Re: WoSign new system passed Cure 53 system security audit

2017-07-11 Thread Richard Wang via dev-security-policy
Hi all,

Your reported BR issues are from StartCom, not WoSign; we don't use the new 
system to issue any certificate now since the new root is not generated.
PLEASE DO NOT mix it, thanks.

Best Regards,

Richard

> On 11 Jul 2017, at 23:34, Ryan Sleevi via dev-security-policy 
>  wrote:
> 
> On Tue, Jul 11, 2017 at 11:16 AM, Jonathan Rudenberg via
> dev-security-policy  wrote:
> 
>> 
>>> On Jul 11, 2017, at 06:53, okaphone.elektronika--- via
>>> dev-security-policy  wrote:
>>> 
>>> On Monday, 10 July 2017 08:55:38 UTC+2, Richard Wang  wrote:
>>>> 
>>>> Please note this email topic is just for releasing the news that WoSign
>>>> new system passed the security audit, just for demonstration that we
>>>> finished item 5:
>>>> " 5. Provide auditor[3] attestation that a full security audit of the
>>>> CA’s issuing infrastructure has been successfully completed. "
>>>> " [3] The auditor must be an external company, and approved by Mozilla. "
>>> 
>>> It also seems a bit strange to report item 5 "successfully completed"
>>> before we hear anything about the other items. How about starting with item
>>> 1? What are your plans for fixing the problems?
>> 
>> It’s worth noting that the problems have not stopped yet. There are a
>> bunch of certificates issued over the past few months that do not comply
>> with the Baseline Requirements issued from the new "StartCom BR SSL ICA",
>> for example:
>> 
>> https://crt.sh/?opt=cablint&q=8BDFE4A526BFB35C8A417B10F4D0ABE9E1D60D28A412539D5BC71C19B46FEF21
>> https://crt.sh/?opt=cablint&q=124AAD38DAAC6B694D65F45226AB5152FC46D229CBC203E0814D175F39977FF3
>> https://crt.sh/?opt=cablint&q=9B78C78B32F4AC717B3DEFDABDACC4FEFA61BFD17782B83F75ADD82241147721
>> https://crt.sh/?opt=cablint&q=AAB0B5A08F106639A5C9D720CD37FDB30E7F337AEBAF9407FD854B5726303F7B
>> https://crt.sh/?opt=cablint&q=9DCE6A924CE837328D379CE9B7CDF4A2BA8A0E8EC01018B9DE736EBC64442361
>> https://crt.sh/?opt=cablint&q=62A9A9FDCDC04A043CF2CB1A5EAFE33CF9ED8796245DE4BD5250267ADEFF005A
>> https://crt.sh/?opt=cablint&q=6A72FA5DCC253D2EE07921898B9A9BB263FD1D20FE61B1F52F939C0C1C0DCFEE
>> https://crt.sh/?opt=cablint&q=238E2E96665748D2A05BAAEEC8BAE6AFE7B7EF4B1ADA4908354C855C385ECD81
>> https://crt.sh/?opt=cablint&q=C11C00EB0E14EEB30567D749FFD30445E0B490D1DCA7B7E082FD1CB0A40A71C0
>> https://crt.sh/?opt=cablint&q=4DEF4CFD21A969E8349E4428FDEC73767C01DE6127843312511B71029F4E3836
> 
> 
> It's worth noting that, on the basis of the security audit report full
> details shared by WoSign, the system that was security audited does not
> comply with the Baseline Requirements, nor, as designed, can it. The system
> would need to undergo non-trivial effort to comply with the Baseline
> Requirements.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: How long to resolve unaudited unconstrained intermediates?

2017-07-11 Thread Alex Gaynor via dev-security-policy
Hey Ben,

Take a look at the thread "Disclosing unconstrained emailProtection
intermediates to CCADB" by Rob, it explains the change and has the relevant
dates by which CAs must comply.

Alex

On Tue, Jul 11, 2017 at 3:21 PM, Ben Wilson via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> By the way, I just noticed on
> https://crt.sh/mozilla-disclosures#undisclosed
> that CA certificates with an EKU of eMailProtection (1.3.6.1.5.5.7.3.4) are
> now listed when they weren't required to be listed previously.  Presumably
> CAs will be given ample time to update these entries.
>
> -Original Message-
> From: dev-security-policy
> [mailto:dev-security-policy-bounces+ben=digicert@lists.mozilla.org] On
> Behalf Of Nick Lamb via dev-security-policy
> Sent: Tuesday, July 11, 2017 7:57 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: How long to resolve unaudited unconstrained intermediates?
>
> On Tuesday, 11 July 2017 10:56:43 UTC+1, Kurt Roeckx  wrote:
> > So at least some of them have been notified more than 3 months ago,
> > and a bug was filed a month later. I think you already gave them too
> > much time to at least respond to it, and suggest that you send a new
> > email indicating that if they don't respond immediately that they will
> > get added to OneCRL.
>
> Agreed. It may also make sense to add telemetry that allows Mozilla to
> determine whether listing such subCAs in the OneCRL is ever actually
> blocking anything. This makes a difference in my opinion as to the
> severity of the breach of policy by the CA in question.


RE: How long to resolve unaudited unconstrained intermediates?

2017-07-11 Thread Ben Wilson via dev-security-policy
By the way, I just noticed on https://crt.sh/mozilla-disclosures#undisclosed
that CA certificates with an EKU of eMailProtection (1.3.6.1.5.5.7.3.4) are
now listed when they weren't required to be listed previously.  Presumably
CAs will be given ample time to update these entries.  

-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+ben=digicert@lists.mozilla.org] On
Behalf Of Nick Lamb via dev-security-policy
Sent: Tuesday, July 11, 2017 7:57 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: How long to resolve unaudited unconstrained intermediates?

On Tuesday, 11 July 2017 10:56:43 UTC+1, Kurt Roeckx  wrote:
> So at least some of them have been notified more than 3 months ago, 
> and a bug was filed a month later. I think you already gave them too 
> much time to at least respond to it, and suggest that you send a new 
> email indicating that if they don't respond immediately that they will 
> get added to OneCRL.

Agreed. It may also make sense to add telemetry that allows Mozilla to
determine whether listing such subCAs in the OneCRL is ever actually
blocking anything. This makes a difference in my opinion as to the severity
of the breach of policy by the CA in question.
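The listing Ben describes turns on two certificate properties: an EKU that includes eMailProtection (1.3.6.1.5.5.7.3.4) and the absence of a Name Constraints extension that would make the CA technically constrained. As an added example (my own Go code, not crt.sh's tooling and not Mozilla's policy text), the program below generates a constructed root plus three constructed intermediates and classifies each one. The disclosure rule it applies is a simplified assumption: in scope when cA=true and the EKU is absent or includes serverAuth, emailProtection or anyExtendedKeyUsage; out of scope when a Name Constraints extension is present or the EKU excludes those purposes. The subject names and the domain example.com are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// Finding records why a CA certificate would, or would not, need disclosure.
type Finding struct {
	Subject         string
	HasEmailEKU     bool // id-kp-emailProtection, 1.3.6.1.5.5.7.3.4
	HasServerEKU    bool // id-kp-serverAuth, 1.3.6.1.5.5.7.3.1
	NoEKU           bool // no EKU extension at all, so usable for any purpose
	NameConstrained bool // carries a Name Constraints extension (2.5.29.30)
	NeedsDisclosure bool
}

var oidNameConstraints = asn1.ObjectIdentifier{2, 5, 29, 30}

// Classify applies a simplified reading of the disclosure rule (an assumption
// of this example, not the policy text): in scope when the EKU is absent or
// includes serverAuth, emailProtection or anyExtendedKeyUsage, out of scope
// when a Name Constraints extension technically constrains the CA.
func Classify(c *x509.Certificate) Finding {
	f := Finding{Subject: c.Subject.CommonName}
	if !c.IsCA {
		return f // end-entity certificates are never intermediates
	}
	for _, eku := range c.ExtKeyUsage {
		switch eku {
		case x509.ExtKeyUsageEmailProtection:
			f.HasEmailEKU = true
		case x509.ExtKeyUsageServerAuth:
			f.HasServerEKU = true
		case x509.ExtKeyUsageAny:
			f.HasEmailEKU, f.HasServerEKU = true, true
		}
	}
	f.NoEKU = len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0
	for _, ext := range c.Extensions {
		f.NameConstrained = f.NameConstrained || ext.Id.Equal(oidNameConstraints)
	}
	f.NeedsDisclosure = !f.NameConstrained && (f.NoEKU || f.HasEmailEKU || f.HasServerEKU)
	return f
}

// issue gives template a fresh P-256 key, signs it with signer (self-signed
// when signer is nil) and re-parses the DER so that Extensions is populated.
func issue(template, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c, key
}

// BuildSamples generates a throwaway root and three constructed intermediates
// so the classifier can run offline; none of them is a real CA certificate.
func BuildSamples() []*x509.Certificate {
	now := time.Now()
	ca := func(serial int64, cn string, ekus ...x509.ExtKeyUsage) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now, NotAfter: now.Add(24 * time.Hour), ExtKeyUsage: ekus,
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
	}
	rootT := ca(1, "Constructed Sample Root")
	root, rootKey := issue(rootT, rootT, nil)
	email := ca(2, "Sample Email CA (unconstrained)", x509.ExtKeyUsageEmailProtection) // the kind crt.sh now lists
	limited := ca(3, "Sample Email CA (constrained)", x509.ExtKeyUsageEmailProtection) // same EKU, one mail domain
	limited.PermittedEmailAddresses = []string{"example.com"}
	limited.PermittedDNSDomainsCritical = true
	codeSign := ca(4, "Sample Code Signing CA", x509.ExtKeyUsageCodeSigning) // neither TLS nor S/MIME
	var out []*x509.Certificate
	for _, t := range []*x509.Certificate{email, limited, codeSign} {
		c, _ := issue(t, root, rootKey)
		out = append(out, c)
	}
	return out
}
```

To run this over real intermediates, pass the DER of each certificate downloaded from crt.sh to x509.ParseCertificate and hand the result to Classify. The check only models the technical-constraint side of the rule; whether an audit statement or CP/CPS has been disclosed for the CA is a separate question that no certificate field answers.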


Re: WoSign new system passed Cure 53 system security audit

2017-07-11 Thread Ryan Sleevi via dev-security-policy
On Tue, Jul 11, 2017 at 12:09 PM, Percy via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On Tuesday, July 11, 2017 at 8:36:33 AM UTC-7, Ryan Sleevi wrote:
>
> > comply with the Baseline Requirements, nor, as designed, can it. The
> > system would need to undergo non-trivial effort to comply with the
> > Baseline Requirements.
>
> If the system needs significant changes to meet the BR, then does it mean
> the current security audit will no longer apply to the BR-compliant
> system, assuming WoSign is ever able to produce one?


That will be a question for Mozilla to assess with respect to its WoSign
remediation actions.


Re: WoSign new system passed Cure 53 system security audit

2017-07-11 Thread Percy via dev-security-policy
On Tuesday, July 11, 2017 at 8:36:33 AM UTC-7, Ryan Sleevi wrote:

> comply with the Baseline Requirements, nor, as designed, can it. The system
> would need to undergo non-trivial effort to comply with the Baseline
> Requirements.

If the system needs significant changes to meet the BR, then does it mean the 
current security audit will no longer apply to the BR-compliant system, 
assuming WoSign is ever able to produce one?



Re: WoSign new system passed Cure 53 system security audit

2017-07-11 Thread Ryan Sleevi via dev-security-policy
On Tue, Jul 11, 2017 at 11:40 AM, Alex Gaynor  wrote:

> Is this a correct summary:
>
> - The report included here is supposed to fulfill the network security
> test portion of the BRs
>

No. This is #5 from https://bugzilla.mozilla.org/show_bug.cgi?id=1311824,
and relates to the overall security design of the system which in part
stemmed from issues such as the ability to cause arbitrary (backdated)
issuance via manipulation of API parameters. That is, it's orthogonal to
the BRs, and intended to take a more systemic approach to the system design.


> - This report does not attest to BR compliance (or non-compliance)
>

Correct


> - To complete an application for the Mozilla Root Program, WoSign would be
> required to additionally provide a WebTrust audit (or equivalent, as
> described in the Mozilla PKI Policy section 3.1)
>

Correct, as required by #3 and #4.


> - Based on your reading of the complete network security test, you would
> not expect WoSign to be able to pass a BR Audit without qualifications
>

Correct.


>
> Alex
>
> On Tue, Jul 11, 2017 at 11:35 AM, Ryan Sleevi via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> On Tue, Jul 11, 2017 at 11:16 AM, Jonathan Rudenberg via
>> dev-security-policy  wrote:
>>
>> >
>> > > On Jul 11, 2017, at 06:53, okaphone.elektronika--- via
>> > > dev-security-policy  wrote:
>> > >
>> > > On Monday, 10 July 2017 08:55:38 UTC+2, Richard Wang  wrote:
>> > >>
>> > >> Please note this email topic is just for releasing the news that
>> > >> WoSign new system passed the security audit, just for demonstration
>> > >> that we finished item 5:
>> > >> " 5. Provide auditor[3] attestation that a full security audit of the
>> > >> CA’s issuing infrastructure has been successfully completed. "
>> > >> " [3] The auditor must be an external company, and approved by
>> > >> Mozilla. "
>> > >
>> > > It also seems a bit strange to report item 5 "successfully completed"
>> > > before we hear anything about the other items. How about starting with
>> > > item 1? What are your plans for fixing the problems?
>> >
>> > It’s worth noting that the problems have not stopped yet. There are a
>> > bunch of certificates issued over the past few months that do not comply
>> > with the Baseline Requirements issued from the new "StartCom BR SSL ICA",
>> > for example:
>> >
>> > https://crt.sh/?opt=cablint&q=8BDFE4A526BFB35C8A417B10F4D0ABE9E1D60D28A412539D5BC71C19B46FEF21
>> > https://crt.sh/?opt=cablint&q=124AAD38DAAC6B694D65F45226AB5152FC46D229CBC203E0814D175F39977FF3
>> > https://crt.sh/?opt=cablint&q=9B78C78B32F4AC717B3DEFDABDACC4FEFA61BFD17782B83F75ADD82241147721
>> > https://crt.sh/?opt=cablint&q=AAB0B5A08F106639A5C9D720CD37FDB30E7F337AEBAF9407FD854B5726303F7B
>> > https://crt.sh/?opt=cablint&q=9DCE6A924CE837328D379CE9B7CDF4A2BA8A0E8EC01018B9DE736EBC64442361
>> > https://crt.sh/?opt=cablint&q=62A9A9FDCDC04A043CF2CB1A5EAFE33CF9ED8796245DE4BD5250267ADEFF005A
>> > https://crt.sh/?opt=cablint&q=6A72FA5DCC253D2EE07921898B9A9BB263FD1D20FE61B1F52F939C0C1C0DCFEE
>> > https://crt.sh/?opt=cablint&q=238E2E96665748D2A05BAAEEC8BAE6AFE7B7EF4B1ADA4908354C855C385ECD81
>> > https://crt.sh/?opt=cablint&q=C11C00EB0E14EEB30567D749FFD30445E0B490D1DCA7B7E082FD1CB0A40A71C0
>> > https://crt.sh/?opt=cablint&q=4DEF4CFD21A969E8349E4428FDEC73767C01DE6127843312511B71029F4E3836
>>
>>
>> It's worth noting that, on the basis of the security audit report full
>> details shared by WoSign, the system that was security audited does not
>> comply with the Baseline Requirements, nor, as designed, can it. The
>> system would need to undergo non-trivial effort to comply with the
>> Baseline Requirements.


Re: WoSign new system passed Cure 53 system security audit

2017-07-11 Thread Alex Gaynor via dev-security-policy
Is this a correct summary:

- The report included here is supposed to fulfill the network security test
portion of the BRs
- This report does not attest to BR compliance (or non-compliance)
- To complete an application for the Mozilla Root Program, WoSign would be
required to additionally provide a WebTrust audit (or equivalent, as
described in the Mozilla PKI Policy section 3.1)
- Based on your reading of the complete network security test, you would
not expect WoSign to be able to pass a BR Audit without qualifications

Alex

On Tue, Jul 11, 2017 at 11:35 AM, Ryan Sleevi via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On Tue, Jul 11, 2017 at 11:16 AM, Jonathan Rudenberg via
> dev-security-policy  wrote:
>
> >
> > > On Jul 11, 2017, at 06:53, okaphone.elektronika--- via
> > > dev-security-policy  wrote:
> > >
> > > On Monday, 10 July 2017 08:55:38 UTC+2, Richard Wang  wrote:
> > >>
> > >> Please note this email topic is just for releasing the news that
> > >> WoSign new system passed the security audit, just for demonstration
> > >> that we finished item 5:
> > >> " 5. Provide auditor[3] attestation that a full security audit of the
> > >> CA’s issuing infrastructure has been successfully completed. "
> > >> " [3] The auditor must be an external company, and approved by
> > >> Mozilla. "
> > >
> > > It also seems a bit strange to report item 5 "successfully completed"
> > > before we hear anything about the other items. How about starting with
> > > item 1? What are your plans for fixing the problems?
> >
> > It’s worth noting that the problems have not stopped yet. There are a
> > bunch of certificates issued over the past few months that do not comply
> > with the Baseline Requirements issued from the new "StartCom BR SSL ICA",
> > for example:
> >
> > https://crt.sh/?opt=cablint&q=8BDFE4A526BFB35C8A417B10F4D0ABE9E1D60D28A412539D5BC71C19B46FEF21
> > https://crt.sh/?opt=cablint&q=124AAD38DAAC6B694D65F45226AB5152FC46D229CBC203E0814D175F39977FF3
> > https://crt.sh/?opt=cablint&q=9B78C78B32F4AC717B3DEFDABDACC4FEFA61BFD17782B83F75ADD82241147721
> > https://crt.sh/?opt=cablint&q=AAB0B5A08F106639A5C9D720CD37FDB30E7F337AEBAF9407FD854B5726303F7B
> > https://crt.sh/?opt=cablint&q=9DCE6A924CE837328D379CE9B7CDF4A2BA8A0E8EC01018B9DE736EBC64442361
> > https://crt.sh/?opt=cablint&q=62A9A9FDCDC04A043CF2CB1A5EAFE33CF9ED8796245DE4BD5250267ADEFF005A
> > https://crt.sh/?opt=cablint&q=6A72FA5DCC253D2EE07921898B9A9BB263FD1D20FE61B1F52F939C0C1C0DCFEE
> > https://crt.sh/?opt=cablint&q=238E2E96665748D2A05BAAEEC8BAE6AFE7B7EF4B1ADA4908354C855C385ECD81
> > https://crt.sh/?opt=cablint&q=C11C00EB0E14EEB30567D749FFD30445E0B490D1DCA7B7E082FD1CB0A40A71C0
> > https://crt.sh/?opt=cablint&q=4DEF4CFD21A969E8349E4428FDEC73767C01DE6127843312511B71029F4E3836
>
>
> It's worth noting that, on the basis of the security audit report full
> details shared by WoSign, the system that was security audited does not
> comply with the Baseline Requirements, nor, as designed, can it. The system
> would need to undergo non-trivial effort to comply with the Baseline
> Requirements.


Re: WoSign new system passed Cure 53 system security audit

2017-07-11 Thread Ryan Sleevi via dev-security-policy
On Tue, Jul 11, 2017 at 11:16 AM, Jonathan Rudenberg via
dev-security-policy  wrote:

>
> > On Jul 11, 2017, at 06:53, okaphone.elektronika--- via
> > dev-security-policy  wrote:
> >
> > On Monday, 10 July 2017 08:55:38 UTC+2, Richard Wang  wrote:
> >>
> >> Please note this email topic is just for releasing the news that WoSign
> >> new system passed the security audit, just for demonstration that we
> >> finished item 5:
> >> " 5. Provide auditor[3] attestation that a full security audit of the
> >> CA’s issuing infrastructure has been successfully completed. "
> >> " [3] The auditor must be an external company, and approved by Mozilla.
> >> "
> >
> > It also seems a bit strange to report item 5 "successfully completed"
> > before we hear anything about the other items. How about starting with item
> > 1? What are your plans for fixing the problems?
>
> It’s worth noting that the problems have not stopped yet. There are a
> bunch of certificates issued over the past few months that do not comply
> with the Baseline Requirements issued from the new "StartCom BR SSL ICA",
> for example:
>
> https://crt.sh/?opt=cablint&q=8BDFE4A526BFB35C8A417B10F4D0ABE9E1D60D28A412539D5BC71C19B46FEF21
> https://crt.sh/?opt=cablint&q=124AAD38DAAC6B694D65F45226AB5152FC46D229CBC203E0814D175F39977FF3
> https://crt.sh/?opt=cablint&q=9B78C78B32F4AC717B3DEFDABDACC4FEFA61BFD17782B83F75ADD82241147721
> https://crt.sh/?opt=cablint&q=AAB0B5A08F106639A5C9D720CD37FDB30E7F337AEBAF9407FD854B5726303F7B
> https://crt.sh/?opt=cablint&q=9DCE6A924CE837328D379CE9B7CDF4A2BA8A0E8EC01018B9DE736EBC64442361
> https://crt.sh/?opt=cablint&q=62A9A9FDCDC04A043CF2CB1A5EAFE33CF9ED8796245DE4BD5250267ADEFF005A
> https://crt.sh/?opt=cablint&q=6A72FA5DCC253D2EE07921898B9A9BB263FD1D20FE61B1F52F939C0C1C0DCFEE
> https://crt.sh/?opt=cablint&q=238E2E96665748D2A05BAAEEC8BAE6AFE7B7EF4B1ADA4908354C855C385ECD81
> https://crt.sh/?opt=cablint&q=C11C00EB0E14EEB30567D749FFD30445E0B490D1DCA7B7E082FD1CB0A40A71C0
> https://crt.sh/?opt=cablint&q=4DEF4CFD21A969E8349E4428FDEC73767C01DE6127843312511B71029F4E3836


It's worth noting that, on the basis of the security audit report full
details shared by WoSign, the system that was security audited does not
comply with the Baseline Requirements, nor, as designed, can it. The system
would need to undergo non-trivial effort to comply with the Baseline
Requirements.


Re: WoSign new system passed Cure 53 system security audit

2017-07-11 Thread Percy via dev-security-policy
On Tuesday, July 11, 2017 at 8:16:50 AM UTC-7, Jonathan Rudenberg wrote:
> > On Jul 11, 2017, at 06:53, okaphone.elektronika--- via dev-security-policy 
> >  wrote:
> > 
> > On Monday, 10 July 2017 08:55:38 UTC+2, Richard Wang  wrote:
> >> 
> >> Please note this email topic is just for releasing the news that WoSign 
> >> new system passed the security audit, just for demonstration that we 
> >> finished item 5:
> >> " 5. Provide auditor[3] attestation that a full security audit of the CA’s 
> >> issuing infrastructure has been successfully completed. "
> >> " [3] The auditor must be an external company, and approved by Mozilla. "
> > 
> > It also seems a bit strange to report item 5 "successfully completed" 
> > before we hear anything about the other items. How about starting with item 
> > 1? What are your plans voor fixing the problems?
> 
> It’s worth noting that the problems have not stopped yet. There are a bunch 
> of certificates issued over the past few months that do not comply with the 
> Baseline Requirements issued from the new "StartCom BR SSL ICA", for example:
> 
> https://crt.sh/?opt=cablint&q=8BDFE4A526BFB35C8A417B10F4D0ABE9E1D60D28A412539D5BC71C19B46FEF21
> https://crt.sh/?opt=cablint&q=124AAD38DAAC6B694D65F45226AB5152FC46D229CBC203E0814D175F39977FF3
> https://crt.sh/?opt=cablint&q=9B78C78B32F4AC717B3DEFDABDACC4FEFA61BFD17782B83F75ADD82241147721
> https://crt.sh/?opt=cablint&q=AAB0B5A08F106639A5C9D720CD37FDB30E7F337AEBAF9407FD854B5726303F7B
> https://crt.sh/?opt=cablint&q=9DCE6A924CE837328D379CE9B7CDF4A2BA8A0E8EC01018B9DE736EBC64442361
> https://crt.sh/?opt=cablint&q=62A9A9FDCDC04A043CF2CB1A5EAFE33CF9ED8796245DE4BD5250267ADEFF005A
> https://crt.sh/?opt=cablint&q=6A72FA5DCC253D2EE07921898B9A9BB263FD1D20FE61B1F52F939C0C1C0DCFEE
> https://crt.sh/?opt=cablint&q=238E2E96665748D2A05BAAEEC8BAE6AFE7B7EF4B1ADA4908354C855C385ECD81
> https://crt.sh/?opt=cablint&q=C11C00EB0E14EEB30567D749FFD30445E0B490D1DCA7B7E082FD1CB0A40A71C0
> https://crt.sh/?opt=cablint&q=4DEF4CFD21A969E8349E4428FDEC73767C01DE6127843312511B71029F4E3836

I guess such mis-issuances are not covered by this security audit as the entries 
are done internally. But I hope that WoSign releases the full security audit so 
that this community can evaluate objectively, rather than rely on a so-called 
summary.


Re: WoSign new system passed Cure 53 system security audit

2017-07-11 Thread Jonathan Rudenberg via dev-security-policy

> On Jul 11, 2017, at 06:53, okaphone.elektronika--- via dev-security-policy 
>  wrote:
> 
> On Monday, 10 July 2017 08:55:38 UTC+2, Richard Wang  wrote:
>> 
>> Please note this email topic is just for releasing the news that WoSign new 
>> system passed the security audit, just for demonstration that we finished 
>> item 5:
>> " 5. Provide auditor[3] attestation that a full security audit of the CA’s 
>> issuing infrastructure has been successfully completed. "
>> " [3] The auditor must be an external company, and approved by Mozilla. "
> 
> It also seems a bit strange to report item 5 "successfully completed" before 
> we hear anything about the other items. How about starting with item 1? What 
> are your plans voor fixing the problems?

It’s worth noting that the problems have not stopped yet. There are a bunch of 
certificates issued over the past few months that do not comply with the 
Baseline Requirements issued from the new "StartCom BR SSL ICA", for example:

https://crt.sh/?opt=cablint&q=8BDFE4A526BFB35C8A417B10F4D0ABE9E1D60D28A412539D5BC71C19B46FEF21
https://crt.sh/?opt=cablint&q=124AAD38DAAC6B694D65F45226AB5152FC46D229CBC203E0814D175F39977FF3
https://crt.sh/?opt=cablint&q=9B78C78B32F4AC717B3DEFDABDACC4FEFA61BFD17782B83F75ADD82241147721
https://crt.sh/?opt=cablint&q=AAB0B5A08F106639A5C9D720CD37FDB30E7F337AEBAF9407FD854B5726303F7B
https://crt.sh/?opt=cablint&q=9DCE6A924CE837328D379CE9B7CDF4A2BA8A0E8EC01018B9DE736EBC64442361
https://crt.sh/?opt=cablint&q=62A9A9FDCDC04A043CF2CB1A5EAFE33CF9ED8796245DE4BD5250267ADEFF005A
https://crt.sh/?opt=cablint&q=6A72FA5DCC253D2EE07921898B9A9BB263FD1D20FE61B1F52F939C0C1C0DCFEE
https://crt.sh/?opt=cablint&q=238E2E96665748D2A05BAAEEC8BAE6AFE7B7EF4B1ADA4908354C855C385ECD81
https://crt.sh/?opt=cablint&q=C11C00EB0E14EEB30567D749FFD30445E0B490D1DCA7B7E082FD1CB0A40A71C0
https://crt.sh/?opt=cablint&q=4DEF4CFD21A969E8349E4428FDEC73767C01DE6127843312511B71029F4E3836


Re: How long to resolve unaudited unconstrained intermediates?

2017-07-11 Thread Nick Lamb via dev-security-policy
On Tuesday, 11 July 2017 10:56:43 UTC+1, Kurt Roeckx  wrote:
> So at least some of them have been notified more than 3 months ago, and 
> a bug was filed a month later. I think you already gave them too much 
> time to at least respond to it, and suggest that you send a new email 
> indicating that if they don't respond immediately that they will get 
> added to OneCRL.

Agreed. It may also make sense to add telemetry that allows Mozilla to 
determine whether listing such subCAs in the OneCRL is ever actually blocking 
anything. This makes a difference in my opinion as to the severity of the 
breach of policy by the CA in question.


Re: WoSign new system passed Cure 53 system security audit

2017-07-11 Thread okaphone.elektronika--- via dev-security-policy
On Monday, 10 July 2017 08:55:38 UTC+2, Richard Wang  wrote:
> 
> Please note this email topic is just for releasing the news that WoSign new 
> system passed the security audit, just for demonstration that we finished 
> item 5:
> " 5. Provide auditor[3] attestation that a full security audit of the CA’s 
> issuing infrastructure has been successfully completed. "
> " [3] The auditor must be an external company, and approved by Mozilla. "

It also seems a bit strange to report item 5 "successfully completed" before we 
hear anything about the other items. How about starting with item 1? What are 
your plans for fixing the problems?


Re: How long to resolve unaudited unconstrained intermediates?

2017-07-11 Thread Kurt Roeckx via dev-security-policy

On 2017-07-10 18:35, Alex Gaynor wrote:
> Hi all,
> 
> I wanted to call some attention to a few intermediates which have been
> hanging out in the "Audit required" section for quite a while:
> https://crt.sh/mozilla-disclosures#disclosureincomplete
> 
> Specifically, the TurkTrust and Firmaprofesional ones. Both have issues
> open in Bugzilla:
> 
> - https://bugzilla.mozilla.org/show_bug.cgi?id=1367842
> - https://bugzilla.mozilla.org/show_bug.cgi?id=1368171
> 
> However, neither appears to have seen any attention from the CAs in the
> past two months.
> 
> Section 5.3.2 of the Mozilla Root Policy says they have a week to disclose
> the cert, however I'm a bit less clear on what timeline they're required
> to provide the audit statements.

We have a template for reminding about missing audits here: 
https://wiki.mozilla.org/CA:Email_templates#Disclosure_Incomplete_Email_Template

As far as I know, this was first sent on the 3rd of April, see the 
thread with subject: "Automated email reminders about intermediate certs 
missing audit or CP/CPS". I don't think such reminders were sent a 
second time.

So at least some of them have been notified more than 3 months ago, and 
a bug was filed a month later. I think you already gave them too much 
time to at least respond to it, and suggest that you send a new email 
indicating that if they don't respond immediately that they will get 
added to OneCRL.



Kurt