Disclosing unconstrained emailProtection intermediates to CCADB
CAs,

Version 2.5 of the Mozilla Root Store Policy classifies EKU=emailProtection intermediates as unconstrained when suitable name constraints aren't present. As a result, such intermediates need to be disclosed to the CCADB (although not until 15th January 2018 for those intermediates issued before 22nd June 2017).

I've updated https://crt.sh/mozilla-disclosures to implement the new disclosure rules.

P.S. Note that the CCADB's definition of technically constrained hasn't yet been similarly updated, so you may still see this warning:

"This certificate is considered to be technically-constrained as per Mozilla policy, so it does not need to be added to the CA Community in Salesforce. All data that you enter into Salesforce will be publicly available, so please make sure you do not enter sensitive information that should not be published."

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
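The classification rule described in the message above, as an added worked example that is not part of this thread and is not crt.sh's code. It walks a DER-encoded X.509 Extensions block with a minimal hand-written parser (no third-party modules), decodes the extKeyUsage OIDs, and reports an intermediate as unconstrained (and therefore disclosable) when emailProtection is asserted and no nameConstraints extension is present. The OIDs are the standard RFC 5280 values; the sample extension blocks are constructed inline and are not real certificates. One simplification is an assumption of this example, not of the policy: the mere presence of a nameConstraints extension is taken as "suitable", whereas a real check would also inspect the permitted and excluded subtrees.

```python
# Added example (not crt.sh's code): classify an intermediate's extensions
# under the rule "EKU=emailProtection without suitable name constraints
# => unconstrained => disclose to CCADB".  Simplification (assumption):
# any nameConstraints extension counts as "suitable".

# Standard RFC 5280 OIDs (well-known values, not page-specific).
EKU_OID = "2.5.29.37"                        # id-ce-extKeyUsage
NAME_CONSTRAINTS_OID = "2.5.29.30"           # id-ce-nameConstraints
EMAIL_PROTECTION_OID = "1.3.6.1.5.5.7.3.4"   # id-kp-emailProtection
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"        # id-kp-serverAuth


def der_tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER tag/length/value triple."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_read_tlv(data: bytes, pos: int = 0):
    """Return (tag, content, position just after this TLV)."""
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def der_encode_oid(oid: str) -> bytes:
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def der_decode_oid(content: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents (without tag/length) to dotted form."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_extensions(extensions_der: bytes) -> dict:
    """Map extnID (dotted) -> extnValue bytes for an Extensions SEQUENCE."""
    _, body, _ = der_read_tlv(extensions_der)
    result, pos = {}, 0
    while pos < len(body):
        _, ext, pos = der_read_tlv(body, pos)        # one Extension SEQUENCE
        _, oid_bytes, p = der_read_tlv(ext, 0)
        tag, value, p = der_read_tlv(ext, p)
        if tag == 0x01:                               # optional 'critical' BOOLEAN
            tag, value, p = der_read_tlv(ext, p)
        result[der_decode_oid(oid_bytes)] = value     # OCTET STRING contents
    return result


def extended_key_usages(eku_value: bytes) -> list:
    """Decode ExtKeyUsageSyntax (SEQUENCE OF OID) into dotted strings."""
    _, body, _ = der_read_tlv(eku_value)
    out, pos = [], 0
    while pos < len(body):
        _, oid_bytes, pos = der_read_tlv(body, pos)
        out.append(der_decode_oid(oid_bytes))
    return out


def is_unconstrained_email_intermediate(extensions_der: bytes) -> bool:
    """True when EKU asserts emailProtection and no nameConstraints is present."""
    exts = parse_extensions(extensions_der)
    if EKU_OID not in exts:
        return False   # absent EKU is a broader case; not evaluated by this rule
    if EMAIL_PROTECTION_OID not in extended_key_usages(exts[EKU_OID]):
        return False
    return NAME_CONSTRAINTS_OID not in exts


def build_extension(oid: str, value: bytes) -> bytes:
    return der_tlv(0x30, der_encode_oid(oid) + der_tlv(0x04, value))


# Constructed sample extension blocks (not taken from any real certificate).
EKU_EMAIL_VALUE = der_tlv(0x30, der_encode_oid(EMAIL_PROTECTION_OID))
EKU_SERVER_VALUE = der_tlv(0x30, der_encode_oid(SERVER_AUTH_OID))
# permittedSubtrees [0] { GeneralSubtree { base rfc822Name [1] "example.com" } }
NAME_CONSTRAINTS_VALUE = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x30, der_tlv(0x81, b"example.com"))))

SAMPLE_UNCONSTRAINED = der_tlv(0x30, build_extension(EKU_OID, EKU_EMAIL_VALUE))
SAMPLE_CONSTRAINED = der_tlv(0x30, build_extension(EKU_OID, EKU_EMAIL_VALUE)
                             + build_extension(NAME_CONSTRAINTS_OID, NAME_CONSTRAINTS_VALUE))
SAMPLE_SERVER_ONLY = der_tlv(0x30, build_extension(EKU_OID, EKU_SERVER_VALUE))

if __name__ == "__main__":
    for name, sample in [("unconstrained", SAMPLE_UNCONSTRAINED),
                         ("constrained", SAMPLE_CONSTRAINED),
                         ("server-auth only", SAMPLE_SERVER_ONLY)]:
        print(f"{name}: disclosure required = {is_unconstrained_email_intermediate(sample)}")
```

To apply this to a real intermediate, extract the TBSCertificate's extensions SEQUENCE (the `[3]` EXPLICIT element) with any X.509 library and pass it to `is_unconstrained_email_intermediate`; the third sample shows that the function deliberately says nothing about serverAuth-only intermediates, which this message does not cover.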
Re: WoSign new system passed Cure 53 system security audit
On Fri, Jul 07, 2017 at 06:12:58AM +, Danny 吴熠 via dev-security-policy wrote:

> As per requirements, WoSign new issuing infrastructure has been completed
> and passed the Cure 53 white box security audit successfully on June 27.
> Cure53 is approved by Mozilla. The full audit report has been sent to
> Mozilla and other browsers. The Summary Report for public is available
> here:
>
> https://www.wosign.com/Docdownload/WoSign%20system%20code%20security%20audit%20report%20summary%2020170627.pdf.

This report doesn't contain anything of value. It says "we found things, they were fixed". OK, but what *were* those things? How do they reflect the maturity of the WoSign SDLC processes? Do they indicate anything meaningful about the larger issues that caused WoSign to be distrusted?

Without the full report being made public, I don't think any useful conclusions can be drawn from this audit.

- Matt
Final removal of trust in WoSign and StartCom Certificates
Hello M.D.S.P.,

We've posted the following update regarding Chrome's treatment of WoSign and StartCom certificates to Chromium's Security-dev and net-dev groups. I've included both links below in case you'd like to follow the discussion there.

https://groups.google.com/a/chromium.org/forum/#!topic/net-dev/FKXe-76GO8Y
https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/-I9QQJ_3jpE

Cheers,
Devon O'Brien