec Certificates

2017-02-17 Thread urijah--- via dev-security-policy
On Friday, February 17, 2017 at 7:50:31 PM UTC-5, uri...@gmail.com wrote: > On Friday, February 17, 2017 at 7:23:54 PM UTC-5, Ryan Sleevi wrote: > > I have confirmed with CPA > > Canada that at during the 2016 and 2017 periods, EY Brazil was not a > > licensed WebTrust practitioner, as indicated

Re: Misissued/Suspicious Symantec Certificates

2017-02-17 Thread urijah--- via dev-security-policy
On Friday, February 17, 2017 at 7:23:54 PM UTC-5, Ryan Sleevi wrote: > I have confirmed with CPA > Canada that at during the 2016 and 2017 periods, EY Brazil was not a > licensed WebTrust practitioner, as indicated at [4]. > > [4] >

Re: Misissued/Suspicious Symantec Certificates

2017-02-17 Thread urijah--- via dev-security-policy
On Friday, February 17, 2017 at 10:19:06 PM UTC-5, Ryan Sleevi wrote: > On Fri, Feb 17, 2017 at 5:17 PM, urijah--- via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > On Friday, February 17, 2017 at 7:50:31 PM UTC-5, uri...@gmail.com wrote: > &g

Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-28 Thread urijah--- via dev-security-policy
https://www.bleepingcomputer.com/news/security/researcher-says-api-flaw-exposed-symantec-certificates-including-private-keys/ Does anyone have further information about this? ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org

Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-28 Thread urijah--- via dev-security-policy
For what it's worth, this is the latest post on facebook from the researcher. https://www.facebook.com/cbyrneiv/posts/10155129935452436 The private key storage issue sounds like a reseller tool, like https://www.thesslstore.com/ssltools/csr-generator.php and he found the private key was stored

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-04-01 Thread urijah--- via dev-security-policy
I think page 8 of their manual at least partially explains how and what "QuickInvite" is. The whole document is rather interesting... https://www.geotrust.com/geocenter/resources/partnercenter-user-guide.pdf On Saturday, April 1, 2017 at 6:01:23 AM UTC-4, Nick Lamb wrote: > On Friday, 31 March

Re: Symantec Issues doc updated

2017-04-11 Thread urijah--- via dev-security-policy
>Within a few days of discovering these issues they shut down their >entire RA program. That seems pretty swift and comprehensive to me. The >fact that they didn't discover these issues for years is clearly a >problem, but it's not the same problem. I don't believe that's a fair

Re: SHA-1 serverAuth cert issued by Trustis in November 2016

2017-04-12 Thread urijah--- via dev-security-policy
Is there an expectation of a resolution of some sort to this matter? Also, their most recent audit is apparently overdue (perhaps related to the SHA-1 mis-issuance?) https://groups.google.com/d/msg/mozilla.dev.security.policy/IjgFwzGI_H0/-689uFoXBwAJ On Thursday, March 16, 2017 at 7:00:51 AM

Re: Symantec Conclusions and Next Steps

2017-04-28 Thread urijah--- via dev-security-policy
Richard, Did you communicate to your customers over the last 6 months that their existing certificates may become distrusted? Or did they find out when their sites stopped working in Chrome? On Friday, April 28, 2017 at 4:19:01 AM UTC-4, Richard Wang wrote: > Hi Ryan, > > > > For your

Re: StartCom cross-signs disclosed by Certinomis

2017-08-08 Thread urijah--- via dev-security-policy
Can this be responded to more directly and comprehensively please? Are there any staff or personnel being shared between WoSign and Startcom? This includes any staff from (or paid by) Qihoo 360 its subsidiaries, contractors, or affiliates--does anyone do any work (paid or unpaid) for both

Re: April CA Communication: Results

2017-05-15 Thread urijah--- via dev-security-policy
It's useful to note that Outlook 2007 leaves extended support on October 10. (That deadline has been extended a few times, I believe, but this should be the final date.) https://support.microsoft.com/en-us/help/3198497/office-2007-approaching-end-of-extended-support On Monday, May 15, 2017 at

Re: Symantec: Update

2017-05-11 Thread urijah--- via dev-security-policy
Possibly this is irrelevant, but I have some concerns on how Symantec, it seems to me, is willfully mischaracterizing their certificate compliance issues in their prepared remarks to their investors yesterday.[1] It makes it sound as if there are some generic certificate industry changes that

Re: [EXT] Re: Draft further questions for Symantec

2017-05-15 Thread urijah--- via dev-security-policy
The link in footnote [1] https://www.idmanagement.gov/IDM/servlet/fileField?entityId=ka0t000Gmi3AAC=File__Body__s gives me a 404 error. On Monday, May 15, 2017 at 11:09:41 AM UTC-4, Steve Medin wrote: > Gerv, > > Our response to the recent questions is posted at: >

Re: Symantec: Draft Proposal

2017-05-08 Thread urijah--- via dev-security-policy
On Monday, May 8, 2017 at 7:21:46 AM UTC-4, okaphone.e...@gmail.com wrote: > Hi Rick, > > I don't see a "May 4th post". Where was it posted? Not here it seems. It's above--it links to https://www.symantec.com/connect/blogs/symantec-ca-continues-public-dialogue > > Also it's reasonable that

Re: Draft further questions for Symantec

2017-05-08 Thread urijah--- via dev-security-policy
It may be necessary to expand that definition to intermediates that were capable of issuing certificates within the past year (or longer). On Monday, May 8, 2017 at 9:31:21 AM UTC-4, Alex Gaynor wrote: > I'm not the best way to phrase this, so please forgive the bluntness, but I > think it'd be

Re: PROCERT issues

2017-09-26 Thread urijah--- via dev-security-policy
Why does the document say "Date: 11/07/17" on every page, and the signed pdf metadata say 2017-09-25T17:14:35-04:00 2017-09-25T17:18:07-04:00 2017-09-25T17:18:07-04:00 On Tuesday, September 26, 2017 at 4:56:36 PM UTC-4, alejand...@gmail.com wrote: > In the following link you can find the CPS in

Re: How do you handle mass revocation requests?

2018-02-28 Thread urijah--- via dev-security-policy
Is Trustico's storage of private keys related to this security report from a few months back (which did not appear to ever have been fully investigated...)? https://groups.google.com/d/msg/mozilla.dev.security.policy/CEww8w9q2zE/F_bzX1guCQAJ Does Digicert have (or will it have) some sort of