Subjunctive posted: someone at work today asked if we should join CA/BF because we do a lot of stuff with certs and why not, and I eventually became relatively sure that they aren’t Wayne
ironically, I’d laugh if the adventures of secfuck and CA/B means that everyone here takes a deeper interest in CA/B and brings it back to our respective orgs to push for better standards

Apr 18, 2024 22:24

May 3, 2024 07:04

Subjunctive posted: someone at work today asked if we should join CA/BF because we do a lot of stuff with certs and why not, and I eventually became relatively sure that they aren’t Wayne
Come along, you can join us in fun places like Bergamo and Seattle.

Apr 18, 2024 22:27

Raymond T. Racing posted: ironically, I’d laugh if the adventures of secfuck and CA/B means that everyone here takes a deeper interest in CA/B and brings it back to our respective orgs to push for better standards
we’re definitely not renewing our BIMI cert with Entrust when it expires! one down!

Apr 18, 2024 22:28

the adventures of secfuck and ca/b

Apr 18, 2024 22:35

BIMI sounds an awful lot like EV but for email.

Apr 18, 2024 22:35

spankmeister posted: BIMI sounds an awful lot like EV but for email.
except there's more support for BIMI than EV

Apr 18, 2024 22:49

spankmeister posted: BIMI sounds an awful lot like EV but for email.
yep sure does but it actually shows up in UI

Apr 18, 2024 23:00

spankmeister posted: BIMI sounds an awful lot like EV but for email.

Apr 19, 2024 01:55

Wiggly Wayne DDS posted: you can guess who's been pushing for EV to be a more generic validation mechanism to be put on top of any type of certificate... https://bimigroup.org/vmc-issuers/
ding ding ding!

Apr 19, 2024 02:01
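The BIMI-versus-EV comparison above comes down to one DNS record: `default._bimi.<domain>` TXT `v=BIMI1; l=<logo URL>; a=<VMC URL>`, where the `a=` tag is the EV-style Verified Mark Certificate. The parser below is an added illustration, not code from this thread or from the BIMI Group; it follows the tag layout of the BIMI draft spec as I understand it, and the sample records and domains are constructed. It is the kind of check a defender runs over their own domains to see which ones publish a VMC, which only publish a logo, and which have declined BIMI.

```python
"""Parse BIMI TXT records and classify them (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample records for hypothetical domains; not real DNS data.
SAMPLE_RECORDS: Dict[str, str] = {
    "with-vmc.example": "v=BIMI1; l=https://with-vmc.example/logo.svg; a=https://with-vmc.example/vmc.pem",
    "logo-only.example": "v=BIMI1; l=https://logo-only.example/logo.svg; a=",
    "declined.example": "v=BIMI1; l=; a=",
    "bad-scheme.example": "v=BIMI1; l=http://bad-scheme.example/logo.svg",
}


@dataclass
class BimiRecord:
    logo_url: Optional[str]          # l= tag, None when empty
    vmc_url: Optional[str]           # a= tag, None when empty (no VMC published)
    problems: List[str] = field(default_factory=list)


def parse_bimi(txt: str) -> BimiRecord:
    """Split a 'k=v; k=v' record into tags and validate the ones BIMI defines."""
    tags: Dict[str, str] = {}
    problems: List[str] = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            problems.append(f"malformed tag: {part!r}")
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()

    if tags.get("v") != "BIMI1":
        problems.append("missing or unsupported v= tag")

    logo = tags.get("l") or None
    vmc = tags.get("a") or None
    # Both the logo and the VMC must be fetched over HTTPS; anything else is rejected.
    for name, url in (("l", logo), ("a", vmc)):
        if url and urlparse(url).scheme != "https":
            problems.append(f"{name}= must be an https URL")
    return BimiRecord(logo, vmc, problems)


def classify(txt: str) -> str:
    """Reduce a record to one of: invalid, declined, logo-only, vmc."""
    rec = parse_bimi(txt)
    if rec.problems:
        return "invalid"
    if rec.logo_url is None:
        return "declined"        # empty l= is how a domain opts out of BIMI
    if rec.vmc_url is None:
        return "logo-only"       # logo without a VMC: mail clients that require a VMC ignore it
    return "vmc"


def audit(records: Dict[str, str]) -> Dict[str, str]:
    """Classify every record in a domain -> TXT mapping."""
    return {domain: classify(txt) for domain, txt in records.items()}


if __name__ == "__main__":
    for domain, verdict in audit(SAMPLE_RECORDS).items():
        print(f"{domain:22} {verdict}")
```

In a real audit the `SAMPLE_RECORDS` dictionary would be replaced by the TXT answers for `default._bimi.<domain>`; the parser itself is deliberately strict about `v=BIMI1` and the `https` scheme because a permissive parser is exactly how a stray record ends up displayed as a trusted logo.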
of course they're doing well already with their VMC. https://bugzilla.mozilla.org/show_bug.cgi?id=1802916
quote: Why did it take so long to discover the problematic EV certificates?

Apr 19, 2024 02:09

p0 put out a good series on the windows registry and lpes:
https://googleprojectzero.blogspot.com/2024/04/the-windows-registry-adventure-1.html
https://googleprojectzero.blogspot.com/2024/04/the-windows-registry-adventure-2.html

Apr 19, 2024 02:44

Subjunctive posted: I dunno who’s fuzzing the Postgres protocol handler but I bet they aren’t using exactly the same config as you are
yeah, i was just thinking that a bunch of three letter agencies are definitely sitting on a bunch of postgres vulns

Apr 19, 2024 03:15

redleader posted: yeah, i was just thinking that a bunch of three letter agencies are definitely sitting on a bunch of postgres vulns
clearly everyone should just switch back to my

Apr 19, 2024 04:34

Quackles posted: clearly everyone should just switch back to my
your what

Apr 19, 2024 04:53

Shame Boy posted: your what
my sql

Apr 19, 2024 05:08

Reminder:
> MySQL is named after co-founder Monty Widenius's daughter, My.

Apr 19, 2024 11:07

mysql got oracle'd so the new goodness is mariadb which is named after the other daughter lol

Apr 19, 2024 12:04

I always thought naming your dogs Inno and ISAM was weird but I guess it worked out

Apr 19, 2024 12:21

my daughter is named postgre

Apr 19, 2024 12:31

Wiggly Wayne DDS posted: p0 put out a good series on the windows registry and lpes:
looking forward to my office reading today, been wondering where they’ve been

Apr 19, 2024 13:06

Captain Foo posted: looking forward to my office reading today, been wondering where they’ve been
i didn't include this in the open issues A-Z list as i was awaiting more info but it just dropped...
2024-03-22: Chunghwa Telecom: Wrong Extended Key Usage setting by GTLSCA
2024-04-19: Chunghwa Telecom: Instructions for Delayed Revocation Due to GTLSCA EKU Misissuance
- initially informed of 3 invalid certs 2024-03-19, investigated and noticed it affected 6450
- action item for original report notes 'revoke all problematic certs' by 2024-04-05
- on 2024-03-22 this changes to 2024-04-17
- they finally attach a list of all 6450 certs on 2024-04-10 after prompting
- their latest response is.. uh..
Leo Fang (trimmed) posted:
- their new incident report just posted changes the 'Revoke all problematic certs' due date to 2024-05-15 and says it's "Not yet started"
- but they have reissued all certs in batches, delayed due to the Ching Ming Festival holiday taking them 10 days
- they do not appear to have revoked a single certificate so far

Apr 19, 2024 13:10

im gonna start a CA and just reply "soz cant do it chief" to all my tickets

Apr 19, 2024 14:11

Carthag Tuek posted: my daughter is named postgre
so does this mean there's a Mr. SQL too

Apr 19, 2024 14:31

wait no that joke only works if it were mrssql not mssql, i'm not entirely awake yet

Apr 19, 2024 14:32

the reg stuff was a good intro but i want mooooooreeee

Apr 19, 2024 14:44

Carthag Tuek posted: im gonna start a CA and just reply "soz cant do it chief" to all my tickets
Entrust: EV TLS Certificate cPSuri missing
Paul van Brouwershaven posted: As described previously, we examined the issue and made a determination that it would be in the best interests of the Web PKI to not revert to a practice that the CA/Browser Forum had adopted as “not recommended.”
Paul van Brouwershaven posted: We have explained that we are dealing with different subscribers than other CAs that might issue much larger volumes than we do. We hope that members of the community who have experience in the field where Entrust operates understand our challenges and that we are doing everything we can to make our subscribers better prepared and more agile for security incidents. We have had teams working with our subscribers and walk them through the revocation and reissuance process. This process has included multiple touchpoints with subscribers by phone, email, and text message. The impact to subscribers is an important consideration in certain instances like these where security issues are not at play, because when subscribers fail to act this will directly impact relying parties.
Bruce Morton posted: Ryan and all – As previously noted, we believe that the incident described in this bug is an exceptional circumstance that merits a reasonable decision not to revoke, as we have outlined. We have taken responsibility for our mistakes and are addressing issues with attention to requirements and the overall health of the Web PKI ecosystem.
Bruce Morton posted: Paul, we acknowledge your comments. One thing we will note is that we have been educating our customers on the need for agility and will continue to advance these efforts.

Apr 19, 2024 14:48

lmao i love it when companies tell me they acknowledge my comments, it definitely fulfills my psychological need to be heard and understood just as well as if they had actually heard and understood me and demonstrated it behaviorally

Apr 19, 2024 15:12

what a bunch of words to tell me jack poo poo. there’s no SMART goals, just vibes

Apr 19, 2024 15:30

Wiggly Wayne DDS posted: i'm uh, bolding the part that stood out to me. they're outright saying they don't have the technical capability to revoke and reissue. this is another ca making up exceptional circumstances rules where this doesn't appear in any policy
the honesty is kinda refreshing after a few weeks of watching Entrust's flailing

Apr 19, 2024 15:39

quote: If a similar incident were to occur, our decisions would reflect our dedication to the BRs and secure internet practices, informed by constructive dialogue within the industry.

Apr 19, 2024 15:42

Raymond T. Racing posted: but Paul, you’ve just shown that your decisions do not follow the BRs with this incident, how are we supposed to take that seriously
We understand how serious this issue is. Please be assured that we are undertaking a great deal of effort. We will work hard to better deal with incidents like these, and continue to work with our customers on this.

Apr 19, 2024 15:48

Pendragon posted: We understand how serious this issue is. Please be assured that we are undertaking a great deal of effort. We will work hard to better deal with incidents like these, and continue to work with our customers on this.
I know that this is just a satire bit but I instinctively went “come the gently caress on” when reading

Apr 19, 2024 15:53

Raymond T. Racing posted: I know that this is just a satire bit but I instinctively went “come the gently caress on” when reading
whenever I needed inspiration for a sentence, I scrolled up to Wayne's post, read a line or two, and immediately knew what to put down. it's just such brilliant and transparent bullshittery.

Apr 19, 2024 15:57

Shame Boy posted: lmao i love it when companies tell me they acknowledge my comments, it definitely fulfills my psychological need to be heard and understood just as well as if they had actually heard and understood me and demonstrated it behaviorally
"we see you, we hear you" but for certs

Apr 19, 2024 16:09

Raymond T. Racing posted: but Paul, you’ve just shown that your decisions do not follow the BRs with this incident, how are we supposed to take that seriously
if you read it one way, they're saying they only have to follow the BRs when and in ways that would be "informed by constructive dialog within the community", and if they've demonstrated one thing they sure can have lots of constructive dialog within the community!!

Apr 19, 2024 16:34

it's important to note there are many overlapping requirements for a CA when it comes to revocation due to mis-issuance, none of them give any leeway other than "do it within 24h; or 5d" where there's different circumstances for both.
Mozilla's policy: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
Mozilla's incident response guide: https://wiki.mozilla.org/CA/Responding_To_An_Incident
CAB's TLS BR (2.0.4, latest): https://cabforum.org/working-groups/server/baseline-requirements/documents/TLSBRv2.0.4.pdf
CAB posted: 4.9 Certificate revocation and suspension

Apr 19, 2024 17:02
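The post above (24h or 5d, nothing in between) and the Chunghwa Telecom timeline posted earlier in the thread (aware on 2024-03-19, revocation due date moved to 2024-04-05, then 2024-04-17, then 2024-05-15) make a good pair for a small checker. The script below is an added example, not code from the thread, the BRs, or any CA: it computes the BR deadline from the date the CA became aware and reports how many days late each planned date is. The reason-to-window mapping is my own summary of TLS BR 4.9.1.1 and is labelled as an assumption in the code; anyone writing a real incident report should cite the section itself. Dates are taken from the thread and, since only dates were given, the time of day is assumed to be 00:00 UTC.

```python
"""Revocation deadline checker for CA incident timelines (added example)."""
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

UTC = timezone.utc

# ASSUMPTION: my summary of which BR 4.9.1.1 reasons sit on the 24-hour clock
# and which on the 5-day clock. The EKU and cPSuri cases from the thread fall
# under "certificate not issued in accordance with the BRs", i.e. 5 days.
WINDOW_24H = {"key_compromise", "subscriber_request", "unauthorized_request", "validation_unreliable"}
WINDOW_5D = {"not_br_compliant", "wrong_eku", "missing_cpsuri", "inaccurate_info", "misuse"}


def hours_allowed(reason: str) -> int:
    """Hours the CA has from becoming aware, per the assumed mapping above."""
    if reason in WINDOW_24H:
        return 24
    if reason in WINDOW_5D:
        return 5 * 24
    raise ValueError(f"unknown reason {reason!r}")


def revocation_deadline(aware_at: datetime, reason: str) -> datetime:
    """The clock starts when the CA becomes aware, not when it finishes investigating."""
    return aware_at + timedelta(hours=hours_allowed(reason))


def assess(aware_at: datetime, reason: str, dates: List[datetime]) -> List[Tuple[str, float]]:
    """For each planned or actual revocation date, return (ISO date, days past the deadline)."""
    deadline = revocation_deadline(aware_at, reason)
    result = []
    for d in dates:
        late_days = (d - deadline).total_seconds() / 86400
        result.append((d.date().isoformat(), round(max(late_days, 0.0), 1)))
    return result


# Timeline as posted in the thread for the Chunghwa Telecom EKU report
# (times assumed 00:00 UTC because only dates were given).
CHT_AWARE = datetime(2024, 3, 19, tzinfo=UTC)
CHT_DUE_DATES = [
    datetime(2024, 4, 5, tzinfo=UTC),    # original 'revoke all problematic certs' date
    datetime(2024, 4, 17, tzinfo=UTC),   # revised on 2024-03-22
    datetime(2024, 5, 15, tzinfo=UTC),   # revised again in the 2024-04-19 report
]


def cht_report() -> List[Tuple[str, float]]:
    """Days late for each successive due date in the Chunghwa timeline."""
    return assess(CHT_AWARE, "wrong_eku", CHT_DUE_DATES)


if __name__ == "__main__":
    print("BR deadline:", revocation_deadline(CHT_AWARE, "wrong_eku").date())
    for iso_date, late in cht_report():
        print(f"planned {iso_date}: {late:.1f} days past deadline")
```

Every one of the three planned dates is past the five-day deadline of 2024-03-24, which is the point the post makes: the BRs leave no room for a revised due date, only for a late revocation that the CA then has to explain in its incident report.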
e: i was gonna change it to be about entrust but i cant be arsed

Apr 19, 2024 17:09

Wiggly Wayne DDS posted: it's important to note there are many overlapping requirements for a CA when it comes to revocation due to mis-issuance, none of them give any leeway other than "do it within 24h; or 5d" where there's different circumstances for both.
so basically: they’ve flagrantly violated the Mozilla and Google requirements, right? if I’m a person in charge of a root program, and I’m seeing this, I’m absolutely having that internal discussion of how much letting it slide is too much. let this poo poo go and it shows that CA/B has no teeth

Apr 19, 2024 17:26

To play stick in the mud by coming in with incident theory talk, if you have a policy and find it is never respected, then you have to wonder if the policy actually is realistic and practical to implement. I'm not saying Entrust is in the right here, but that if what you find in aggregate is that pretty much no one meets the policy properly, then the problem isn't necessarily that everyone fails while the policy is correct; it might be that the expectations and consequences of the revocations do clash with what the policy wishes the world were like when it isn't. I don't actually know any of these numbers because I've only read this thread and not any of the other stuff. If we find that pretty much only a few CAs constantly fail with these things while others succeed (which is different from "not failing by never exercising the policy"), then yeah the policy might be fine and corrective action on the CA required. If it's 50-50 you also gotta wonder if there's any population-level distinction that could be in play: what is the difference between the context of those who succeed and those who don't, aside from their lack of adherence to rules? But for all the normative "you gotta follow the rules" approaches, there's always a real risk that said rules are based on an inaccurate or impractical view of the world and that can't be successfully met predictably.

Apr 19, 2024 19:40

MononcQc posted: To play stick in the mud by coming in with incident theory talk, if you have a policy and find it is never respected, then you have to wonder if the policy actually is realistic and practical to implement. I'm not saying Entrust is in the right here, but that if what you find in aggregate is that pretty much no one meets the policy properly, then the problem isn't necessarily that everyone fails while the policy is correct; it might be that the expectations and consequences of the revocations do clash with what the policy wishes the world were like when it isn't.
that's absolutely true, but I think it's unheard of for a CA to know that they're mis-issuing certs, then continue to issue them until being called out by everyone in the community. something very clearly seems wrong at the helm of entrust where they're not even making lip service to the policies

Apr 19, 2024 20:36