Hi Wayne

Buypass has used the TLS-SNI-01 method in our ACME Pilot running since last 
summer. We have issued some certificates using this method - fewer than 60 
certificates are still active and not revoked, most of them issued to 
internal users and systems. 

We stopped using this method immediately when notified by Let's Encrypt on 
January 10th, and we have not used the method since.

Regards
Mads 



-----Original Message-----
From: dev-security-policy 
[mailto:dev-security-policy-bounces+mads.henriksveen=buypass...@lists.mozilla.org]
 On Behalf Of Wayne Thayer via dev-security-policy
Sent: tirsdag 23. januar 2018 23:12
To: Ryan Sleevi <r...@sleevi.com>
Cc: Doug Beattie <doug.beat...@globalsign.com>; 
mozilla-dev-security-pol...@lists.mozilla.org; Matthew Hardeman 
<mharde...@gmail.com>; Alex Gaynor <agay...@mozilla.com>
Subject: Re: TLS-SNI-01 and compliance with BRs

On Sat, Jan 20, 2018 at 1:07 AM, Ryan Sleevi via dev-security-policy < 
dev-security-policy@lists.mozilla.org> wrote:

> <snip>
> > Based on this, do we need a ballot to remove them from the BRs, or 
> > put in a statement in them to the effect that they can be used only 
> > if approved by Google on this list?  I’m not picking on Ryan, but he’s 
> > the only root program representative that has expressed strong views 
> > on what is permitted and what is not (else you have your CA revoked or 
> > root pulled from the program).
> >
>
> As Wayne has pointed out, CAs participating within the Mozilla program 
> are expected to be following this list.
>
> That said, in my past messages regarding .9 and .10, I thought it was 
> rather clear we’d like to see these methods removed if the community 
> is unable to make progress in securing them, such that the limited 
> exceptions can be removed and all can use them.
>
> Mozilla's position is as follows:

Given that the specific vulnerabilities present in BR 3.2.2.4 methods .9 and 
.10 were reported nearly two weeks ago, Mozilla's minimum expectation is that 
all CAs using either method have disclosed that fact and have described their 
response on this list. Any CA that has not is now requested to do so 
immediately. Currently, Mozilla views new or continued use of these methods for 
domain validation to be misissuance unless the CA has first implemented and 
disclosed an appropriate mitigation for the known vulnerabilities. While 
Mozilla is open to strengthening these methods, CAs are strongly discouraged 
from using them and are encouraged to migrate away from them until such 
improvements are vetted and standardized by the CA/Browser Forum.

Note: Please recognize that Mozilla's position applies to our own CA Program 
and in no way changes or overrides earlier statements made by Ryan representing 
Chrome on this list.

I have added issue #116 to the PKI Policy repository [1] to consider removing 
methods 1, 5, 9, and 10 from a future version of the root store policy.

- Wayne

[1] https://github.com/mozilla/pkipolicy/issues
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy