--
Regards
Signer: Eddy Nigg, StartCom Ltd.
XMPP: star...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
I guess a little bash script would do wonders to that key ;-)
/John
2011/6/9 Eddy Nigg <eddy...@startcom.org>
> On 06/09/2011 01:01 AM, From Walter...@rsa.com:
>
> Very sad. At least the key itself is encrypted...
>>
>
> I guess a little bash script would do wonders to that key ;-)
>
>
> --
> Regards
>
> Signer: Eddy Nigg, StartCom Ltd.
> XMPP: star...@startcom.org
> Blog: http://blog.startcom.org/
> Twitter: http://twitter.com/eddy_nigg
>
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
--
John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
True. Still, who knows for how long it has been there? Anyway, it's kind
of amusing to see a CA publish its keys on the web, even if it's "just"
for their web site. Considering that this site is supposed to secure the
connection to a site that issues certificates.... :-)
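The thread's underlying problem is a private key file sitting in a public web root, possibly for years. A recurring pre-deploy or scheduled scan of the document root for PEM private-key material is the check a site operator would want. The script below is an added example written for this page, not code posted by anyone in the thread; the sample web root it builds under a temporary directory is constructed, and the file names and contents in it are invented placeholders. It reports encrypted keys as findings too, since (as the thread notes) encryption only buys time once the file is public.

```python
"""Scan a web document root for PEM-encoded private keys (added example)."""
import os
import re
import tempfile
from typing import Dict, Optional

# PEM labels that denote a private key, including the OpenSSL legacy
# ("RSA PRIVATE KEY" + Proc-Type) and PKCS#8 ("ENCRYPTED PRIVATE KEY") forms.
PRIVATE_KEY_BEGIN = re.compile(rb"-----BEGIN ((?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY)-----")
LEGACY_ENCRYPTED = re.compile(rb"Proc-Type: 4,ENCRYPTED")


def classify_pem(data: bytes) -> Optional[str]:
    """Return None if no private key is present, else 'encrypted' or 'plaintext'."""
    match = PRIVATE_KEY_BEGIN.search(data)
    if match is None:
        return None
    label = match.group(1)
    if label == b"ENCRYPTED PRIVATE KEY" or LEGACY_ENCRYPTED.search(data):
        return "encrypted"
    return "plaintext"


def scan_tree(root: str, max_bytes: int = 1 << 20) -> Dict[str, str]:
    """Walk `root`; map each file holding a private key (path relative to root) to its kind.

    Only the first `max_bytes` of each file are inspected, which is enough to
    see the PEM header and the Proc-Type line that follows it.
    """
    hits: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue  # unreadable files are skipped, not treated as clean
            kind = classify_pem(data)
            if kind is not None:
                hits[os.path.relpath(path, root)] = kind
    return hits


def build_sample_webroot() -> str:
    """Create a constructed sample document root (not any real site's content)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.html": b"<html><body>hello</body></html>\n",
        "certs/site.crt": b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n",
        # legacy OpenSSL encrypted key: header line followed by Proc-Type/DEK-Info
        "old/site.key": (b"-----BEGIN RSA PRIVATE KEY-----\n"
                         b"Proc-Type: 4,ENCRYPTED\n"
                         b"DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
                         b"AAAA\n-----END RSA PRIVATE KEY-----\n"),
        # unencrypted PKCS#8 key left behind in a backup directory
        "backup/test.pem": b"-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    for rel_path, kind in sorted(scan_tree(sample).items()):
        print(f"{kind:10s} {rel_path}")
```

Run it against the real document root (`scan_tree("/var/www/html")`, say) from a deploy hook or a nightly job; any hit, encrypted or not, is a finding to remove and to treat as a possibly compromised key.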
According to the last modified time-stamp it's been there since 28-May-2009
--
>Very sad. At least the key itself is encrypted...
Brute-forcing it right now. Stand by.
(Looks like Achmed will get his CA after all :-).
Peter.
Actually I couldn't find it in the Authorities tab. It's included
according to
http://www.mozilla.org/projects/security/certs/included/#Certigna%20of%20Dhimyotis
but can't locate it in FF4.
Erwann you can remove it, they do not sell anything ;-)
Franck, from my android.
Where is the problem with that? I thought SHA1 is still the standard and
only MD5 is vulnerable.
All the 1024 bit CAs are making me a bit worried, though.
Kind regards,
Jan
--
Please avoid sending mails, use the group instead.
If you really need to send me an e-mail, mention "FROM NG"
in the subject line, otherwise my spam filter will delete your mail.
Sorry for the inconvenience, thank the spammers...
Mozilla, Opera, and Microsoft require some random bits in the serial number. A predictable serial number is a problem with a non-collision-resistant hash function (such as MD5, and maybe SHA1 in the near future). Having randomness in the serial number allows the CA to still use such a hash function securely to produce certificates.
Consider this as a free seat belt, put in evidence in 2004.
> All the 1024 bit CAs are making me a bit worried, though.
There shouldn't be any left. Do you still have some in your certificate store?
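The two points in this reply (random serial bits as the mitigation for a hash that is not collision resistant, and 1024-bit keys that should no longer exist) can be turned into a batch check over certificates a CA has issued. The code below is an added example for this page, not something any poster provided: the thresholds (64 bits of serial, a 2^16 gap as the "looks like a counter" cut-off, 2048-bit minimum keys) are assumptions chosen for the example, the input is reduced to the three fields the discussion is about, and the sample batches are constructed and do not describe Certigna's or any other CA's real certificates.

```python
"""Batch check for predictable serials, weak hashes and short keys (added example)."""
from dataclasses import dataclass
from typing import List, Tuple

# Thresholds are assumptions for this example; the thread only says browsers
# require "some random bits" in the serial and that 1024-bit CAs should be gone.
WEAK_HASHES = {"md2", "md4", "md5"}   # collisions demonstrated in practice
DEPRECATING_HASHES = {"sha1"}         # still permitted in 2011, but not a safe long-term bet
MIN_KEY_BITS = 2048
MIN_SERIAL_BITS = 64                  # assumed: room for enough random bits
SEQUENTIAL_GAP = 1 << 16              # assumed: gaps this small look like a counter


@dataclass(frozen=True)
class CertInfo:
    serial: int     # X.509 serialNumber as an integer
    sig_hash: str   # hash named by signatureAlgorithm, e.g. "sha1", "sha256"
    key_bits: int   # modulus size of the subject public key


def parse_serial(text: str) -> int:
    """Accept serials as 'openssl x509 -serial' prints them: hex, optionally colon separated."""
    return int(text.replace(":", "").replace(" ", "").strip(), 16)


def serials_look_sequential(serials: List[int]) -> bool:
    """A counter leaves small, positive gaps between consecutively issued serials."""
    if len(serials) < 2:
        return False
    return all(0 < b - a <= SEQUENTIAL_GAP for a, b in zip(serials, serials[1:]))


def assess_batch(certs: List[CertInfo]) -> List[Tuple[str, str]]:
    """Return (scope, finding) pairs; scope is 'batch' or 'cert:<index>'.

    `certs` must be in issuance order so that the gap heuristic is meaningful.
    """
    findings: List[Tuple[str, str]] = []
    serials = [c.serial for c in certs]
    sequential = serials_look_sequential(serials)
    if sequential:
        findings.append(("batch", "serial numbers look like a counter (predictable)"))
    if serials and max(s.bit_length() for s in serials) < MIN_SERIAL_BITS:
        findings.append(("batch", f"no serial reaches {MIN_SERIAL_BITS} bits; too little room for randomness"))
    for i, c in enumerate(certs):
        scope = f"cert:{i}"
        h = c.sig_hash.lower()
        if h in WEAK_HASHES:
            findings.append((scope, f"signed with broken hash {h}"))
        if c.key_bits < MIN_KEY_BITS:
            findings.append((scope, f"{c.key_bits}-bit key is below {MIN_KEY_BITS}"))
        if sequential and (h in WEAK_HASHES or h in DEPRECATING_HASHES):
            findings.append((scope, f"predictable serial together with {h}; random serial bits are the mitigation"))
    return findings


# Constructed sample batches (not real data from any CA).
COUNTER_SHA1 = [CertInfo(parse_serial(s), "sha1", 2048) for s in ("10:01", "10:02", "10:03")]
RANDOM_SHA256 = [CertInfo(parse_serial(s), "sha256", 2048)
                 for s in ("4f:3a:91:c2:0d:77:e5:18", "a1:06:b3:e9:4c:2f:90:d4", "7c:58:21:ff:13:a0:6e:b7")]
LEGACY_ROOT = [CertInfo(parse_serial("01"), "md5", 1024)]

if __name__ == "__main__":
    for name, batch in (("counter/sha1", COUNTER_SHA1), ("random/sha256", RANDOM_SHA256), ("legacy", LEGACY_ROOT)):
        print(name)
        for scope, msg in assess_batch(batch) or [("-", "no findings")]:
            print(f"  {scope}: {msg}")
```

The sequential check is deliberately batch-level: a single serial says nothing about predictability, but a run of issued certificates whose serials differ by one does. The same applies to the "short serial" test, which looks at the largest serial in the batch rather than flagging individual random values that happen to have a leading zero bit.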
OU = DSTCA E1
O = Digital Signature Trust Co.
C = US
> -----Original Message-----
> From: dev-security-policy-bounces+walter.goulet=rsa...@lists.mozilla.org
> [mailto:dev-security-policy-
> bounces+walter.goulet=rsa...@lists.mozilla.org] On Behalf Of Erwann
> Abalea
> Sent: Friday, June 10, 2011 11:55 AM
> To: mozilla-dev-s...@lists.mozilla.org
> Cc: mozilla-dev-s...@lists.mozilla.org; jan.sche...@gmx.de
> Subject: Re : Re: Re : Amusing?
>
> Le vendredi 10 juin 2011 17:24:01 UTC+2, Jan Schejbal a écrit :
> > Am 2011-06-09 12:57, schrieb Erwann Abalea:
> > > a certificate signed with SHA1, and a sequential serial number
> >
> > Where is the problem with that? I thought SHA1 is still the standard
> > and only MD5 is vulnerable.
>
> Mozilla, Opera, and Microsoft require some random bits in the serial number.
> A predictable serial number is a problem with a non-collision-resistant hash
> function (such as MD5, and maybe SHA1 in the near future). Having
> randomness in the serial number allows the CA to still use such a hash
> function securely to produce certificates.
> Consider this as a free seat belt, put in evidence in 2004.
>
> > All the 1024 bit CAs are making me a bit worried, though.
>
> There shouldn't be any left. Do you still have some in your certificate store?
Is this a Builtin Object? I suspect not...
> -----Original Message-----
> From: dev-security-policy-bounces+walter.goulet=rsa...@lists.mozilla.org
> [mailto:dev-security-policy-
> bounces+walter.goulet=rsa...@lists.mozilla.org] On Behalf Of Eddy Nigg
> Sent: Friday, June 10, 2011 1:12 PM
> To: mozilla-dev-s...@lists.mozilla.org
> Subject: Re: Re : Re: Re : Amusing?
>
> On 06/10/2011 08:43 PM, From Walter...@rsa.com:
> > I have FF4.0.1 and there is at least 1 1024 bit CA in my certificate store.
>
> Is this a Builtin Object? I suspect not...
>
> --
> Regards
>
> Signer: Eddy Nigg, StartCom Ltd.
> XMPP: star...@startcom.org
> Blog: http://blog.startcom.org/
> Twitter: http://twitter.com/eddy_nigg
>
I'm not sure about the schedule, hopefully Kathleen has this one already
on her radar.
I downloaded the source code and checked, this CA is a bundled one. On Firefox 3.6 also.
Strange it doesn't appear in the following list:
http://www.mozilla.org/projects/security/certs/included/
But it exists in the linked spreadsheet.
There is no damage for the Certigna root, sub-CAs, or end-user
certificates.
The key was an old (expired since July 2010) test key for our website.
ALL our authority keys are inside HSMs!
Our root CA and all our sub-CAs are 2048 bits.
And many of our end-user certificates are now 2048 bits with SHA-256.
Some messages are posted by our French competitors… no comment.
Best Regards,
I'm confident this private key is not a CA key, and that your CA keys are all in HSMs.
Whether it's old, expired or a test one is irrelevant here. It's a private key. And it should have been kept secret. On one hand, failures can happen, the key was encrypted, and it may have been an unimportant key (but unless it's been decrypted, we can't be certain of that). On the other hand, your business turns around PKI, cryptography, private key management, and that kind of error, even if the key is unimportant, lifts up some doubts on your procedures.
> Our root CA and all our subCAs are 2048 bits.
> And much of our end-users certificates are now 2048 bits with SHA-256.
But not your website's. And I insist, SHA1 is still permitted (after all, the SHA2 family is not always usable, and no SHA1 collision has been exhibited yet), but there's no reason to use a predictable serial number. You're not following Opera, Microsoft, and Mozilla rules on this point.
> Some messages are posted by our French competitors… no comment.
And so what? We're pretty much all working for competitors, and some people post here under their private identity (as I do, because I'm personally interested in cryptography, and this interest started nearly 30 years ago).
Criticism is the rule here, you should have noticed it when you applied for inclusion into the Mozilla CA list. Criticism doesn't stop when your CA is included, as recent events show; I'm thinking about Comodo, and I find that Rob Stradling did a good job facing far more offensive threads than this one.
Criticizing is not bashing or trolling. The Comodo events just led to more work on CA/RA policies, the work done on MD2/4/5 by Chinese researchers in 2004 led to enhancements in CA practices (that's where the requirements for random serial numbers come from), and criticism of the Izenpe OCSP responders pushed them to implement compliant designs. I'm sure you can find more examples.
BTW (for other readers), I work for one of the "French competitors".
--
Erwann.
Walter was talking about the CA named
OU = DSTCA E1
O = Digital Signature Trust Co.
C = US
2 of them exist in Firefox source code, also in the spreadsheet, but not on the simple web page.
Yes, there are two Identrust roots in NSS that were added before March
1, 2007, so they are not listed in the included page at
http://www.mozilla.org/projects/security/certs/included/
As stated at the top of the simple web page: "This is a list of
companies and certificates included in the Mozilla project Root CA store
after March 1st, 2007. This list represents the information that was
considered when the CA applied for inclusion of their root."
Kathleen
> Whether it's old......it should have been kept secret. ........your business turns around PKI, cryptography........... even if the key is unimportant, lifts up some doubts on your procedures.
- About our procedures: we have the same standards (French RGS and ETSI) and auditors as yours, so I hope they are reasonably good. But we are constantly trying to improve them.
- About this incident: I agree that this key shouldn't have been there. A mistake + a severe warning (buzz?) from the web. So we are working to enhance and extend the scope of our procedures.
> > Our root CA and all our subCAs are 2048 bits.
> > And much of our end-users certificates are now 2048 bits with SHA-256.
> But not your website's. And I insist, SHA1 is still permitted..........but there's no reason to use a predictable serial number.
- Yes, our website is with a SHA-1 certificate. It was for compatibility with Windows XP SP2 and IE. SSL is required only in the customer area, accessed with mutual authentication. A new website is coming soon.
- About the serial numbers: we made the change. It is being tested and it will be effective at the beginning of July.
> And so what? We're pretty all working for competitors, ......... I'm personally interested in cryptography, ........ Criticism is the rule here, you should have noticed it when you applied for inclusion into the Mozilla CA list. Criticism doesn't not stop when your CA is included,........Criticizing is not bashing or trolling.
I agree with all of that. Criticizing makes us move forward. But I don't see messages like #4 or #5 as constructive criticism !
> Comodo events just led to more work on CA/RA policies, work done on MD2/4/5 by Chinese researchers............ I'm sure you can find more examples.
That's the right way "state of the art" progresses.
Yannick
It could be useful to check in the SSL Observatory how many certificates
actually use this CA.