Andrew Ayer
Bootstrapped founder of , where I make SSL certificates easier and do and stuff.
Andrew Ayer Jan 29
That was issued by Digicert, from a white label intermediate CA.
Andrew Ayer Jan 26
Replying to @hanno
Chrome announced their 2020 plans for Certificate Transparency:
Andrew Ayer Jan 10
Replying to @MadebyBurton
I do not use AV.
Andrew Ayer Jan 10
Replying to @BRIAN_____
Same. And I'm glad we got to meet in person, even if it was nigh impossible to have a conversation in that bar!
Andrew Ayer retweeted
Real World Crypto Jan 7
We are pleased to announce that 2020 will be live-streamed. Link:
Andrew Ayer Jan 7
Replying to @tommy_hs
Yes, I'm correct. See Section 2.6 of RFC6960.
Andrew Ayer Jan 7
Replying to @__agwa
Hopefully the SHA-1 OCSP responses are all signed from a sub-CA technically constrained to OCSP (as required by Mozilla policy) so it can't be used to forge an actual certificate.
Andrew Ayer Jan 7
Replying to @__agwa
I haven't scanned OCSP responders in a while, but I'm sure there are still CAs signing OCSP responses with SHA-1, because it was never forbidden, and CAs will keep doing something dangerous as long as it's not forbidden.
Andrew Ayer Jan 7
You calculate a SHA-1 chosen prefix and you choose to attack the PGP Web-of-Trust!? Come on, forge an OCSP response from a publicly-trusted CA instead!
Andrew Ayer Jan 5
Replying to @alethenorio
Thanks! The FSF considers any kind of linking to a (A)GPL-licensed software component to be a modification, requiring the entire combined work to be (A)GPL-licensed also. This blog post goes into greater detail:
Andrew Ayer Jan 5
New blog post: This Is Why You Always Review Your Dependencies, AGPL Edition
Andrew Ayer Dec 27
Replying to @cryptodavidw
The other success story of CT is integrating it with certificate linters to make CAs issue certificates that are actually standards-compliant. Previously, certificate parsers had to be lax to parse all certificates. Now they can be strict, which is a huge win for security.
Andrew Ayer Dec 27
Replying to @hanno @cryptodavidw
Certinomis is another example of a CA that was removed from Mozilla in large part due to misissuances found in CT
Andrew Ayer Dec 20
Replying to @agl__
Gah, Twitter ate the URL:
Andrew Ayer Dec 20
Replying to @agl__
Pretty sure the article is wrong. Although Linus was talking about making getrandom nonblocking, he ultimately went with this commit instead:
Andrew Ayer retweeted
Frank Denis Dec 11
miekg/dns before version 1.1.25 released today uses predictable DNS transaction IDs, can lead to response forgeries
Andrew Ayer Dec 7
It will be sort of like that, except the importing will be continuous (since CAA records can change over time) and the user will be informed over email when there's a change.
Andrew Ayer Dec 7
There's no CT-like system for DNS. Since Cert Spotter is a CT monitor, it shouldn't rely on a system that has weaker security guarantees than CT.
Andrew Ayer Dec 7
Quite a few people have asked for CAA to be consulted. Have to be careful, because DNS is not transparent and (usually) not authenticated. Current plan is to make it an option, and send an email any time Cert Spotter relies on a CAA record for the first time.
Andrew Ayer Dec 7
Replying to @FiloSottile @SSLMate
Per-endpoint authorization is definitely planned. Had to cut it from the initial release to get it out the door :-)