Re: Unbelievable!

2008-12-23 Thread patricia
Hi all, A glitch in our validation system has today caused a certificate to be issued to a person who successfully abused our system. We have now strengthened our domain validation system so that such abuse cannot happen again. Comodo has handled this issue in a professional way by invoking the

Re: Unbelievable!

2008-12-23 Thread Thorsten Becker
Hi Patricia, patri...@certstar.com wrote: We have now strengthened our domain validation system so that such abuse cannot happen again. just curious: How do you normally validate domain ownership? TIA, Thorsten

Re: Unbelievable!

2008-12-23 Thread Eddy Nigg
On 12/23/2008 10:48 AM, patri...@certstar.com: Hi all, A glitch in our validation system has today caused a certificate to be issued to a person who successfully abused our system. It's not me who abused your system, it's your company which sent out illegal, misleading emails to our

Re: Unbelievable!

2008-12-23 Thread Eddy Nigg
For those interested, Frank opened a bug to investigate this incident: https://bugzilla.mozilla.org/show_bug.cgi?id=470897 -- Regards Signer: Eddy Nigg, StartCom Ltd. Jabber: start...@startcom.org Blog: https://blog.startcom.org

Re: Unbelievable!

2008-12-23 Thread Eddy Nigg
On 12/23/2008 07:09 AM, Frank Hecker: There are two general reasons for pulling a root, to address a clear and present danger to Mozilla users, and to punish a CA and deter others. My concern right now is with the former. I see at least three issues in relation to that: 1. Issuance of further

JSS doesn't support AES key unwrapping

2008-12-23 Thread alex . agranov
When I try to unwrap AES key via JSS API, I get the following exception: cipher = Cipher.getInstance(RSA, jssProvider); cipher.init(Cipher.UNWRAP_MODE, wrapKeyPair.getPrivate()); Key unwrappedKey = cipher.unwrap(wrappedData, AES, Cipher.SECRET_KEY); org.mozilla.jss.util.AssertionException:

Suspend trust bit (was Unbelievable!)

2008-12-23 Thread Eddy Nigg
On 12/23/2008 09:09 AM, Kyle Hamilton: (I word it like that because in order for an attacker to succeed he would need to also hijack DNS, or place an entry in the user's hosts file.) Or be a WiFi operator. This was the attack vector of https://bugzilla.mozilla.org/show_bug.cgi?id=460374 Of

Re: Unbelievable!

2008-12-23 Thread Kyle Hamilton
Patricia, I believe it's important to realize a couple of things: 1) An unsolicited commercial email (UCE) message was sent from your company to the party in question suggesting that there already existed a relationship between your company and the party in question. This is obvious from the

Re: Unbelievable!

2008-12-23 Thread Frank Hecker
Eddy Nigg wrote: For those interested, Frank opened a bug to investigate this incident: https://bugzilla.mozilla.org/show_bug.cgi?id=470897 Actually Nelson opened this bug. Frank -- Frank Hecker hec...@mozillafoundation.org

Re: Unbelievable!

2008-12-23 Thread Eddy Nigg
On 12/23/2008 03:05 PM, Frank Hecker: Eddy Nigg wrote: For those interested, Frank opened a bug to investigate this incident: https://bugzilla.mozilla.org/show_bug.cgi?id=470897 Actually Nelson opened this bug. Thanks for that. More into this story... ...all our employees coming the our

dispute resolution procedures for Mozilla CA module

2008-12-23 Thread Ian G
In the past, lots of good stuff has been done that handles the ascension to the root list of Mozilla. c.f. the policy. But not so much is written about *what happens afterwards*. This recent thread has been such a case, and has afforded an opportunity to make some notes on what might be

Re: Unbelievable!

2008-12-23 Thread Gervase Markham
Frank Hecker wrote: Do you mean the UTN-UserFirst-Hardware root? According to the screenshot on your blog post, that's the root the bogus cert chains up to. Also, if we were to take action of this general sort (as a hypothetical), what about adding the PositiveSSL CA cert to NSS with the SSL

Re: CA liability. was: Publishing CA information documents in PDF format

2008-12-23 Thread Ian G
On 18/12/08 18:25, Anders Rundgren wrote: CA liability has been focused on the RP since it is an RP that trusts a CA and its certificates, right? Um! If one takes a PKI view, then there exist 3 main parties: CA, RP, Subscriber. However other views exist. Liability is an issue at law (in

Re: Unbelievable!

