Hi Inigo,

On 15/09/17 17:30, Inigo Barreira wrote:
> There wasn't a lack of integrity and monitoring, of course not. All PKI logs 
> were and are signed, it's just the auditors wanted to add the integrity to 
> other systems which is not so clear that should have this enabled. For 
> example, if you want to archive database information for not managing a big 
> one, the integrity of the logs could be a problem when trying to "move" to an 
> archive system. I had some discussions about the "scope" of the integrity. 
> Regarding the monitoring, well, we monitor many things, in both data centers, 
> 24x7, etc. For this specific issue, it's true that we didn't have it 
> automatically but manually, but well, and we implemented a solution, but this 
> is not a lack of monitoring. I think the audits are to correct and improve 
> the systems and don't think any CA at the first time had everything correct. 
> So, for example, I thought this finding was good because it made us improve.
> 
>> Repairing them afterwards does not remove the uncertainty.
> 
> Well, then any issue that you could find, even repaired or fixed, does not 
> provide you any security and hence you should not trust anyone. 

Not so. There is particular concern about issues with auditing and
monitoring. For other issues, you can check the logs to see whether a
particular bug was abused. If the auditing or monitoring is broken or
inadequate, you can't tell what happened.

>> I may have made a mistake here. I was under the impression that you had
>> told me that your new hierarchy, cross-signed by Certnomis, had issued
>> 50,000 certificates. Did I misunderstand? If so, my apologies.
> 
> No, or not totally. We have issued those certs but not cross-signed by 
> Certinomis because we didn't have the cross-signed certificates so, all of 
> them were issued under the new startcom hierarchy.

But once the cross-signed cert is publicly available (and it is; it's in
CT, however it got there), all of those certificates become trusted (or
potentially trusted, if the owner reconfigures their webserver to serve
the intermediate, or if Firefox has already encountered it in the
current browsing session).

> This is something I don't understand. Why do you say the audits I presented 
> don't meet the BRs? Because of the findings? The auditors indicate those were 
> fixed.

I don't believe there's a formal way for an auditor to bindingly say "by
the way, the problems we found have since been fixed" in an audit
report. But to help me understand: exactly what statement on what page
of your audit report(s) are you referring to here?

> About the remediation steps, well, I answered the bug about it providing all 
> the info and yes, you haven't answered yet, neither to approve nor to deny.

Right. So why are you proceeding?

You might reasonably complain it's taken us a while to respond to that
comment about the steps. Yes, it has. The Mozilla inclusion process is
slow. :-(

>> In fact, recently, I asked for permission to use the Certinomis cross-signed
>> certificates and have no response. I don't know if this is an administrative
>> silence which may allow me to use it but until having a clear direction we
>> haven't used it.
>>
>> Can you remind me how you asked and when?
> 
> It was in an email of Sept 4th, titled "StartCom communication" in which at 
> the end of the long email I asked for feedback to use the cross-signed 
> certificates and give additional explanations.

I have no record of any email with that title, or any email from you
between 15th August ("Re: Problem Reporting Mechanism") and 11th
September ("Re: Remove old Startcom roots from NSS"). Where did you send it?

Gerv
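The trust effect Gerv describes above, where certificates issued under the new hierarchy become valid the moment the cross-signed certificate is obtainable (from the server, from CT, or from a browser's cache), can be shown with a small path-building model. This is an added example, not code from the thread or from any CA or browser; the CA names and the leaf are constructed, and the model matches on subject/issuer names only, with no signature checks.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Cert:
    """Minimal certificate record: only the fields path building keys on."""
    subject: str
    issuer: str


def build_path(leaf: Cert, pool: Iterable[Cert], anchors: set[str],
               max_depth: int = 6) -> Optional[list[Cert]]:
    """Depth-first path building from `leaf` up to a certificate whose issuer
    is a trust anchor. Every candidate issuer certificate with a matching
    subject name is tried, so a self-signed and a cross-signed version of the
    same CA are both explored. Returns the chain (leaf first) or None."""
    pool = list(pool)

    def search(chain: list[Cert]) -> Optional[list[Cert]]:
        current = chain[-1]
        if current.issuer in anchors:          # reached the trust store
            return chain
        if len(chain) >= max_depth:
            return None
        for cand in pool:
            if cand.subject != current.issuer or cand in chain:
                continue
            if cand.subject == cand.issuer:    # self-signed, not an anchor: dead end
                continue
            found = search(chain + [cand])
            if found:
                return found
        return None

    return search([leaf])


# Constructed scenario: the browser trusts only the old root.
TRUST_STORE = {"Certinomis Root CA (constructed)"}
NEW_ROOT = "StartCom New Root (constructed)"
new_root_self_signed = Cert(NEW_ROOT, NEW_ROOT)                      # untrusted on its own
cross_cert = Cert(NEW_ROOT, "Certinomis Root CA (constructed)")      # same name, trusted issuer
issuing_ca = Cert("StartCom New Issuing CA (constructed)", NEW_ROOT)
leaf = Cert("www.example.test", "StartCom New Issuing CA (constructed)")


def chain_without_cross_cert() -> Optional[list[Cert]]:
    return build_path(leaf, [issuing_ca, new_root_self_signed], TRUST_STORE)


def chain_with_cross_cert() -> Optional[list[Cert]]:
    # The cross-cert can enter the pool from the server, CT, or a browser cache.
    return build_path(leaf, [issuing_ca, new_root_self_signed, cross_cert], TRUST_STORE)
```

The first call finds no path; the second reaches the old root through the cross-signed certificate, which is why the 50,000 certificates are potentially trusted once that certificate is public.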
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy