Re: Misissued certificates - pathLenConstraint with CA:FALSE

2017-08-17 Thread identrust--- via dev-security-policy
On Wednesday, August 9, 2017 at 9:53:14 PM UTC-4, Alex Gaynor wrote: > (Whoops, accidentally originally CC'd to m.d.s originally! Original mail > was to IdenTrust) > > Hi, > > The following certificates appear to be misissued: > > https://crt.sh/?id=77893170=cablint >

Re: Misissued certificates

2017-08-15 Thread Gervase Markham via dev-security-policy
On 10/08/17 19:35, Jeremy Rowley wrote: > This is interesting. We had one Sub CA who mis-issued some pre-certs but > then never issued an actual certificate tied to the pre-certificate. There > was a previous Mozilla discussion (link coming) where mis-issuance of a > pre-certificate was akin to

Re: Misissued certificates

2017-08-10 Thread Paul Kehrer via dev-security-policy
On August 10, 2017 at 9:44:01 PM, Jakob Bohm via dev-security-policy ( dev-security-policy@lists.mozilla.org) wrote: On 11/08/2017 00:29, Jonathan Rudenberg wrote: > >> On Aug 10, 2017, at 17:04, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: >> >> Can anyone

Re: Misissued certificates

2017-08-10 Thread Jakob Bohm via dev-security-policy
On 11/08/2017 00:29, Jonathan Rudenberg wrote: On Aug 10, 2017, at 17:04, Jakob Bohm via dev-security-policy wrote: Can anyone point out a real world X.509 framework that gets confused by a redundant pathlen:0 in a CA:FALSE certificate? (Merely to

Re: Misissued certificates

2017-08-10 Thread Jonathan Rudenberg via dev-security-policy
> On Aug 10, 2017, at 17:04, Jakob Bohm via dev-security-policy > wrote: > > Can anyone point out a real world X.509 framework that gets confused by > a redundant pathlen:0 in a CA:FALSE certificate? (Merely to assess the > seriousness of the issue,

Re: Misissued certificates

2017-08-10 Thread identrust--- via dev-security-policy
On Thursday, August 10, 2017 at 12:21:18 PM UTC-4, Ryan Sleevi wrote: > On Thu, Aug 10, 2017 at 11:55 AM, identrust--- via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > On Thursday, August 10, 2017 at 12:23:55 AM UTC-4, Lee wrote: > > > What's it going to take for

Re: Misissued certificates

2017-08-10 Thread Jakob Bohm via dev-security-policy
On 10/08/2017 20:14, Matthew Hardeman wrote: Similarly, the cert at https://crt.sh/?id=92235998 has SAN dnsName of ev-valid.identrustssl.com It has a normal 2 year validity period. Which again sounds like a certificate administratively created to serve as a test point certificate for the

RE: Misissued certificates

2017-08-10 Thread Jeremy Rowley via dev-security-policy
: Thursday, August 10, 2017 10:44 AM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Misissued certificates On Thursday, 10 August 2017 16:55:22 UTC+1, iden...@gmail.com wrote: > certificates contain the issue. Three (3) of these are real > certificates; however, one has expir

Re: Misissued certificates

2017-08-10 Thread Matthew Hardeman via dev-security-policy
Similarly, the cert at https://crt.sh/?id=92235998 has SAN dnsName of ev-valid.identrustssl.com It has a normal 2 year validity period. Which again sounds like a certificate administratively created to serve as a test point certificate for the root programs.

Re: Misissued certificates

2017-08-10 Thread Matthew Hardeman via dev-security-policy
I don't know whether it was noticed or if it matters to anyone, but I did note that for at least one of these certificates, particularly the one at https://crt.sh/?id=92235996 , that the sole SAN dnsName for the certificate is ev-expired.identrustssl.com. The cert also had a whopping 24 hours

Re: Misissued certificates

2017-08-10 Thread Nick Lamb via dev-security-policy
On Thursday, 10 August 2017 16:55:22 UTC+1, iden...@gmail.com wrote: > certificates contain the issue. Three (3) of these are real certificates; > however, one has expired. We have revoked the other two certificates. The > remaining two (2) are pre-certificates. To clear this up for anybody who

Re: Misissued certificates

2017-08-10 Thread Alex Gaynor via dev-security-policy
My apologies, it was pointed out to me off list that two of these are pre-certs for other certs in that batch. Alex On Thu, Aug 10, 2017 at 12:19 PM, Alex Gaynor wrote: > Hi IdenTrust, > > When you say that the remaining two are pre-certificates, are you > asserting that

Re: Misissued certificates

2017-08-10 Thread Ryan Sleevi via dev-security-policy
On Thu, Aug 10, 2017 at 11:55 AM, identrust--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Thursday, August 10, 2017 at 12:23:55 AM UTC-4, Lee wrote: > > What's it going to take for mozilla to set up near real-time > > monitoring/auditing of certs showing up in ct

Re: Misissued certificates

2017-08-10 Thread Alex Gaynor via dev-security-policy
Hi IdenTrust, When you say that the remaining two are pre-certificates, are you asserting that no corresponding certificate was ever issued? Or merely that we can't prove one was based on what's in the existing CT logs? Alex On Thu, Aug 10, 2017 at 11:55 AM, identrust--- via dev-security-policy

Re: Misissued certificates

2017-08-10 Thread identrust--- via dev-security-policy
On Thursday, August 10, 2017 at 12:23:55 AM UTC-4, Lee wrote: > What's it going to take for mozilla to set up near real-time > monitoring/auditing of certs showing up in ct logs? > > Lee > > On 8/9/17, Alex Gaynor via dev-security-policy > wrote: > >

Re: Misissued certificates

2017-08-09 Thread J.C. Jones via dev-security-policy
Lee, Different parts of Mozilla do monitor CT, both for internal IT purposes, as well as research into the WebPKI. It seems like crt.sh does a great job already of handling cablint/x509lint of newly-observed certs. What are you looking for Mozilla to provide here that isn't already being

Re: Misissued certificates

2017-08-09 Thread Lee via dev-security-policy
What's it going to take for mozilla to set up near real-time monitoring/auditing of certs showing up in ct logs? Lee On 8/9/17, Alex Gaynor via dev-security-policy wrote: > (Whoops, accidentally originally CC'd to m.d.s originally! Original mail > was to