2008-12-23 Thread Gen Kanai
Are we going to receive information from Comodo regarding how many other Comodo resellers may be in a similar position to Certstar? Are we going to receive information from Certstar as to how many other certs may have been issued in error? How do we verify the claims from Comodo or

Re: Unbelievable!

2008-12-23 Thread Kyle Hamilton
I'd rather deal with disruption caused thereby (and, yes, the user complaints generated thereby -- at least then the end-user would KNOW that there's a problem that's being dealt with rather than having a FALSE SENSE OF SECURITY) than let those potential security breaches continue to wreak their

Re: Unbelievable!

2008-12-23 Thread Eddy Nigg
On 12/23/2008 09:15 PM, Hendrik Weimer: Frank Hecker hec...@mozillafoundation.org writes: My intent is to balance the disruption that would be caused by pulling a root vs. the actual security threat to users. Right now we have no real idea as to the extent of the problem (e.g., how many certs

Re: JSS doesn't support AES key unwrapping

2008-12-23 Thread Nelson B Bolyard
alex.agra...@gmail.com wrote, On 2008-12-23 02:59: When I try to unwrap AES key via JSS API, I get the following exception: cipher = Cipher.getInstance(RSA, jssProvider); cipher.init(Cipher.UNWRAP_MODE, wrapKeyPair.getPrivate()); Key unwrappedKey = cipher.unwrap(wrappedData, AES,

Re: Unbelievable!

2008-12-23 Thread Justin Dolske
On 12/23/08 11:27 AM, Kyle Hamilton wrote: I'd rather deal with disruption caused thereby (and, yes, the user complaints generated thereby -- at least then the end-user would KNOW that there's a problem that's being dealt with rather than having a FALSE SENSE OF SECURITY) Hmm, would they?

Re: Unbelievable!

2008-12-23 Thread Justin Dolske
On 12/23/08 12:12 PM, Justin Dolske wrote: On 12/23/08 11:27 AM, Kyle Hamilton wrote: I'd rather deal with disruption caused thereby (and, yes, the user complaints generated thereby -- at least then the end-user would KNOW that there's a problem that's being dealt with rather than having a

Re: Unbelievable!

2008-12-23 Thread Daniel Veditz
Frank Hecker wrote: Eddy Nigg wrote: Disabling the trust bits of AddTrust External CA Root could be a temporary measure to prevent damage to relying parties Also note that any suspension of a root would last at least 1-3 months, since that's the typical interval between security updates for

Re: Unbelievable!

2008-12-23 Thread Eddy Nigg
On 12/23/2008 10:23 PM, Daniel Veditz: Maybe we need to build in something like a CRL that pings back to Mozilla that would let us revoke roots without having to ship a client update. Of course we (@ mozilla) also take our lessons from this event, I'm sure. Indeed it was previously suggested

Re: Unbelievable!

2008-12-23 Thread Christoph Moormann
On Dec 23, 9:44 pm, doug...@theros.info wrote: On 23 dez, 18:23, Daniel Veditz dved...@mozilla.com wrote: Frank Hecker wrote: Eddy Nigg wrote: Disabling the trust bits of AddTrust External CA Root could be a temporary measure to prevent damage to relying parties Also note that

Re: Unbelievable!

2008-12-23 Thread Ian G
On 23/12/08 20:23, Kyle Hamilton wrote: On Tue, Dec 23, 2008 at 10:43 AM, Frank Hecker hec...@mozillafoundation.org wrote: I've asked Robin Alden of Comodo to make an accounting regarding these two issues. I don't expect to see that immediately (i.e., in the next day or two), though I also

Re: Unbelievable!

2008-12-23 Thread Justin Dolske
On 12/23/08 12:20 PM, Justin Dolske wrote: That said, the Comodo/Certstar is hugely sucky and I would hope there's something we can do about it that helps users. I am just full of fail today: ... the Comodo/Comstar *incident* is hugely sucky ... Justin

Re: Unbelievable!

2008-12-23 Thread Eddy Nigg
On 12/23/2008 11:12 PM, Ian G: Earlier, Frank used the language of clear and present danger. * clear: we can measure the costs of it, and cost of defences. * present: it is happening today, provably. * danger: it can be shown capable of doing damage, at least in theory Only the last one is

Re: Unbelievable!

2008-12-23 Thread Paul Hoffman
At 11:27 AM -0800 12/23/08, Kyle Hamilton wrote: I'd rather deal with disruption caused thereby (and, yes, the user complaints generated thereby -- at least then the end-user would KNOW that there's a problem that's being dealt with rather than having a FALSE SENSE OF SECURITY) than let those

Re: Unbelievable!

