Re: More SHA-1 certs
On Sunday, 31 January 2016 at 18:47:53 UTC+1, Peter Bowen wrote:
> Sub-CA under SHECA (which has applied to be in the Mozilla program)
> https://crt.sh/?id=12367776=cablint

Wow. Each certificate has its own CRL. And this CRL is not properly partitioned (missing IDP extension).

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: CA Community in Salesforce
I have updated a couple of wiki pages in regards to the CA Community in Salesforce...

+ Added an 'After Inclusion' section to the page about how to apply for inclusion: https://wiki.mozilla.org/CA:How_to_apply#After_Inclusion
+ Added steps 15 and 16 to the Process Overview: https://wiki.mozilla.org/CA#Process_Overview

I would appreciate thoughtful and constructive feedback on these changes.

Thanks,
Kathleen
Re: CA Community in Salesforce
I believe I have issued a CA Community Salesforce license to the Primary Point of Contact (POC) of each currently-included CA.
https://wiki.mozilla.org/CA:SalesforceCommunity

Please send me email if any of you are a Primary POC for a currently-included CA and you have not received your CA Community Salesforce license.

Also, please be sure to log in to the CA Community in Salesforce and let me know if you have any problems or questions about it.

Thanks,
Kathleen
Re: SHA1 certs issued this year chaining to included roots
Hello-

Regarding:
> - https://crt.sh/?id=12501254=cablint -- RSA Security 2048 V3 via
> RSA Corporate CA v2 via RSA Corporate Server CA v2

All certificates issued with SHA-1 post 1 January 2016 have been revoked and replaced with SHA-2 compliant certificates as of 4 Feb 2016. The configuration of the CA was amended to only issue SHA-2 certificates going forward.

The issuing CA was a deprecated CA that was effectively retired in Q1 of 2015. As a result, it was not included in our SHA-2 conversion efforts. Due to a fielded application that had embedded explicit trust only to this CA, when the certificates came up for renewal, they were issued in error. As soon as the error was brought to our attention, the certificates were revoked and replaced with SHA-2 certificates.
Re: ComSign Root Renewal Request
Dear Mozilla community,

Reviewing the BR audit report of Comsign Ltd, I have a few doubts regarding the audits accepted by Mozilla, and maybe someone can help me.

The BR audit was conducted according to the WebTrust for Certification Authorities - SSL Baseline Requirements Audit Criteria version 1.1, and it is a point-in-time audit (as of April 26, 2015). Although this audit criteria is accepted according to the Mozilla CA Certificate Inclusion Policy 2.2, the BR audit version 1.1 was superseded by WebTrust SSL Baseline with Network Security version 2.0 (effective for audit periods starting on or after July 1, 2014).

The WebTrust audit criteria state that "The point-in-time readiness assessment shall be completed no earlier than twelve (12) months prior to issuing Publicly-Trusted Certificates and shall be followed by a complete audit under such scheme within ninety (90) days of issuing the first Publicly-Trusted Certificate. (See SSL Baseline Requirements Section 17.4)".

Should Mozilla expect a complete audit 90 days after the point-in-time BR audit report, or after the first certificate (I don't know when it was issued)?

In addition, regarding the OCSP Responder certificate with Serial Number 0e:2b:cd:a4:aa:4f:8f:80:da:16:94:4e:ba:33:35:33, the validity is 3 years. According to RFC 6960:

"A CA may specify that an OCSP client can trust a responder for the lifetime of the responder's certificate. The CA does so by including the extension id-pkix-ocsp-nocheck. This SHOULD be a non-critical extension. The value of the extension SHALL be NULL. CAs issuing such a certificate should realize that a compromise of the responder's key is as serious as the compromise of a CA key used to sign CRLs, at least for the validity period of this certificate. CAs may choose to issue this type of certificate with a very short lifetime and renew it frequently."

What is the maximum acceptable lifetime for this type of certificate that contains the id-pkix-ocsp-nocheck extension?

PS: Right now I cannot test the OCSP due to a server error "Code=503,Reason=Service Unavailable"

Best
Firefox is printing SHA1 warning several times - but which servers use SHA-1?
When including ads on a website, Firefox prints a SHA-1 warning several times:

(30) "This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1."

Is there a way to print which servers are using SHA-1 certificates without rechecking each of them manually? Is there a verbose mode for that message which prints the server name?

thanks, denny
Re: Firefox is printing SHA1 warning several times - but which servers use SHA-1?
Hey Denny:

Good idea. Unfortunately, there's not a way to turn it on right now; we would need to add code.

Mark: Could we, say, add the host name to the string? ("The server at $DOMAIN makes use of...") The method producing the warning is on nsHttpChannel, so it seems like the host name should be there.
https://dxr.mozilla.org/mozilla-central/source/netwerk/protocol/http/nsHttpChannel.cpp#1384

-- Forwarded message --
From: Denny Bartelt
Date: Thu, Feb 4, 2016 at 4:13 AM
Subject: Firefox is printing SHA1 warning several times - but which servers use SHA-1?
To: mozilla-dev-security-pol...@lists.mozilla.org

When including ads on a website, Firefox prints a SHA-1 warning several times:

(30) "This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1."

Is there a way to print which servers are using SHA-1 certificates without rechecking each of them manually? Is there a verbose mode for that message which prints the server name?

thanks, denny
Re: Firefox is printing SHA1 warning several times - but which servers use SHA-1?
Where are you viewing these? If you use the web console in the developer tools, the server is displayed alongside the warning.

On Thu, Feb 4, 2016 at 9:13 AM, Denny Bartelt <d.bart...@netzathleten-media.de> wrote:
> When including ads on a website, Firefox prints a SHA-1 warning
> several times:
>
> (30) "This site makes use of a SHA-1 Certificate; it's recommended you use
> certificates with signature algorithms that use hash functions stronger
> than SHA-1."
>
> Is there a way to print which servers are using SHA-1 certificates without
> rechecking each of them manually? Is there a verbose mode for that message
> which prints the server name?
>
> thanks, denny
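Two questions in this archive come down to reading a few fields out of a certificate: which signature algorithm it carries (the SHA-1 warning thread above) and, for the OCSP responder certificate in the ComSign thread, whether it carries id-pkix-ocsp-nocheck and how long its validity period is. The following is an added example, not code from any of the posters, from Mozilla or from crt.sh: a small pure-stdlib Python DER walker that extracts exactly those fields. The function names (`build_sample_cert`, `inspect_certificate`, `is_sha1_signed`) are this example's own, and the certificate bytes it inspects are constructed skeletons (empty names, empty key, dummy signature) that mirror the two cases in the threads, a three-year responder certificate and a SHA-1 signed leaf; they are not the certificates the posts refer to. For a real certificate, pass its DER bytes (the PEM body, base64-decoded) to `inspect_certificate`.

```python
"""Minimal DER walker: signature algorithm OID, validity period and presence of
id-pkix-ocsp-nocheck, read from X.509 DER without third-party libraries.
The sample certificates below are constructed here and are not real."""
from datetime import datetime, timezone

SHA1_RSA = "1.2.840.113549.1.1.5"       # sha1WithRSAEncryption
SHA256_RSA = "1.2.840.113549.1.1.11"    # sha256WithRSAEncryption
SHA1_SIGNATURE_OIDS = {SHA1_RSA, "1.2.840.10045.4.1", "1.2.840.10040.4.3"}
OCSP_NOCHECK = "1.3.6.1.5.5.7.48.1.5"   # id-pkix-ocsp-nocheck (RFC 6960)


def tlv(tag, body):
    """DER tag-length-value with definite-length encoding."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def read_tlv(buf, pos=0):
    """Return (tag, body, position after the element) for the TLV at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                      # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def children(body):
    """Split the body of a constructed element into its (tag, body) parts."""
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        out.append((tag, inner))
    return out


def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:               # base-128, high bit set on all but the last byte
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0   # correct for first arcs 0 and 1
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def parse_time(tag, body):
    """UTCTime (0x17) or GeneralizedTime (0x18), per RFC 5280 4.1.2.5."""
    s = body.decode("ascii")
    if tag == 0x17:                   # YYMMDD...: 50-99 -> 19xx, 00-49 -> 20xx
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def build_sample_cert(sig_oid, not_before, not_after, nocheck):
    """Constructed skeleton Certificate: empty names and SPKI, dummy signature.
    Only the fields inspect_certificate() reads are meaningful."""
    alg = tlv(0x30, tlv(0x06, encode_oid(sig_oid)) + b"\x05\x00")
    utc = lambda d: tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    validity = tlv(0x30, utc(not_before) + utc(not_after))
    empty_seq = tlv(0x30, b"")
    exts = b""
    if nocheck:                       # [3] EXPLICIT SEQUENCE OF Extension
        ext = tlv(0x30, tlv(0x06, encode_oid(OCSP_NOCHECK)) + tlv(0x04, b"\x05\x00"))
        exts = tlv(0xA3, tlv(0x30, ext))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + empty_seq + validity + empty_seq + empty_seq + exts)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))


def inspect_certificate(cert):
    _, body, _ = read_tlv(cert)
    (_, tbs), (_, sig_alg), _ = children(body)   # tbsCertificate, signatureAlgorithm, signature
    fields = children(tbs)
    if fields[0][0] == 0xA0:          # drop the optional [0] version
        fields = fields[1:]
    # fields: serial, signature, issuer, validity, subject, spki, then [1] [2] [3]
    not_before, not_after = [parse_time(t, b) for t, b in children(fields[3][1])]
    nocheck = False
    for tag, ext_body in fields[6:]:
        if tag == 0xA3:
            for _, ext in children(children(ext_body)[0][1]):
                nocheck |= decode_oid(children(ext)[0][1]) == OCSP_NOCHECK
    return {
        "signature_oid": decode_oid(children(sig_alg)[0][1]),
        "ocsp_nocheck": nocheck,
        "lifetime_days": (not_after - not_before).days,
    }


def is_sha1_signed(info):
    return info["signature_oid"] in SHA1_SIGNATURE_OIDS


# Constructed samples: a 3-year responder cert like the one discussed, and a
# SHA-1 signed leaf like the ones behind the Firefox warning.
_NB = datetime(2015, 4, 26, tzinfo=timezone.utc)
_NA = datetime(2018, 4, 26, tzinfo=timezone.utc)
SAMPLE_RESPONDER = build_sample_cert(SHA256_RSA, _NB, _NA, nocheck=True)
SAMPLE_SHA1_LEAF = build_sample_cert(SHA1_RSA, _NB, _NA, nocheck=False)

if __name__ == "__main__":
    for name, cert in (("responder", SAMPLE_RESPONDER), ("leaf", SAMPLE_SHA1_LEAF)):
        info = inspect_certificate(cert)
        print(name, info, "SHA-1 signed:", is_sha1_signed(info))
```

The signature algorithm is read from the outer Certificate SEQUENCE, not from the TBS copy, because that outer field is the one that states what was actually signed; a 1096-day lifetime on a nocheck responder certificate is the number to weigh against the RFC 6960 advice quoted above, since clients honouring nocheck will not consult revocation for that responder key for the whole period.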