All,
On Monday, I'm going to recommend to Kathleen that we proceed with these
root inclusion requests of GlobalSign.
Please let us know if there are any concerns.
Thanks,
Ben

On Fri, Feb 12, 2021 at 7:31 AM Arvid Vermote via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Hi Nick
>
> We attached an updated version of the affected certificate overview to the
> bug on February 10, which does contain the date of order and date of
> issuance.
>
> Thanks
>
> Arvid
>
> > -----Original Message-----
> > From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Nick Lamb via dev-security-policy
> > Sent: Thursday, 11 February 2021 19:12
> > To: dev-security-policy@lists.mozilla.org
> > Cc: Ben Wilson <bwil...@mozilla.com>
> > Subject: Re: Public Discussion of GlobalSign's CA Inclusion Request for R46, E46, R45 and E45 Roots
> >
> > On Tue, 9 Feb 2021 14:29:15 -0700
> > Ben Wilson via dev-security-policy
> > <dev-security-policy@lists.mozilla.org> wrote:
> >
> > > All,
> > > GlobalSign has provided a very detailed incident report in Bugzilla -
> > > see https://bugzilla.mozilla.org/show_bug.cgi?id=1690807#c2.
> > > There are a few remaining questions that still need to be answered, so
> > > this email is just to keep you aware.
> > > Hopefully later this week I'll be able to come back and see if people
> > > are satisfied and whether we can proceed with the root inclusion
> > > request.
> >
> > I have a question (if I should write it in Bugzilla instead please say so;
> > it is unclear to me what the correct protocol is).
> >
> > GlobalSign have provided a list of 112 other certificates which were
> > issued for the same reason. I examined some of them manually and
> > determined that they are in appearance unextraordinary (2048-bit RSA keys
> > for example) and so it's unsurprising we didn't notice they were issued
> > previously.
> >
> > However, the list does not tell me when these certificates were ordered
> > or, if substantially different, when the email used to "validate" these
> > orders was sent.
> >
> > As a result it's hard to be sure whether these certificates were issued
> > perhaps only a few weeks after they were ordered, which is a relatively
> > minor oversight, or, like the incident certificate, many years afterwards.
> > I'd like maybe a column of "order date" and "email sent date" if the two
> > can be different.
> >
> > -
> >
> > I also have noticed something that definitely isn't (just) for GlobalSign.
> > It seems to me that the current Ten Blessed Methods do not tell issuers to
> > prevent robots from "clicking" email links. We don't need a CAPTCHA, just
> > a "Yes I want this certificate" POST form ought to be enough to defuse
> > typical "anti-virus", "anti-malware" or automated crawling/cache building
> > robots. Maybe I just missed where the BRs tell you to prevent that, and
> > hopefully even without prompting all issuers using the email-based Blessed
> > Methods have prevented this.
> >
> > Nick.
> > _______________________________________________
> > dev-security-policy mailing list
> > dev-security-policy@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-security-policy
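As an added example (my own illustration, not code from GlobalSign, Mozilla or this thread), the following Python models the two controls Nick's message is getting at: a confirmation endpoint where merely fetching the emailed link (what a mail-security scanner or crawler does with GET/HEAD) changes nothing and only an explicit POST of the "Yes I want this certificate" form validates, and an issuance-time check that refuses to rely on a validation that is years old. The class and function names, the 30-day link lifetime and the 398-day maximum validation age are assumptions chosen for the demo, not values taken from the Baseline Requirements.

```python
"""Model of a robot-resistant email validation flow (added example; all
names, lifetimes and sample data are constructed for illustration)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple
import secrets

TOKEN_LIFETIME = timedelta(days=30)       # assumed: how long the emailed link is usable
MAX_VALIDATION_AGE = timedelta(days=398)  # assumed: oldest validation accepted at issuance

CONFIRM_FORM = ('<form method="POST"><input type="hidden" name="confirm" value="yes">'
                '<button>Yes I want this certificate</button></form>')


@dataclass
class Validation:
    domain: str
    email_sent_at: datetime
    validated_at: Optional[datetime] = None


@dataclass
class ValidationStore:
    validations: Dict[str, Validation] = field(default_factory=dict)

    def send_validation_email(self, domain: str, now: datetime) -> str:
        """Create the single-use token that would be embedded in the emailed link."""
        token = secrets.token_urlsafe(32)
        self.validations[token] = Validation(domain, now)
        return token

    def handle(self, method: str, token: str, now: datetime,
               form: Optional[dict] = None) -> Tuple[int, str]:
        """Dispatch one HTTP request to the confirmation URL; returns (status, body)."""
        v = self.validations.get(token)
        if v is None:
            return 404, "unknown token"
        if method in ("GET", "HEAD"):
            # Render the form only. No state changes, so a robot that fetches
            # every link in the email confirms nothing.
            return 200, CONFIRM_FORM
        if method != "POST":
            return 405, "method not allowed"
        if now - v.email_sent_at > TOKEN_LIFETIME:
            return 410, "validation link expired"
        if v.validated_at is not None:
            return 409, "already confirmed"
        if (form or {}).get("confirm") != "yes":
            return 400, "explicit confirmation required"
        v.validated_at = now  # the "email sent date" and this date are both kept
        return 200, f"domain {v.domain} validated"

    def issuance_allowed(self, token: str, issue_at: datetime) -> Tuple[bool, str]:
        """Refuse to issue from a validation older than MAX_VALIDATION_AGE."""
        v = self.validations.get(token)
        if v is None or v.validated_at is None:
            return False, "not validated"
        age = issue_at - v.validated_at
        if age > MAX_VALIDATION_AGE:
            return False, f"validation is {age.days} days old"
        return True, "ok"


def link_scanner(store: ValidationStore, token: str, now: datetime) -> list:
    """Constructed stand-in for an anti-malware robot: fetches the link, never submits."""
    return [store.handle(m, token, now)[0] for m in ("HEAD", "GET", "GET")]


def demo() -> dict:
    """Run the flow against constructed timestamps and collect the outcomes."""
    t0 = datetime(2021, 2, 1, tzinfo=timezone.utc)
    store = ValidationStore()
    token = store.send_validation_email("example.com", t0)
    r = {}
    r["scanner_statuses"] = link_scanner(store, token, t0 + timedelta(minutes=1))
    r["validated_by_scanner"] = store.validations[token].validated_at is not None
    r["post_without_confirm"] = store.handle("POST", token, t0 + timedelta(hours=1), {})[0]
    r["post_confirm"] = store.handle("POST", token, t0 + timedelta(hours=1), {"confirm": "yes"})[0]
    r["post_again"] = store.handle("POST", token, t0 + timedelta(hours=2), {"confirm": "yes"})[0]
    r["issue_weeks_later"] = store.issuance_allowed(token, t0 + timedelta(weeks=3))[0]
    r["issue_years_later"] = store.issuance_allowed(token, t0 + timedelta(days=5 * 365))[0]
    stale = store.send_validation_email("stale.example", t0)  # link followed far too late
    r["post_expired"] = store.handle("POST", stale, t0 + timedelta(days=60), {"confirm": "yes"})[0]
    r["unknown_token"] = store.handle("GET", "no-such-token", t0)[0]
    return r


if __name__ == "__main__":
    for k, val in demo().items():
        print(f"{k}: {val}")
```

The design choice that matters is that the state transition lives only on the POST branch, so the robot's fetches are harmless without any CAPTCHA; recording both `email_sent_at` and `validated_at` is what makes the "order date" versus "email sent date" question answerable after the fact, and `issuance_allowed` is where a years-old validation is caught before a certificate is produced rather than in a later incident report.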