2008-12-23 Thread Paul C. Bryan
Just because a few people loudly proclaim their preferences on either side, it does not mean that their preferences should be acted on in a way that affects millions of Firefox users. It was Comodo that affected millions of Firefox users; it's up to Mozilla to protect those users by failing

Re: Suspend the trust bits

2008-12-23 Thread Paul C. Bryan
(sorry, meant to post this in the thread -- posting there -- disregard this thread)

Re: Unbelievable!

2008-12-23 Thread Paul C. Bryan
Presumably it was Comodo that underwent an audit to be added to Mozilla's roots, and Comodo should not be allowed to delegate trust to their resellers for domain validation. If, today, trust is delegated to their resellers, then we can't trust Comodo, period. Although disruptive, their trust bits

Re: Unbelievable!

2008-12-23 Thread Kyle Hamilton
The only effective and appropriate response to a root that does not have sufficient internal controls to maintain its own security is to remove the trust in it. If you've purchased a certificate from them because it's trusted, and then they lose that trust, I would think that you should be

Re: Unbelievable!

2008-12-23 Thread Frank Hecker
Eddy Nigg wrote: Concerning the disruption, Comodo has many roots and the resetting of this specific root would affect low-assurance sites as far as I know. I don't think that's necessarily true. I don't think it would affect EV sites (because of the way validation for those sites is

Re: Unbelievable!

2008-12-23 Thread Eddy Nigg
On 12/24/2008 12:20 AM, Frank Hecker: Eddy Nigg wrote: Concerning the disruption, Comodo has many roots and the resetting of this specific root would affect low-assurance sites as far as I know. I don't think that's necessarily true. I don't think it would affect EV sites (because of the way

Re: Unbelievable!

2008-12-23 Thread Eddy Nigg
On 12/24/2008 12:05 AM, Paul C. Bryan: Presumably it was Comodo that underwent an audit to be added to Mozilla's roots, and Comodo should not be allowed to delegate trust to their resellers for domain validation. If, today, trust is delegated to their resellers, then we can't trust Comodo,

Re: Unbelievable!

2008-12-23 Thread Kyle Hamilton
I believe that Startcom (and other certification authorities in Mozilla's root program) would likely have cause to bring an action for the tort of negligence against Mozilla. I feel that this is something that Mozilla should likely ask its general counsel very quickly. 0) Comodo is plainly found

Re: Unbelievable!

2008-12-23 Thread Where Wolf
On Dec 23, 5:51 pm, Kyle Hamilton aerow...@gmail.com wrote: I believe that Startcom (and other certification authorities in Mozilla's root program) would likely have cause to bring an action for the tort of negligence against Mozilla. I feel that this is something that Mozilla should likely

Re: Unbelievable!

2008-12-23 Thread Paul Hoffman
At 3:15 PM +0200 12/23/08, Eddy Nigg wrote: If they don't shut that site, we can perhaps just publish the private key for the mozilla.com certificate as well so everybody can enjoy it. It is indeed unbelievable to hear the COO of a CA company making threats like this. I'm sure that making such

Re: Unbelievable!

2008-12-23 Thread Paul Hoffman
At 2:51 PM -0800 12/23/08, Kyle Hamilton wrote: I believe that Startcom (and other certification authorities in Mozilla's root program) would likely have cause to bring an action for the tort of negligence against Mozilla. I feel that this is something that Mozilla should likely ask its general

Re: Unbelievable!

2008-12-23 Thread Where Wolf
Select Preferences - Advanced - View Certificates - Authorities. Search for AddTrust AB - AddTrust External CA Root and click Edit. Remove all Flags. This would remove the trust from the potentially affected sites and their certificates. Comodo has many more roots if you are interested,

Re: Unbelievable!

2008-12-23 Thread patricia
Dear all, I just wanted to give you all an update from Certstar. As you all know we failed to validate a certificate due to a flaw in our system which is clearly unacceptable. Having worked intensively with this case I can truly say that Comodo is indeed taking their responsibility extremely

Re: Unbelievable!

2008-12-23 Thread Paul C. Bryan
On Dec 23, 3:58 pm, patri...@certstar.com wrote: The technical verification procedure has been improved and is now on a very high security level. Comodo will also review our implementation to ensure that it complies with all standards and cannot be abused. As far as I know, you're not the party

Re: Unbelievable!

