Amusing?

Eddy Nigg

Jun 8, 2011, 5:48:43 PM
to mozilla-dev-s...@lists.mozilla.org

Walter...@rsa.com

Jun 8, 2011, 6:01:20 PM
to eddy...@startcom.org, mozilla-dev-s...@lists.mozilla.org
Very sad. At least the key itself is encrypted...

> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy

Eddy Nigg

Jun 8, 2011, 6:12:05 PM
to mozilla-dev-s...@lists.mozilla.org
On 06/09/2011 01:01 AM, From Walter...@rsa.com:

> Very sad. At least the key itself is encrypted...

I guess a little bash script would do wonders to that key ;-)

John Wilander

Jun 8, 2011, 6:19:00 PM
to Eddy Nigg, mozilla-dev-s...@lists.mozilla.org
Paul Crowley (@ciphergoth) claims he checked it and it's expired. Anyway,
should *not* be public on the web server.

/John

2011/6/9 Eddy Nigg <eddy...@startcom.org>

> On 06/09/2011 01:01 AM, From Walter...@rsa.com:
>
>> Very sad. At least the key itself is encrypted...
>
> I guess a little bash script would do wonders to that key ;-)
>
> --
> Regards
>
> Signer: Eddy Nigg, StartCom Ltd.
> XMPP: star...@startcom.org
> Blog: http://blog.startcom.org/
> Twitter: http://twitter.com/eddy_nigg
>

--
John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee

Eddy Nigg

Jun 8, 2011, 6:27:01 PM
to mozilla-dev-s...@lists.mozilla.org
On 06/09/2011 01:19 AM, From John Wilander:

> Paul Crowley (@ciphergoth) claims he checked it and it's expired. Anyway,
> should *not* be public on the web server.

True. Still, who knows for how long it has been there? Anyway, it's kind
of amusing to see a CA publish its keys on the web, even if it's "just"
for their web site. Considering that this site is supposed to secure the
connection to a site that issues certificates.... :-)

Eddy Nigg

Jun 8, 2011, 6:28:05 PM
to mozilla-dev-s...@lists.mozilla.org, mozilla-dev-s...@lists.mozilla.org
On 06/09/2011 01:27 AM, From Eddy Nigg:

> True. Still, who knows for how long it has been there? Anyway, it's
> kind of amusing to see a CA publish its keys on the web, even if it's
> "just" for their web site. Considering that this site is supposed to
> secure the connection to a site that issues certificates.... :-)
>

According to the last modified time-stamp it's been there since 28-May-2009

Peter Gutmann

Jun 8, 2011, 10:39:53 PM
to eddy...@startcom.org, mozilla-dev-s...@lists.mozilla.org, Walter...@rsa.com
Walter...@rsa.com writes:

>Very sad. At least the key itself is encrypted...

Brute-forcing it right now. Stand by.

(Looks like Achmed will get his CA after all :-).

Peter.

Erwann Abalea

Jun 9, 2011, 6:57:05 AM
to mozilla-dev-s...@lists.mozilla.org, mozilla-dev-s...@lists.mozilla.org
A 1024 bits RSA key, a certificate signed with SHA1, and a sequential serial number. So far, so good.
One more CA to deactivate on my machines.

Eddy Nigg

Jun 9, 2011, 7:22:49 AM
to mozilla-dev-s...@lists.mozilla.org
On 06/09/2011 01:57 PM, From Erwann Abalea:

> A 1024 bits RSA key, a certificate signed with SHA1, and a sequential serial number. So far, so good.
> One more CA to deactivate on my machines.

Actually I couldn't find it in the Authorities tab. It's included
according to
http://www.mozilla.org/projects/security/certs/included/#Certigna%20of%20Dhimyotis
but can't locate it in FF4.

Franck Leroy

Jun 10, 2011, 2:39:47 AM
to mozilla-dev-s...@lists.mozilla.org
What a shame for a FRENCH CA...

Erwann you can remove it, they do not sell anything ;-)

Franck, from my android.

Jan Schejbal

Jun 10, 2011, 11:24:01 AM
to mozilla-dev-s...@lists.mozilla.org
On 2011-06-09 12:57, Erwann Abalea wrote:
> a certificate signed with SHA1, and a sequential serial number

Where is the problem with that? I thought SHA1 is still the standard and
only MD5 is vulnerable.

All the 1024 bit CAs are making me a bit worried, though.

Kind regards,
Jan

--
Please avoid sending mails, use the group instead.
If you really need to send me an e-mail, mention "FROM NG"
in the subject line, otherwise my spam filter will delete your mail.
Sorry for the inconvenience, thank the spammers...

Erwann Abalea

Jun 10, 2011, 12:55:27 PM
to mozilla-dev-s...@lists.mozilla.org, mozilla-dev-s...@lists.mozilla.org, jan.sche...@gmx.de
On Friday, 10 June 2011 at 17:24:01 UTC+2, Jan Schejbal wrote:
> On 2011-06-09 12:57, Erwann Abalea wrote:
> > a certificate signed with SHA1, and a sequential serial number
>
> Where is the problem with that? I thought SHA1 is still the standard and
> only MD5 is vulnerable.

Mozilla, Opera, and Microsoft require some random bits in the serial number. A predictable serial number is a problem with a non-collision-resistant hash function (such as MD5, and maybe SHA1 in a near future). Having randomness in the serial number allows the CA to still use such a hash function securely to produce certificates.
Consider this as a free seat belt, put in evidence in 2004.

> All the 1024 bit CAs are making me a bit worried, though.

There shouldn't be any left. Do you still have some in your certificate store?
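
The point about predictable serial numbers can be checked from the outside by comparing the serials of consecutively issued certificates, and a CA can keep a counter while still adding random bits. The following is an added example, not part of any post in this thread; the function names, the 20-bit threshold and the sample serials are assumptions made for illustration.

```python
import secrets

MIN_BITS = 20  # assumed threshold for this example, not a figure from the thread


def window_bits(serials):
    """Estimate, in bits, how hard the next serial is to guess.

    `serials` are integers in issuance order. Someone who has seen them
    predicts the next one as "last + usual step"; the spread between the
    smallest and largest observed step bounds how many guesses that takes.
    """
    if len(serials) < 3:
        raise ValueError("need at least three serials in issuance order")
    steps = [b - a for a, b in zip(serials, serials[1:])]
    spread = max(steps) - min(steps) + 1
    return spread.bit_length() - 1  # floor(log2(spread))


def audit(serials, min_bits=MIN_BITS):
    """Flag a serial number series whose next value is easy to predict."""
    bits = window_bits(serials)
    return {"window_bits": bits, "predictable": bits < min_bits}


def new_serial(counter, random_bits=64):
    """Serial with a unique counter in the high bits and CSPRNG output below.

    The counter keeps serials unique per CA; the random low bits are what an
    outsider cannot know before the certificate is signed.
    """
    if counter < 1:
        raise ValueError("counter must be positive")
    serial = (counter << random_bits) | secrets.randbits(random_bits)
    if serial.bit_length() > 159:  # RFC 5280: positive, at most 20 octets
        raise ValueError("serial too long for an X.509 certificate")
    return serial


# Constructed sample: serials as they might be read from consecutively issued
# certificates of a CA that simply counts upward.
SEQUENTIAL = [0x1A2B, 0x1A2C, 0x1A2E, 0x1A2F, 0x1A31]

if __name__ == "__main__":
    print("sequential:", audit(SEQUENTIAL))
    randomized = [new_serial(n) for n in range(1, 9)]
    print("randomized:", audit(randomized))
```
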

Walter...@rsa.com

Jun 10, 2011, 1:43:59 PM
to mozilla.dev.s...@googlegroups.com, mozilla-dev-s...@lists.mozilla.org
I have FF4.0.1 and there is at least 1 1024 bit CA in my certificate store.

OU = DSTCA E1
O = Digital Signature Trust Co.
C = US

> -----Original Message-----
> From: dev-security-policy-bounces+walter.goulet=rsa...@lists.mozilla.org
> [mailto:dev-security-policy-bounces+walter.goulet=rsa...@lists.mozilla.org] On Behalf Of Erwann Abalea
> Sent: Friday, June 10, 2011 11:55 AM
> To: mozilla-dev-s...@lists.mozilla.org
> Cc: mozilla-dev-s...@lists.mozilla.org; jan.sche...@gmx.de
> Subject: Re : Re: Re : Amusing?
>
> On Friday, 10 June 2011 at 17:24:01 UTC+2, Jan Schejbal wrote:
> > On 2011-06-09 12:57, Erwann Abalea wrote:
> > > a certificate signed with SHA1, and a sequential serial number
> >
> > Where is the problem with that? I thought SHA1 is still the standard
> > and only MD5 is vulnerable.
>
> Mozilla, Opera, and Microsoft require some random bits in the serial number.
> A predictable serial number is a problem with a non-collision-resistant hash
> function (such as MD5, and maybe SHA1 in a near future). Having
> randomness in the serial number allows the CA to still use such a hash
> function securely to produce certificates.
> Consider this as a free seat belt, put in evidence in 2004.
>
> > All the 1024 bit CAs are making me a bit worried, though.
>
> There shouldn't be any left. Do you still have some in your certificate store?

Eddy Nigg

Jun 10, 2011, 2:11:57 PM
to mozilla-dev-s...@lists.mozilla.org
On 06/10/2011 08:43 PM, From Walter...@rsa.com:

> I have FF4.0.1 and there is at least 1 1024 bit CA in my certificate store.

Is this a Builtin Object? I suspect not...

Walter...@rsa.com

Jun 10, 2011, 3:12:26 PM
to eddy...@startcom.org, mozilla-dev-s...@lists.mozilla.org
It's definitely built in; I have a screen shot I can send offlist (my first
message got held up in moderator queue). In any case, I thought that 1024
bit root CA certs weren't scheduled to be removed from NSS until Dec 2013
based on earlier discussions? Was that date pulled in?

> -----Original Message-----
> From: dev-security-policy-bounces+walter.goulet=rsa...@lists.mozilla.org
> [mailto:dev-security-policy-bounces+walter.goulet=rsa...@lists.mozilla.org] On Behalf Of Eddy Nigg
> Sent: Friday, June 10, 2011 1:12 PM
> To: mozilla-dev-s...@lists.mozilla.org
> Subject: Re: Re : Re: Re : Amusing?
>
> On 06/10/2011 08:43 PM, From Walter...@rsa.com:
> > I have FF4.0.1 and there is at least 1 1024 bit CA in my certificate store.
>
> Is this a Builtin Object? I suspect not...
>
> --
> Regards
>
> Signer: Eddy Nigg, StartCom Ltd.
> XMPP: star...@startcom.org
> Blog: http://blog.startcom.org/
> Twitter: http://twitter.com/eddy_nigg
>

Eddy Nigg

Jun 10, 2011, 5:51:03 PM
to Walter...@rsa.com, mozilla-dev-s...@lists.mozilla.org
On 06/10/2011 10:12 PM, From Walter...@rsa.com:

> It's definitely built in; I have a screen shot I can send offlist (my first message got held up in moderator queue). In any case, I thought that 1024 bit root CA certs weren't scheduled to be removed from NSS until Dec 2013 based on earlier discussions? Was that date pulled in?

I'm not sure about the schedule, hopefully Kathleen has this one already
on her radar.

Walter...@rsa.com

Jun 10, 2011, 2:49:42 PM
to eddy...@startcom.org, mozilla-dev-s...@lists.mozilla.org
It's definitely built in; see the attached screen shot (if the mail server
doesn't strip it out). In any case, I thought that 1024 bit root CA certs
weren't scheduled to be removed from NSS until Dec 2013?

> -----Original Message-----
> From: dev-security-policy-bounces+walter.goulet=rsa...@lists.mozilla.org
> [mailto:dev-security-policy-bounces+walter.goulet=rsa...@lists.mozilla.org] On Behalf Of Eddy Nigg
> Sent: Friday, June 10, 2011 1:12 PM
> To: mozilla-dev-s...@lists.mozilla.org
> Subject: Re: Re : Re: Re : Amusing?
>
> On 06/10/2011 08:43 PM, From Walter...@rsa.com:
> > I have FF4.0.1 and there is at least 1 1024 bit CA in my certificate store.
>
> Is this a Builtin Object? I suspect not...
>
> --
> Regards
>
> Signer: Eddy Nigg, StartCom Ltd.
> XMPP: star...@startcom.org
> Blog: http://blog.startcom.org/
> Twitter: http://twitter.com/eddy_nigg
>


Erwann Abalea

Jun 13, 2011, 6:03:18 AM
to mozilla-dev-s...@lists.mozilla.org, mozilla-dev-s...@lists.mozilla.org
On Friday, 10 June 2011 at 20:11:57 UTC+2, Eddy Nigg wrote:
> On 06/10/2011 08:43 PM, From Walter...@rsa.com:
> > I have FF4.0.1 and there is at least 1 1024 bit CA in my certificate store.
>
> Is this a Builtin Object? I suspect not...

I downloaded the source code and checked, this CA is a bundled one. On Firefox 3.6 also.

Strange it doesn't appear in the following list:
http://www.mozilla.org/projects/security/certs/included/

But it exists in the linked spreadsheet.

Kathleen Wilson

Jun 13, 2011, 1:31:17 PM
to mozilla-dev-s...@lists.mozilla.org

Yannick, CTO Certigna

Jun 14, 2011, 9:26:27 AM
to mozilla-dev-s...@lists.mozilla.org
Everything comes from a "strange" article published on an English
website on June 9.
We responded and issued a notice on our site : http://www.certigna.fr/archives/2995

There is no damage for the Certigna root, sub-CAs, or end-user
certificates.
The key was an old (expired since July 2010) test key for our website.

ALL our authority keys are inside HSM !

Our root CA and all our subCAs are 2048 bits.
And much of our end-users certificates are now 2048 bits with SHA-256.

Some messages are posted by our French competitors… no comment.

Best Regards,

Erwann Abalea

Jun 15, 2011, 5:37:05 AM
to mozilla.dev.s...@googlegroups.com, mozilla-dev-s...@lists.mozilla.org
On Tuesday, 14 June 2011 at 15:26:27 UTC+2, Yannick, CTO Certigna wrote:
> Everything comes from a "strange" article published on an English
> website on June 9.
> We responded and issued a notice on our site : http://www.certigna.fr/archives/2995
>
> There is no damage for the Certigna root, sub-CAs, or end-user
> certificates.
> The key was an old (expired since July 2010) test key for our website.
>
> ALL our authority keys are inside HSM !

I'm confident this private key is not a CA key, and that your CA keys are all in HSMs.

Whether it's old, expired or a test one is irrelevant here. It's a private key. And it should have been kept secret. On one hand, failures can happen, the key was encrypted, and it may have been an unimportant key (but unless it's been decrypted, we can't be certain of that). On the other hand, your business turns around PKI, cryptography, private key management, and that kind of error, even if the key is unimportant, lifts up some doubts on your procedures.

> Our root CA and all our subCAs are 2048 bits.
> And much of our end-users certificates are now 2048 bits with SHA-256.

But not your website's. And I insist, SHA1 is still permitted (after all, the SHA2 family is not always usable, and no SHA1 collision has been exhibited yet), but there's no reason to use a predictable serial number. You're not following Opera, Microsoft, and Mozilla rules on this point.

> Some messages are posted by our French competitors… no comment.

And so what? We're pretty all working for competitors, and some people post here under their private identity (as I do, because I'm personally interested in cryptography, and this interest started nearly 30 years ago).

Criticism is the rule here, you should have noticed it when you applied for inclusion into the Mozilla CA list. Criticism doesn't stop when your CA is included, as recent events show; I'm thinking about Comodo, I find that Rob Stradling did a good job facing far more offensive threads than this one.
Criticizing is not bashing or trolling. Comodo events just led to more work on CA/RA policies, work done on MD2/4/5 by Chinese researchers in 2004 led to enhancements in CA practices (that's where the requirements for random serial numbers come from), critics against Izenpe OCSP responders pushed them to implement compliant designs. I'm sure you can find more examples.

BTW (for other readers), I work for one of the "French competitors".

--
Erwann.

Erwann Abalea

Jun 15, 2011, 10:28:15 AM
to mozilla.dev.s...@googlegroups.com, mozilla-dev-s...@lists.mozilla.org
On Monday, 13 June 2011 at 19:31:17 UTC+2, Kathleen Wilson wrote:
> On 6/13/11 3:03 AM, Erwann Abalea wrote:
> > On Friday, 10 June 2011 at 20:11:57 UTC+2, Eddy Nigg wrote:
> >> On 06/10/2011 08:43 PM, From Walt...@rsa.com:
> >>> I have FF4.0.1 and there is at least 1 1024 bit CA in my certificate store.
> >>
> >> Is this a Builtin Object? I suspect not...
> >
> > I downloaded the source code and checked, this CA is a bundled one. On Firefox 3.6 also.
> >
> > Strange it doesn't appear in the following list:
> > http://www.mozilla.org/projects/security/certs/included/
> >
> > But it exists in the linked spreadsheet.
> >
>
> It's here:
>
> http://www.mozilla.org/projects/security/certs/included/#Certigna%20of%20Dhimyotis

Walter was talking about the CA named

OU = DSTCA E1
O = Digital Signature Trust Co.
C = US

2 of them exist in Firefox source code, also in the spreadsheet, but not on the simple web page.

Kathleen Wilson

Jun 15, 2011, 1:26:03 PM
to mozilla-dev-s...@lists.mozilla.org
On 6/15/11 7:28 AM, Erwann Abalea wrote:
> On Monday, 13 June 2011 at 19:31:17 UTC+2, Kathleen Wilson wrote:
>> On 6/13/11 3:03 AM, Erwann Abalea wrote:
>>> On Friday, 10 June 2011 at 20:11:57 UTC+2, Eddy Nigg wrote:
>>>> On 06/10/2011 08:43 PM, From Walt...@rsa.com:
>>>>> I have FF4.0.1 and there is at least 1 1024 bit CA in my certificate store.
>>>>
>>>> Is this a Builtin Object? I suspect not...
>>>
>>> I downloaded the source code and checked, this CA is a bundled one. On Firefox 3.6 also.
>>>
>>> Strange it doesn't appear in the following list:
>>> http://www.mozilla.org/projects/security/certs/included/
>>>
>>> But it exists in the linked spreadsheet.
>>>
>>
>> It's here:
>>
>> http://www.mozilla.org/projects/security/certs/included/#Certigna%20of%20Dhimyotis
>
> Walter was talking about the CA named
>
> OU = DSTCA E1
> O = Digital Signature Trust Co.
> C = US
>
> 2 of them exist in Firefox source code, also in the spreadsheet, but not on the simple web page.


Yes, there are two Identrust roots in NSS that were added before March
1, 2007, so they are not listed in the included page at
http://www.mozilla.org/projects/security/certs/included/

As stated at the top of the simple web page: "This is a list of
companies and certificates included in the Mozilla project Root CA store
after March 1st, 2007. This list represents the information that was
considered when the CA applied for inclusion of their root."

Kathleen

Yannick, CTO Certigna

Jun 15, 2011, 5:51:04 PM
to mozilla-dev-s...@lists.mozilla.org, mozilla-dev-s...@lists.mozilla.org
On Wednesday, 15 June 2011 at 11:37:05 UTC+2, Erwann Abalea wrote:

> Whether it's old......it should have been kept secret. ........your business turns around PKI, cryptography........... even if the key is unimportant, lifts up some doubts on your procedures.

- About our procedures : we have the same standards (French RGS and ETSI) and auditors as yours, so I hope they are reasonably good. But we are constantly trying to improve them.
- About this incident : I agree that this key wouldn't be there. A mistake + a severe warning (buzz ?) from the web. So we work to enhance and extend the scope of our procedures.


> > Our root CA and all our subCAs are 2048 bits.
> > And much of our end-users certificates are now 2048 bits with SHA-256.

> But not your website's. And I insist, SHA1 is still permitted..........but there's no reason to use a predictable serial number.

- Yes, our website is with a SHA-1 certificate. It was for compatibility with Windows XP sp2 and IE. SSL is required only in the customer area accessed with a mutual authentication. A new website is coming soon.
- About the serial numbers : we made the change. It is being tested and it will be effective beginning July.


> And so what? We're pretty all working for competitors, ......... I'm personally interested in cryptography, ........ Criticism is the rule here, you should have noticed it when you applied for inclusion into the Mozilla CA list. Criticism doesn't not stop when your CA is included,........Criticizing is not bashing or trolling.

I agree with all of that. Criticizing makes us move forward. But I don't see messages like #4 or #5 as constructive criticism !


> Comodo events just led to more work on CA/RA policies, work done on MD2/4/5 by Chinese researchers............ I'm sure you can find more examples.

That's the right way "state of the art" progresses.


Yannick

Jean-Marc Desperrier

Jun 16, 2011, 8:19:53 AM
to mozilla-dev-s...@lists.mozilla.org
Eddy Nigg wrote:
> On 06/10/2011 10:12 PM, From Walter...@rsa.com:
>>> OU = DSTCA E1
>>> O = Digital Signature Trust Co.
>>> C = US
>> It's definitely built in; I have a screen shot I can send offlist (my
>> first message got held up in moderator queue). In any case, I thought
>> that 1024 bit root CA certs weren't scheduled to be removed from NSS
>> until Dec 2013 based on earlier discussions? Was that date pulled in?
>
> I'm not sure about the schedule, hopefully Kathleen has this one already
> on her radar.

It could be useful to check in the SSL observatory how many certificates
actually use this CA.
