
Pre-cert misissuance


Gervase Markham

Sep 19, 2015, 10:21:23 AM
to mozilla-dev-s...@lists.mozilla.org
Symantec just fired people for mis-issuing a google.com 1-day pre-cert:

http://www.symantec.com/connect/blogs/tough-day-leaders

http://googleonlinesecurity.blogspot.co.uk/2015/09/improved-digital-certificate-security.html

Google: "Our primary consideration in these situations is always the
security and privacy of our users; we currently do not have reason to
believe they were at risk."

Gerv

Brian Smith

Sep 19, 2015, 12:30:06 PM
to Gervase Markham, mozilla-dev-s...@lists.mozilla.org

People have been fired for worse reasons.

Good job, Google!

Cheers,
Brian
--
https://briansmith.org/

Brian Smith

Sep 19, 2015, 2:12:13 PM
to Gervase Markham, mozilla-dev-s...@lists.mozilla.org
On Sat, Sep 19, 2015 at 7:20 AM, Gervase Markham <ge...@mozilla.org> wrote:

> Symantec just fired people for mis-issuing a google.com 1-day pre-cert:
>

By the way, Symantec didn't say "pre-cert," they said "certificates".

Also, we shouldn't be splitting hairs at the difference between
pre-certificates and certificates as far as mis-issuance detection is
concerned. If people think there is a meaningful (technical, legal, etc.)
distinction between a pre-certificate being logged via CT and the
corresponding certificate being logged in CT, then we should consider
removing the pre-certificate mechanism from CT so that there's no doubts in
that. My view is that there is no meaningful difference.

Cheers,
Brian

Richard Barnes

Sep 19, 2015, 5:06:23 PM
to Brian Smith, mozilla-dev-s...@lists.mozilla.org, Gervase Markham
On Sat, Sep 19, 2015 at 2:12 PM, Brian Smith <br...@briansmith.org> wrote:

> On Sat, Sep 19, 2015 at 7:20 AM, Gervase Markham <ge...@mozilla.org> wrote:
>
> > Symantec just fired people for mis-issuing a google.com 1-day pre-cert:
> >
>
> By the way, Symantec didn't say "pre-cert," they said "certificates".
>

Well, a "pre-cert" is just a certificate with the poison extension in it.

--Richard



>
> Also, we shouldn't be splitting hairs at the difference between
> pre-certificates and certificates as far as mis-issuance detection is
> concerned. If people think there is a meaningful (technical, legal, etc.)
> distinction between a pre-certificate being logged via CT and the
> corresponding certificate being logged in CT, then we should consider
> removing the pre-certificate mechanism from CT so that there's no doubts in
> that. My view is that there is no meaningful difference.
>
> Cheers,
> Brian

Phillip Hallam-Baker

Sep 19, 2015, 5:34:00 PM
to Richard Barnes, Gervase Markham, mozilla-dev-s...@lists.mozilla.org, Brian Smith
Before this goes too far. Perhaps we should have an in person meeting on
how to deal with this down in the valley and do a review on ACME at the
same time. These being somewhat linked.

The controls Tim Mather and co brought over from the NSA worked well for 20
years but it looks like they have been eroded. At this point we are on the
brink of a technology transition to ECC and also deploying CT.

There are options on the table today that we did not know existed in 1995.

Rob Stradling

Sep 21, 2015, 3:08:23 AM
to Brian Smith, Gervase Markham, mozilla-dev-s...@lists.mozilla.org
On 19/09/15 19:12, Brian Smith wrote:
> On Sat, Sep 19, 2015 at 7:20 AM, Gervase Markham <ge...@mozilla.org> wrote:
>
>> Symantec just fired people for mis-issuing a google.com 1-day pre-cert:
>
> By the way, Symantec didn't say "pre-cert," they said "certificates".
>
> Also, we shouldn't be splitting hairs at the difference between
> pre-certificates and certificates as far as mis-issuance detection is
> concerned. If people think there is a meaningful (technical, legal, etc.)
> distinction between a pre-certificate being logged via CT and the
> corresponding certificate being logged in CT, then we should consider
> removing the pre-certificate mechanism from CT so that there's no doubts in
> that. My view is that there is no meaningful difference.

There is no meaningful difference. Anyone who thinks otherwise has not
read RFC6962 Section 3.1 properly. It says the following about
precertificate (mis)issuance...

"The signature on the TBSCertificate indicates the certificate
authority's intent to issue a certificate. This intent is considered
binding (i.e., misissuance of the Precertificate is considered equal
to misissuance of the final certificate)."

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
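
[Added example, not part of the thread and not any poster's code: the poison extension mentioned above is the critical extension with OID 1.3.6.1.4.1.11129.2.4.3 whose value is an ASN.1 NULL (RFC 6962 Section 3.1), so a monitor can recognise a precertificate and still count it as an issuance event. The function names and the unsigned sample skeleton are hypothetical, constructed for illustration.]

```python
# Added example: find the RFC 6962 poison extension in a DER certificate.
POISON_OID = bytes.fromhex("2b06010401d679020403")  # 1.3.6.1.4.1.11129.2.4.3

def read_tlv(buf, off):
    """Return (tag, value, next_offset) for the DER element at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[off:off + length], off + length

def children(value):
    """Yield (tag, value) for each element inside a constructed value."""
    off = 0
    while off < len(value):
        tag, val, off = read_tlv(value, off)
        yield tag, val

def is_precertificate(cert_der):
    """True if tbsCertificate carries the critical poison extension."""
    _, cert, _ = read_tlv(cert_der, 0)
    _, tbs = next(children(cert))            # first element: tbsCertificate
    for tag, wrapper in children(tbs):
        if tag == 0xA3:                      # [3] EXPLICIT Extensions
            _, extensions = next(children(wrapper))
            for _, ext in children(extensions):
                fields = list(children(ext))  # OID, [critical], extnValue
                if (fields[0][1] == POISON_OID and fields[1] == (0x01, b"\xff")
                        and fields[-1] == (0x04, b"\x05\x00")):
                    return True
    return False

def audit_label(cert_der):
    """Precertificate or not, the entry is treated as an issuance event."""
    kind = "precertificate" if is_precertificate(cert_der) else "certificate"
    return ("issuance", kind)

def tlv(tag, value):  # encoder for the sample only (short-form lengths)
    return bytes([tag, len(value)]) + value

def sample_cert(poisoned):
    """Constructed, unsigned skeleton: version, serial, extensions only."""
    exts = tlv(0x30, tlv(0x06, bytes.fromhex("551d13")) + tlv(0x04, b"\x30\x00"))
    if poisoned:
        exts += tlv(0x30, tlv(0x06, POISON_OID) + tlv(0x01, b"\xff") + tlv(0x04, b"\x05\x00"))
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0xA3, tlv(0x30, exts))
    return tlv(0x30, tlv(0x30, tbs))
```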

Gervase Markham

Sep 21, 2015, 1:07:37 PM
to Brian Smith
On 19/09/15 19:12, Brian Smith wrote:
> On Sat, Sep 19, 2015 at 7:20 AM, Gervase Markham <ge...@mozilla.org> wrote:
>
>> Symantec just fired people for mis-issuing a google.com 1-day pre-cert:
>
> By the way, Symantec didn't say "pre-cert," they said "certificates".
>
> Also, we shouldn't be splitting hairs at the difference between
> pre-certificates and certificates as far as mis-issuance detection is
> concerned.

I wasn't particularly splitting hairs. It was a pre-cert, so I said
"pre-cert". That wasn't intended to imply that it was no big deal.

Gerv

