Re: Francisco Partners acquires Comodo certificate authority business
On Tuesday, October 31, 2017 at 9:22:09 AM UTC-4, Kyle Hamilton wrote:
> http://www.eweek.com/security/francisco-partners-acquires-comodo-s-certificate-authority-business

I did a little spot check. So yes, they hired a person who was involved with Entrust, so that is a plus. The website says it is an IP carve-out. OK. Does this translate into knowledge so a consumer can make a rational trust decision?

I looked at their most recent CPS while shopping for a client email certificate:

> 3.2.7.1. Personal Secure Email Certificate
> The only identifying information in the subject DN is the email address of the Subscriber. Comodo validates the right for the Applicant to use the submitted email address. This is achieved through the delivery via a challenge and response made to the email address submitted during the Certificate application. Comodo validates that the Applicant holds the private key corresponding with a public key to be included in the Certificate by utilizing an online enrollment process whereby Comodo facilitates the Subscriber generating its key pair using a specially crafted web page. The key pair is generated in the Subscriber's computer. The private key is not exported or transferred from the Subscriber's computer as part of the application process.

This was previously "Free" and now is billed at $12, but no matter. I clicked on the chat window and spoke to a technical support rep. I asked what NIST Level of Assurance the S/MIME certificate was; after about 10 minutes I got the answer, which was LOA 3. So as a consumer I was just told I could get a NIST LOA 3 S/MIME client and signing certificate for $12, that according to the website also would be trusted by Mozilla, etc. Of course I know that's not possible, and we can't always expect random support people to give the right answer.

So what is the value add here from Francisco Partners, other than the previously "Free" certificate is now $12 and claimed to be at LOA 3?
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: Acquisition policy (was: Francisco Partners acquires Comodo certificate authority business)
There's always a risk that a CA owner will create a security nightmare when we aren't looking, probationary period or not. In theory regular audits help to prevent it, but even in cases where they don't, people are free to raise concerns as they come up. I think we've had examples of exactly that in both StartCom and Symantec.

Perhaps one way to think of it is: Do we have reason to believe that the acquiring organization, leadership, etc. will probably make good decisions in the furtherance of public trust on the Internet? For a company that is a complete unknown, I would say that no evidence exists and therefore a public review prior to the acquisition is appropriate. If we do have sufficient evidence, perhaps it's OK to let the acquisition go through and have a public discussion afterwards.

The Francisco Partners situation is more complicated, however. Francisco Partners itself does not strike me as the sort of company that should own a CA, but only because they are investors and not a public trust firm of some sort. That said, they are smart enough to bring in a leadership team that does have knowledge and experience in this space. Unfortunately, though, they are also bringing in a Deep Packet Inspection business, which is antithetical to public trust. So what is one to conclude?

The reporting that I've seen seems to indicate that Francisco Partners will not (will never?) combine PKI and DPI into a single business operation. They have to know that doing so would be ruinous to their CA investment. If we assume they know that and if we are willing to take them at their word, I suppose it's reasonable to "allow" the transfer as it relates to Mozilla policy.

If we should learn later on that that trust was misplaced, I'm sure we will discuss it and take appropriate action at that time.

From: westmail24--- via dev-security-policy
Sent: Wednesday, November 8, 2017 7:50 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Reply To: westmai...@gmail.com
Subject: Acquisition policy (was: Francisco Partners acquires Comodo certificate authority business)

> Hello Peter,
>
> But what prevents Francisco Partners from making a security nightmare after the probationary period? This is logical, I think.
>
> Regards,
> Andrew
Re: Discrepancy in Included CAs and Included CA Certificates List
On 11/9/17 5:58 AM, cbonn...@trustwave.com wrote:
> Hello all,
>
> I was cross-referencing data contained in the "Included CAs" spreadsheet (https://wiki.mozilla.org/CA/Included_CAs) and the "Included CA Certificates" spreadsheet (https://wiki.mozilla.org/CA/Included_Certificates) and discovered that CNNIC is listed in the "Included CAs" spreadsheet but has no roots listed in the "Included CA Certificates" spreadsheet. It appears that CNNIC is the only CA that does not appear in both spreadsheets. Is this discrepancy intentional?
>
> Thanks,
> Corey Bonnell

Thanks for checking, and for reporting this. It has been fixed.

Thanks!
Kathleen
Discrepancy in Included CAs and Included CA Certificates List
Hello all,

I was cross-referencing data contained in the "Included CAs" spreadsheet (https://wiki.mozilla.org/CA/Included_CAs) and the "Included CA Certificates" spreadsheet (https://wiki.mozilla.org/CA/Included_Certificates) and discovered that CNNIC is listed in the "Included CAs" spreadsheet but has no roots listed in the "Included CA Certificates" spreadsheet. It appears that CNNIC is the only CA that does not appear in both spreadsheets. Is this discrepancy intentional?

Thanks,
Corey Bonnell
Re: Incident report - ROCA fingerprints in certificates issued by Comodo CA (was Re: RSA key generation vulnerability in Infineon firmware)
On 09/11/17 13:09, Rob Stradling via dev-security-policy wrote:
> On 06/11/17 22:26, Rob Stradling via dev-security-policy wrote:
>> On Monday 6th November, we scanned the certificates that we'd issued between 20th October and 5th November. 8 further server authentication certificates were found, all for subdomains of the same registered domain. We will get these revoked and then post the details.
>
> The 8 further certs have been revoked and submitted to some CT logs. They're all related to the same registered domain (kindermorgan.com). There's yet another SCADA reference ("OU=IT SCADA").
>
> https://crt.id/?id=250561714
> https://crt.id/?id=250561721
> https://crt.id/?id=250561722
> https://crt.id/?id=250561723
> https://crt.id/?id=250561724
> https://crt.id/?id=250561725
> https://crt.id/?id=250561728
> https://crt.id/?id=250561731

Sorry for the URL construction fail. The correct URLs are:

https://crt.sh/?id=250561714
https://crt.sh/?id=250561721
https://crt.sh/?id=250561722
https://crt.sh/?id=250561723
https://crt.sh/?id=250561724
https://crt.sh/?id=250561725
https://crt.sh/?id=250561728
https://crt.sh/?id=250561731

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Re: Incident report - ROCA fingerprints in certificates issued by Comodo CA (was Re: RSA key generation vulnerability in Infineon firmware)
On 06/11/17 22:26, Rob Stradling via dev-security-policy wrote:
> On Monday 6th November, we scanned the certificates that we'd issued between 20th October and 5th November. 8 further server authentication certificates were found, all for subdomains of the same registered domain. We will get these revoked and then post the details.

The 8 further certs have been revoked and submitted to some CT logs. They're all related to the same registered domain (kindermorgan.com). There's yet another SCADA reference ("OU=IT SCADA").

https://crt.id/?id=250561714
https://crt.id/?id=250561721
https://crt.id/?id=250561722
https://crt.id/?id=250561723
https://crt.id/?id=250561724
https://crt.id/?id=250561725
https://crt.id/?id=250561728
https://crt.id/?id=250561731

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
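The scan Rob describes (checking already-issued certificates for the ROCA fingerprint) can be reproduced with the fingerprint test from the ROCA paper (Nemec et al., 2017): an affected modulus n satisfies n mod p in the subgroup generated by 65537 for every small prime p dividing the generator's constant M. This is an added Python example, not code from the thread or from Comodo's tooling; it assumes that published key structure (primes of the form k*M + 65537^a mod M), builds a toy key of that shape only to exercise the detector, and does no factoring.

```python
import math
import random

E = 65537
# Primes 3..167 are the factors of the flawed generator's modulus M, so they are
# the primes the fingerprint examines (the same set the public roca-detect uses).
SMALL_PRIMES = [p for p in range(3, 168) if all(p % d for d in range(2, p))]
M = math.prod(SMALL_PRIMES)

def subgroup(g, p):
    """Residues generated by g modulo prime p."""
    seen, x = set(), g % p
    while x not in seen:
        seen.add(x)
        x = x * g % p
    return seen

# If both primes have the form k*M + (65537^a mod M), n mod p is a power of
# 65537 mod p for every p dividing M; a random modulus almost never passes all 38.
FINGERPRINT = {p: subgroup(E, p) for p in SMALL_PRIMES}

def has_roca_fingerprint(n):
    """The ROCA test: n mod p lies in <65537> for every small prime p."""
    return all(n % p in FINGERPRINT[p] for p in SMALL_PRIMES)

def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin; even n and n < 4 are settled up front."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x not in (1, n - 1) and not any((x := x * x % n) == n - 1 for _ in range(r - 1)):
            return False
    return True

def roca_style_prime(rng, k_bits=40):
    """Toy stand-in for the flawed generator (assumed shape): prime k*M + (65537^a mod M)."""
    while True:
        cand = rng.getrandbits(k_bits) * M + pow(E, rng.randrange(M), M)
        if is_probable_prime(cand, rng):
            return cand

def demo(seed=2017):
    """Verdicts for a toy ROCA-style modulus and for (2^127-1)*(2^61-1), a constructed control."""
    rng = random.Random(seed)
    weak = roca_style_prime(rng) * roca_style_prime(rng)
    return has_roca_fingerprint(weak), has_roca_fingerprint((2**127 - 1) * (2**61 - 1))
```

On a real certificate, feed the RSA modulus (as an int) to has_roca_fingerprint; a True verdict is grounds for revocation and key replacement, exactly the action taken above.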