Re: Improper SSL certificate issuing by CAs

for the information. Verisign OnSite service is allowing sub-CA for corporate. the corporate operator is able to request issueing SSL certificate for there server from VERISIGN ROOT CA. and verisign root ca automatically issues the certificate by the request of company. I think this is one of the

Re: Alerts on TLS Renegotiation

On 3/31/10 5:26 AM, Eddy Nigg wrote: > security.ssl.require_safe_negotiation > > I believe this to be a mistake for various reasons, but first and > foremost because an attack on a server without compromise of the client > data as well, is basically useless. When a attacker induces > ren

Re: Alerts on TLS Renegotiation

On 03/31/2010 05:26 AM, Eddy Nigg wrote: > [ Please follow up to mozilla.dev.tech.crypto ] > > After some discussion at bug 554594 I'm following up here - the bug > was unfortunately misused by me a little for the initial discussion. > > At https://wiki.mozilla.org/Security:Renegotiation under item

Re: Alerts on TLS Renegotiation

On 03/31/2010 06:48 PM, Eddy Nigg: On 03/31/2010 04:45 PM, Kai Engert: == snip quote begin == E.g., the attacker would send: GET /pizza?toppings=pepperoni;address=attackersaddress HTTP/1.1 X-Ignore-This: And the server uses the victim's account to send a pizza to the attacker. ==

Re: Improper SSL certificate issuing by CAs

Eddy Nigg wrote: > On 04/01/2010 02:40 PM, Michael Ströder: >> You could also spend ~5000 EUR and have your own corporate sub-CA issuing >> certs for whatever DNS name you want. > > Which doesn't imply that no domain control validation is performed. Off course everything is covered by contracts.

Re: S/MIME interop issue with Outlook 2010 beta

On 01.04.2010 07:42, Michael Ströder wrote: >> That aspect is covered by the CMS spec, actually. From RFC 5652, section >> 6.2.1: >> >> When an X.509 >> certificate is referenced, the key identifier matches the X.509 >> subjectKeyIdentifier extension value. >> >> IOW, Outlook shou

Re: Improving SSL client auth and bad certificate reporting in non-browser applications

On 26.03.2010 13:44, Gervase Markham wrote: The basic idea is to show an indicator in chrome whenever a site asks for client authentication, and give the user full control over using a personal certificate for authentication (or not using one). The interface should also support persistent confi

Re: Improper SSL certificate issuing by CAs

On 04/01/2010 02:40 PM, Michael Ströder: You could also spend ~5000 EUR and have your own corporate sub-CA issuing certs for whatever DNS name you want. Which doesn't imply that no domain control validation is performed. -- Regards Signer: Eddy Nigg, StartCom Ltd. XMPP:start...@start

Re: Improper SSL certificate issuing by CAs

Kurt Seifried wrote: >> Is this another 1st of April joke? At least your timing is a bit >> questionable ;-) > > No this is not an April fools joke. The PDF at Linux Magazine is what > will be in the print copy (due out in 3 weeks I believe). The reality > is you can trivially buy SSL certificates

Re: Improper SSL certificate issuing by CAs

On 04/01/2010 01:42 PM, Kurt Seifried: Is this another 1st of April joke? At least your timing is a bit questionable ;-) No this is not an April fools joke. The PDF at Linux Magazine is what will be in the print copy (due out in 3 weeks I believe). The reality is you can trivially buy SSL

Re: Improper SSL certificate issuing by CAs

> Is this another 1st of April joke? At least your timing is a bit > questionable ;-) No this is not an April fools joke. The PDF at Linux Magazine is what will be in the print copy (due out in 3 weeks I believe). The reality is you can trivially buy SSL certificates for websites you don't control

Re: Improper SSL certificate issuing by CAs

On 04/01/2010 10:35 AM, ssladministra...@portugalmail.pt: Kurt Seifried here: So I picked a webmail provider at random (sorry portugalmail.pt!) and filled in the account form, taking ssladministrator as the email name. Using this I was then able to buy a secure web certificate for portugalmai

Re: Improper SSL certificate issuing by CAs

On 04/01/2010 10:35 AM, ssladministra...@portugalmail.pt: Kurt Seifried here: So I picked a webmail provider at random (sorry portugalmail.pt!) and filled in the account form, taking ssladministrator as the email name. Using this I was then able to buy a secure web certificate for portugalmai

Re: Improper SSL certificate issuing by CAs

Hi Kurt, Terrific! What's your next step now? Where do you intend to publish it? PS. I know a real person who's name is Marco Polo ;-) Regards Signer: Eddy Nigg, COO/CTO StartCom Ltd. XMPP: start...@startcom.org Blog: Join the Revolution!

Re: Improper SSL certificate issuing by CAs

On Thu, 01 Apr 2010 08:35:28 +0100 ssladministra...@portugalmail.pt wrote: > Kurt Seifried here: > > So I picked a webmail provider at random (sorry portugalmail.pt!) and > filled in the account form, taking ssladministrator as the email name. > Using this I was then able to buy a secure web

Improper SSL certificate issuing by CAs

Kurt Seifried here: So I picked a webmail provider at random (sorry portugalmail.pt!) and filled in the account form, taking ssladministrator as the email name. Using this I was then able to buy a secure web certificate for portugalmail.pt since the verification process is so weak. Here are

Re: Using of HTML keygen element

Wan-Teh Chang wrote: Does anyone know why HTML5 specifies must use the md5WithRSAEncryption signature algorithm? Was the use of MD5 discussed when was standardized in HTML5? Eddy, does your CA accept a SignedPublicKeyAndChallenge (SPKAC) structure signed using sha1WithRSAEncryption? Wan-Teh