2008-12-23 Thread Christoph Moormann
On Dec 24, 12:58 am, patri...@certstar.com wrote: I just wanted to give you all an update from Certstar. As you all know we failed to validate a certificate due to a flaw in our system which is clearly unacceptable. IIRC you failed to validate at least two certificates, coincidentally the

Re: Unbelievable!

2008-12-23 Thread Eddy Nigg
On 12/24/2008 02:40 AM, Ian G: You don't count, or more precisely, the money you spent getting the cert doesn't count; sorry about that :) At least I got it refunded ;-) Well, concerns on the concept of resellers have been raised before. This becomes a case in point, which should perhaps

Re: Unbelievable!

2008-12-23 Thread David E. Ross
On 12/23/2008 2:05 PM, Paul C. Bryan wrote: Presumably it was Comodo that underwent an audit to be added to Mozilla's roots, and Comodo should not be allowed to delegate trust to their resellers for domain validation. If, today, trust is delegated to their resellers, then we can't trust

Re: JSS doesn't support AES key unwrapping

2008-12-23 Thread Nelson B Bolyard
I wrote, On 2008-12-23 11:53: Please file a bug in bugzilla.mozilla.org, product JSS, and put all the above information into that bug. Glen filed a bug based on this report. (Thanks, Glen) See https://bugzilla.mozilla.org/show_bug.cgi?id=470982

Re: Unbelievable!

2008-12-23 Thread Dan Colascione
On Dec 23, 8:56 pm, ro...@comodo.com wrote: Comodo has been able to verify that 73 of the 111 orders processed by Certstar were processed pursuant to the requirements of our CPS and our webhost RA terms and conditions. [snip] In the past we have *discovered* only a few isolated incidents

Re: Unbelievable!

2008-12-23 Thread Paul C. Bryan
On Dec 23, 5:56 pm, ro...@comodo.com wrote: Comodo takes its responsibility to supervise RAs very seriously and we actively audit their performance. While it is not practical to audit 100% of their work, we audit a representative sample. By delegating RA functions (including domain

Re: dispute resolution procedures for Mozilla CA module

2008-12-23 Thread Nelson B Bolyard
Ian G wrote, On 2008-12-23 05:58: 3. How to resolve a dispute. This is a Mozilla action responsibility. Reverse-engineering and referring, I would suggest this as a teaser: a. The CA certificate module owner at Mozilla foundation is responsible. Ref, the policy, pt 15. b.

Re: dispute resolution procedures for Mozilla CA module

2008-12-23 Thread Eddy Nigg
On 12/24/2008 04:16 AM, Nelson B Bolyard: Ian G wrote, On 2008-12-23 05:58: 3. How to resolve a dispute. This is a Mozilla action responsibility. Reverse-engineering and referring, I would suggest this as a teaser: a. The CA certificate module owner at Mozilla foundation is

Re: Unbelievable!

2008-12-23 Thread Eddy Nigg
My blog article and exposure has provoked somebody to come forward with additional evidence concerning the reseller activities of Comodo. In order to protect the innocent I decided to provide this information confidentially to Frank Hecker for now. Stay tuned. -- Regards Signer: Eddy Nigg,

Re: Unbelievable!

2008-12-23 Thread David E. Ross
On 12/23/2008 3:16 PM, Eddy Nigg wrote: On 12/24/2008 01:10 AM, Where Wolf: On Dec 23, 5:51 pm, Kyle Hamilton aerow...@gmail.com wrote: I believe that Startcom (and other certification authorities in Mozilla's root program) would likely have cause to bring an action for the tort of negligence

Re: Unbelievable!

2008-12-23 Thread Paul Hoffman
At 1:16 AM +0200 12/24/08, Eddy Nigg wrote: Select Preferences - Advanced - View Certificates - Authorities. Search for AddTrust AB - AddTrust External CA Root and click Edit. Remove all Flags. This would remove the trust from the potentially affected sites and their certificates. Comodo has

Re: Unbelievable!

2008-12-23 Thread Paul Hoffman
At 1:45 AM +0200 12/24/08, Eddy Nigg wrote: Paul, you are disappointing me! I have not heard one critical word from you about this incident, What would be added by me joining the choir? Clearly, Comodo made a mistake in trusting (at least) one of its resellers. The mistake was laid bare, and

Re: Unbelievable!

2008-12-23 Thread Eddy Nigg
On 12/24/2008 05:32 AM, Paul Hoffman: At 1:45 AM +0200 12/24/08, Eddy Nigg wrote: Paul, you are disappointing me! I have not heard one critical word from you about this incident, You tried to find this one because this particular reseller tried to steal your customers in a slimy fashion...