RE: StartCom issuing bogus certificates

2017-06-01 Thread Inigo Barreira via dev-security-policy
; Matthew Hardeman <mharde...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: StartCom issuing bogus certificates Hi Inigo, You mentioned there would be a report attached but I believe you forgot to send it? Can you upload the report and provide a URL?

Re: StartCom issuing bogus certificates

2017-06-01 Thread Vincent Lynch via dev-security-policy
dev-security-policy-bounces+inigo=startcomca@lists.mozilla.org > ] > On Behalf Of Gervase Markham via dev-security-policy > Sent: jueves, 1 de junio de 2017 10:27 > To: Yuhong Bao <yuhongbao_...@hotmail.com>; Eric Mill <e...@konklone.com>; > Jeremy Rowley <jeremy.

RE: StartCom issuing bogus certificates

2017-06-01 Thread Inigo Barreira via dev-security-policy
.@roeckx.be>; Matthew Hardeman <mharde...@gmail.com> Subject: Re: StartCom issuing bogus certificates On 01/06/17 01:48, Yuhong Bao wrote: > I don't think there is anything important on example.com though How would you like it if a CA decided there was nothing important on

Re: StartCom issuing bogus certificates

2017-06-01 Thread Gervase Markham via dev-security-policy
On 01/06/17 01:48, Yuhong Bao wrote: > I don't think there is anything important on example.com though How would you like it if a CA decided there was nothing important on your website and so decided it was OK to misissue certificates for it? This requirement is a positive requirement ("must

Re: StartCom issuing bogus certificates

2017-05-31 Thread Eric Mill via dev-security-policy
ll <e...@konklone.com> > Sent: Wednesday, May 31, 2017 4:34:20 PM > To: Jeremy Rowley > Cc: Kurt Roeckx; Yuhong Bao; mozilla-dev-security-pol...@lists.mozilla.org; > Matthew Hardeman > Subject: Re: StartCom issuing bogus certificates > > It's absolutely not harmless to us

Re: StartCom issuing bogus certificates

2017-05-31 Thread Yuhong Bao via dev-security-policy
rdeman Subject: Re: StartCom issuing bogus certificates It's absolutely not harmless to use example.com to test certificate issuance. People visit example.com all the time, given its role. An unauthorized certificate for example.com

Re: StartCom issuing bogus certificates

2017-05-31 Thread Eric Mill via dev-security-policy
ces+jeremy.rowley=digicert.c > om@lists.mozilla > .org] On Behalf Of Kurt Roeckx via dev-security-policy > Sent: Wednesday, May 31, 2017 11:55 AM > To: Yuhong Bao <yuhongbao_...@hotmail.com> > Cc: mozilla-dev-security-pol...@lists.mozilla.org; Matthew Hardeman > <mharde...@gmail.com>

RE: StartCom issuing bogus certificates

2017-05-31 Thread Jeremy Rowley via dev-security-policy
+jeremy.rowley=digicert.com@lists.mozilla .org] On Behalf Of Kurt Roeckx via dev-security-policy Sent: Wednesday, May 31, 2017 11:55 AM To: Yuhong Bao <yuhongbao_...@hotmail.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org; Matthew Hardeman <mharde...@gmail.com> Subject: Re: Star

Re: StartCom issuing bogus certificates

2017-05-31 Thread Kurt Roeckx via dev-security-policy
On Wed, May 31, 2017 at 05:09:57PM +, Yuhong Bao via dev-security-policy wrote: > The point is that "misissuance" of example.com is harmless as they are > reserved by IANA. But example.com is a real domain that even has an https website. The certificate is issued by digicert, and the

Re: StartCom issuing bogus certificates

2017-05-31 Thread Vincent Lynch via dev-security-policy
ew Hardeman via > dev-security-policy <dev-security-policy@lists.mozilla.org> > Sent: Wednesday, May 31, 2017 10:08:10 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: StartCom issuing bogus certificates > > On Wednesday, May 31, 2017 at 12:04:51 PM UTC-5

Re: StartCom issuing bogus certificates

2017-05-31 Thread Matthew Hardeman via dev-security-policy
On Wednesday, May 31, 2017 at 12:10:36 PM UTC-5, Yuhong Bao wrote: > The point is that "misissuance" of example.com is harmless as they are > reserved by IANA. Except that having a trusted root CA in the major root programs is a privileged club with a lot of non-obvious rules. One of those

Re: StartCom issuing bogus certificates

2017-05-31 Thread Yuhong Bao via dev-security-policy
ity-policy <dev-security-policy@lists.mozilla.org> Sent: Wednesday, May 31, 2017 10:08:10 AM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: StartCom issuing bogus certificates On Wednesday, May 31, 2017 at 12:04:51 PM UTC-5, Yuhong Bao wrote: > It would be better to use exa

Re: StartCom issuing bogus certificates

2017-05-31 Thread Yuhong Bao via dev-security-policy
rreira via dev-security-policy <dev-security-policy@lists.mozilla.org> Sent: Wednesday, May 31, 2017 9:21:00 AM To: patryk.szczyglow...@gmail.com; mozilla-dev-security-pol...@lists.mozilla.org Subject: RE: StartCom issuing bogus certificates Hi all, There's been a misunderstanding int

Re: StartCom issuing bogus certificates

2017-05-31 Thread Matthew Hardeman via dev-security-policy
Wow. That is disheartening. Those are issued from their newly cut intermediates issued descending from their G3 root, which I had assumed was the infrastructure that they intend to get audited for inclusion into the various root programs again. It would seem an issuance like that on that

RE: StartCom issuing bogus certificates

2017-05-31 Thread Inigo Barreira via dev-security-policy
Hi all, There's been a misunderstanding internally when requested to create some "test" certificates as indicated in the Microsoft root program requirements as stated in 4b "Test URLs for each root, or a URL of a publicly accessible server that Microsoft can use to verify the certificates."