Security Blog about 1024-bit certs
All, I posted a security blog about 1024-bit certs...
https://blog.mozilla.org/security/2014/09/08/phasing-out-certificates-with-1024-bit-rsa-keys/

Kathleen

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: 1024 bit root removal in the news
On 08/09/14 09:48, Kurt Roeckx wrote:
> I think those are misleading:
> - They count certificates that already expired

That is the worst error. And, they also say we've removed all the 1024-bit roots, when we haven't yet - there are still at least 3 we haven't managed to remove yet.

Gerv
Re: 1024 bit root removal in the news
----- Original Message -----
> From: "Kurt Roeckx"
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Sent: Monday, 8 September, 2014 10:48:35 AM
> Subject: 1024 bit root removal in the news
>
> In case nobody saw it yet, those things were in the news:
> https://community.rapid7.com/community/infosec/sonar/blog/2014/09/04/107000-web-sites-no-longer-trusted-by-mozilla
> http://threatpost.com/mozilla-1024-bit-cert-deprecation-leaves-107000-sites-untrusted/108114
>
> I think those are misleading:
> - They count certificates that already expired
> - They probably count certificates seen on multiple IPs multiple times

Well, my scan also includes them: you can have sites with multiple SANs serving different content depending on IP or hostname... So deprecation of a single certificate may actually cause problems for multiple /different/ sites.

> - They don't take into account that the site might send an alternative
> root that is not 1024 bit.

or even be able to link to a different root provided the browser has a different intermediate certificate cached...

But I'd say there's an even bigger problem: they used historic data. Many sites were contacted by CAs to change their certificates to use different roots; they will still be counted towards the 107000 total even when their current configuration uses good roots (and was detected as such in their most recent scan)! So yes, the numbers were artificially inflated "a bit".

> Hubert Kario's stats posted here are way more useful.

Thank you :)

--
Regards,
Hubert Kario
RE: GlobalSign Request to Include ECC Roots
Hi Kathleen,

As discussed below, the changes were submitted and approved and we now have new versions of the CP and CPS; however, rather than send them around this list I prefer them to be published following our standard internal operating procedures (which will take a few more days). However, in saying this, I've updated the bug with the salient text changes for 3.2.2 and a new section 3.2.7. We now indicate what we do for ALL SSL certificates including EV.

I hope the discussion can continue in the meantime for approval of our ECC roots. Thanks to all for their feedback which helped improve our public documents.

Steve

> -----Original Message-----
> From: Steve Roylance [mailto:steve.royla...@globalsign.com]
> Sent: 22 August 2014 06:45
> To: Kathleen Wilson
> Cc: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: GlobalSign Request to Include ECC Roots
>
> Hi Kathleen.
>
> I'm on vacation next week.
>
> The changes that make clarifications to our processes, particularly around domain verification and EV, have been submitted for approval. I hope to have a new version ready by the week of Sept 1st.
>
> Steve
>
> Sent from my iPhone
>
>> On 21 Aug 2014, at 23:25, Kathleen Wilson wrote:
>>
>>> On 7/29/14, 3:26 PM, Kathleen Wilson wrote:
>>> GlobalSign has applied to include the “GlobalSign ECC Root CA - R4” and “GlobalSign ECC Root CA - R5” root certificates, and turn on all three trust bits and enable EV treatment for both roots.
>>
>> Thanks to those of you who have already contributed to this discussion.
>>
>> While we wait for GlobalSign to update their CPS...
>>
>> Does anyone else have comments/questions/concerns about this request?
>>
>> Kathleen
1024 bit root removal in the news
In case nobody saw it yet, those things were in the news:
https://community.rapid7.com/community/infosec/sonar/blog/2014/09/04/107000-web-sites-no-longer-trusted-by-mozilla
http://threatpost.com/mozilla-1024-bit-cert-deprecation-leaves-107000-sites-untrusted/108114

I think those are misleading:
- They count certificates that already expired
- They probably count certificates seen on multiple IPs multiple times
- They don't take into account that the site might send an alternative root that is not 1024 bit.

Hubert Kario's stats posted here are way more useful.

Kurt
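The three counting errors Kurt lists, plus Hubert's point that one certificate can cover several sites via its SANs, are easy to get wrong when summarising a scan. The following is an added example, not code from the thread or from either scan project; it uses a hypothetical per-handshake record schema (`Observation`) and constructed sample data, and shows a naive count beside one that drops expired certificates, deduplicates by leaf fingerprint, treats a certificate as affected only when every chain it can present ends in a sub-2048-bit root, and reports affected hostnames separately from affected certificates.

```python
"""Count what actually breaks when a 1024-bit RSA root is removed.

Added example with a hypothetical scan-record schema and constructed data;
key sizes are RSA modulus bits per chain element, leaf first and root last.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Reference time for the expiry check: the date of this thread (assumption).
NOW = datetime(2014, 9, 8, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Observation:
    """One TLS handshake as a scanner might record it (hypothetical schema)."""
    ip: str
    hostnames: tuple        # names the leaf covers (CN plus SANs)
    fingerprint: str        # identifier of the leaf certificate (constructed, not a real hash)
    not_after: datetime     # leaf expiry
    chains: tuple           # every chain the server sent or the client could build


def root_is_weak(chain, min_bits=2048):
    """True when the chain terminates in a root below the minimum key size."""
    return chain[-1] < min_bits


def naive_count(observations):
    """Count every handshake whose first served chain ends in a weak root.

    This reproduces the over-counting criticised in the thread: expired
    leaves, duplicate IPs and alternative chains are all ignored.
    """
    return sum(1 for o in observations if root_is_weak(o.chains[0]))


def corrected_count(observations, now=NOW):
    """Return (affected certificates, affected hostnames).

    - expired leaves are skipped: removing the root changes nothing for them
    - handshakes are grouped by leaf fingerprint so one cert on many IPs counts once
    - a cert is affected only if *all* chains seen for it end in a weak root
    - hostnames are collected separately, since one cert may serve many sites
    """
    by_fp = {}
    for o in observations:
        if o.not_after <= now:
            continue
        by_fp.setdefault(o.fingerprint, []).append(o)

    weak_certs, weak_hosts = set(), set()
    for fp, obs in by_fp.items():
        if all(root_is_weak(c) for o in obs for c in o.chains):
            weak_certs.add(fp)
            for o in obs:
                weak_hosts.update(o.hostnames)
    return len(weak_certs), weak_hosts


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample: addresses from the documentation range, invented names.
SAMPLE = (
    # expired leaf chained to a 1024-bit root: naive counts it, corrected does not
    Observation("192.0.2.1", ("a.example",), "fp-A", _utc(2013, 12, 31), ((2048, 2048, 1024),)),
    # same certificate served from two IPs: naive counts it twice
    Observation("192.0.2.2", ("b.example",), "fp-B", _utc(2015, 6, 1), ((2048, 2048, 1024),)),
    Observation("192.0.2.3", ("b.example",), "fp-B", _utc(2015, 6, 1), ((2048, 2048, 1024),)),
    # server also offers a chain to a 2048-bit root: not actually affected
    Observation("192.0.2.4", ("c.example",), "fp-C", _utc(2015, 6, 1),
                ((2048, 2048, 1024), (2048, 2048, 2048))),
    # one certificate covering two hostnames: one cert, two sites affected
    Observation("192.0.2.5", ("d.example", "e.example"), "fp-D", _utc(2015, 6, 1),
                ((2048, 2048, 1024),)),
)


if __name__ == "__main__":
    certs, hosts = corrected_count(SAMPLE)
    print("naive handshake count:", naive_count(SAMPLE))
    print("certificates really affected:", certs)
    print("hostnames really affected:", sorted(hosts))
```

On the constructed sample the naive method reports five affected handshakes, while the corrected method reports two certificates and three hostnames; a real scan would additionally need the most recent observation per host rather than historic data, which is the further inflation Hubert describes.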