From owner-freebsd-security@freebsd.org  Wed Sep 28 06:40:43 2016
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id B89A7BEC82F
 for <freebsd-security@mailman.ysv.freebsd.org>;
 Wed, 28 Sep 2016 06:40:43 +0000 (UTC) (envelope-from nzp@riseup.net)
Received: from mx1.riseup.net (mx1.riseup.net [198.252.153.129])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "*.riseup.net",
 Issuer "COMODO RSA Domain Validation Secure Server CA" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id A26F2E80;
 Wed, 28 Sep 2016 06:40:43 +0000 (UTC) (envelope-from nzp@riseup.net)
Received: from cotinga.riseup.net (unknown [10.0.1.164])
 (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
 (Client CN "*.riseup.net",
 Issuer "COMODO RSA Domain Validation Secure Server CA" (verified OK))
 by mx1.riseup.net (Postfix) with ESMTPS id F2B481A051D;
 Wed, 28 Sep 2016 06:40:35 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak;
 t=1475044836; bh=VNSnIbIlorL2+sV+59psgDxYjp35rQTVkHEXVT9jrM4=;
 h=Date:From:To:Cc:Subject:In-Reply-To:References:From;
 b=EeFgxi0HcOCOqnUMqk3CsbwhLZW0ufrOKwXcX4Rrm69ppyHAFXbPy1q6BwLc9NNoA
 V4GbiKir9IzDl7kXHIJNAcYRG6TfGZ4gZwQSDRmL/Ik3JklXHw9F3alkx/tvmq5crN
 My321tj/JFbyvBcQSAmPcw8Axpfvf69NewuYG+JQ=
Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated sender: nzp)
 with ESMTPSA id 3BE07400A8
Date: Wed, 28 Sep 2016 08:40:27 +0200
From: Nikola =?UTF-8?B?UGF2bG92acSH?= <nzp@riseup.net>
To: Matthew Seaman <matthew@FreeBSD.org>
Cc: freebsd-security@freebsd.org
Subject: Re: Two Dumb Questions
Message-ID: <20160928084027.20ca33f2@riseup.net>
In-Reply-To: <74ed7019-cb87-c55a-fb6d-1c016bf04d59@FreeBSD.org>
References: <32084.1474872154@segfault.tristatelogic.com>
 <74ed7019-cb87-c55a-fb6d-1c016bf04d59@FreeBSD.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Sep 2016 06:40:43 -0000

On Mon, 26 Sep 2016 10:31:02 +0200
Matthew Seaman <matthew@FreeBSD.org> wrote:
[...]
> > 
> >      https://censys.io/
> > 

[...]

> 
> Hmmm... their TLS certificate is issued by 'StartCom Class 1 DV Server
> CA'  This is a CA that prominently advertizes free SSL certificates,
> but otherwise looks like it charges just like any other CA.
> See: http://www.startssl.com/  No idea if this CA is any good but
> there's nothing to suggest any wrong doing just from their site.

Just an FYI regarding StartCom:  Mozilla is suspending their CA for
one year (and quite likely forever, it's unlikely they'll be able to
meet the requirements for reactivation).  Lots more info here in
Mozilla's investigation report:
https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/preview


-- 
PGP: 28CC 9078 8358 CE2D 6824  A5BC 2DB2 CD24 5BE7 8F06