Re: question about DNS CAA and S/MIME certificates

2018-05-11 Thread Wayne Thayer via dev-security-policy
I created a new issue suggesting that we add this requirement to Mozilla
policy: https://github.com/mozilla/pkipolicy/issues/135

On Wed, May 9, 2018 at 4:59 PM Ryan Sleevi via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On Wed, May 9, 2018 at 11:47 AM, Adrian R. via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > Hello,
> > this question is somewhat outside the current Baseline Requirements,
> > but...
> >
> > wouldn't it be normal for the same CAA rules for server certificates to
> > also apply to client certificates when the email address is for a domain
> > that already has a valid CAA policy published in DNS?
> >
> >
> > RFC 6844 doesn't seem to make any distinction between server and S/MIME
> > client certificates, it combines them together by referring to
> > certificates "for that domain" as a whole.
> >
> >
> > I tested this last night - I obtained an email certificate from one of
> > the CAs participating here (not for this exact address though) and it was
> > happily issued even if CAA records authenticated by DNSSEC do not allow
> > their CA to issue for this domain.
> >
> > Now, this is technically not a mis-issuance because it was a proper
> > email-validated address and their CPS says that CAA is only checked for
> > server-type certificates. It doesn't say anything about CAA validation
> > for such client certificates.
> >
> > I got in touch with them and they seemed equally surprised by such an
> > intended use case for CAA, so my second question is: is anyone actually
> > checking CAA records for client certificates where an email address is
> > included in the certificate subject info and the EKU includes Secure
> > Email?
> >
> >
> > Or is CAA usually checked only for server-type certificates, even if RFC
> > 6844 refers to certificates "for that domain" as a whole?
> >
>
> CAs are generally only checking CAA when they're required to in order to be
> trusted.
>
> Right now, CAs are only required to check CAA for server-type certificates
> (by virtue of the Baseline Requirements Section 3.2.2.8).
> CAs are not presently being required to check CAA for e-mail. They can, but
> they are required to do it, so they are unlikely to do it.
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
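
The check asked about in the thread above, as an added example that is not part of any message and not any CA's code: RFC 6844 tree climbing applied to the domain part of an e-mail address. It assumes the `issue` property would govern S/MIME issuance (the thread leaves that open), uses constructed zone data instead of live DNS, and skips CNAME handling.

```python
# Constructed zone data (not real DNS): name -> list of (flags, tag, value).
ZONE = {
    "example.com": [(0, "issue", "ca-one.example"),
                    (0, "iodef", "mailto:sec@example.com")],
    "open.example.net": [(0, "iodef", "mailto:sec@example.net")],
    "locked.example.org": [(0, "issue", ";")],
    "odd.example.org": [(128, "futuretag", "x"),
                        (0, "issue", "ca-one.example")],
}
KNOWN_TAGS = ("issue", "issuewild", "iodef")


def relevant_caa(domain, zone=ZONE):
    """Tree climbing: first non-empty CAA set from the domain up to its TLD."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []


def caa_permits(email, ca_domain, zone=ZONE):
    """Return (allowed, reason) for ca_domain issuing a certificate for email.

    Assumption: the 'issue' property is applied to the address's domain.
    """
    domain = email.rsplit("@", 1)[1]
    found_at, records = relevant_caa(domain, zone)
    if not records:
        return True, "no CAA record set found"
    # A critical (flag bit 0x80) property the checker does not understand
    # means the CA must not issue.
    for flags, tag, _ in records:
        if flags & 0x80 and tag.lower() not in KNOWN_TAGS:
            return False, f"unrecognised critical property '{tag}' at {found_at}"
    # The issuer domain name is the part of the value before any parameters.
    issuers = [value.split(";", 1)[0].strip().lower()
               for _, tag, value in records if tag.lower() == "issue"]
    if not issuers:
        return True, f"CAA set at {found_at} has no issue property"
    if ca_domain.lower() in issuers:
        return True, f"{ca_domain} is authorised at {found_at}"
    return False, f"{ca_domain} is not authorised at {found_at}"


if __name__ == "__main__":
    for addr in ("alice@mail.example.com", "carol@locked.example.org"):
        print(addr, caa_permits(addr, "ca-two.example"))
```
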


Re: Root Store Policy 2.6

2018-05-11 Thread Wayne Thayer via dev-security-policy
We're concluding discussions on all of the issues identified for version
2.6 of the policy [1].

You can find a complete set of changes here:
https://github.com/mozilla/pkipolicy/compare/master...2.6

Two of the changes [2][3] require CAs to update their CP/CPS. For many CAs
the current practice is to wait for the next required annual review
(usually coinciding with their audit) to make CP/CPS changes. Do we want to
allow that practice to continue, or set a date by which we expect CP/CPSs
to reflect the new requirements? This was previously discussed [4], with
the outcome being that we would make these decisions on a case-by-case
basis.

- Wayne

[1]
https://github.com/mozilla/pkipolicy/issues?utf8=%E2%9C%93=label%3A2.6+
[2]
https://github.com/mozilla/pkipolicy/commit/e5269ff0d6ced93a6c6af65947712b8e4b2e18b8
[3]
https://github.com/mozilla/pkipolicy/commit/42ebde18794bc1690885bfdd4e3fb12e7c2c832b
[4]
https://groups.google.com/d/msg/mozilla.dev.security.policy/PYIAoh6W6x0/TT2u4wfoBQAJ

On Mon, Mar 19, 2018 at 10:15 PM Wayne Thayer wrote:

> There are 17 proposed changes in total for version 2.6 of the policy, and
> I'm about to kick off discussions on the first batch. I expect some of
> these to be straightforward while others will hopefully generate good
> dialogues. As always, everyone's constructive input is appreciated.
>
> Thanks,
>
> Wayne
>
> On Wed, Feb 21, 2018 at 9:14 AM, Wayne Thayer wrote:
>
>> I've added the issue of subordinate CA transfers to the list for policy
>> version 2.6: https://github.com/mozilla/pkipolicy/issues/122
>>
>>
>


Re: Policy 2.6 Proposal: Update Minimum Audit Versions

2018-05-11 Thread Wayne Thayer via dev-security-policy
My understanding of this discussion is that it is too soon to increase the
minimum required versions of EN 319 411-1 and 319 411-2. I will only make
the proposed change to the WebTrust EV version in the 2.6 policy update.

- Wayne

On Fri, May 11, 2018 at 12:19 PM  wrote:

> Thanks Peter, I think we are in agreement.
>
> Dimitris.
>
> -Original Message-
> From: "Peter Miškovič via dev-security-policy" <
> dev-security-policy@lists.mozilla.org>
> To: Dimitris Zacharopoulos , Wayne Thayer <
> wtha...@mozilla.com>, mozilla-dev-security-policy <
> mozilla-dev-security-pol...@lists.mozilla.org>
> Sent: Fri, 11 May 2018 12:53
> Subject: RE: Policy 2.6 Proposal: Update Minimum Audit Versions
>
> Hi Dimitris,
>
> the official list of ETSI published standards you can find at
> http://www.etsi.org/standards-search#Pre-defined%20Collections
>
> If you search for ETSI EN 319 411 you can find that the only officially ETSI
> published versions of ETSI EN 319 411-1 were V1.1.1 (2016-02)
> and V1.2.2 (2018-04). Any other versions, according to the document history on the
> last page of the standard, were versions for the EN approval Procedure (V1.2.0) or
> Vote (V1.2.1). It means that versions 1.2.0 and 1.2.1 were not officially
> published by ETSI.
>
> For ETSI EN 319 411-2 you can find that the only official ETSI
> published versions were V2.1.1 (2016-02) and V2.2.2 (2018-04).
>
> According to this, the minimal requirements should look like:
>
> “Trust Service Providers practice” in ETSI EN 319 411-1 version
> 1.1.1 or version 1.2.2 or later ETSI officially published version.
> “Trust Service Providers practice” in ETSI EN 319 411-2
> version 2.1.1 or version 2.2.2 or later ETSI officially published version
>
> Regards
> Peter
>
>
>
>
> -Original Message-
> From: Dimitris Zacharopoulos 
> Sent: Friday, May 11, 2018 7:23 AM
> To: Peter Miškovič ; Wayne Thayer <
> wtha...@mozilla.com>; mozilla-dev-security-policy <
> mozilla-dev-security-pol...@lists.mozilla.org>
> Subject: Re: Policy 2.6 Proposal: Update Minimum Audit Versions
>
> Hello Peter,
>
> These were very recently published however not everyone is tracking down
> ETSI updates by registering to the mailing lists. The main question is
> where can you find the authoritative document *list*? I thought the official
> list is https://portal.etsi.org/TBSiteMap/ESI/TrustServiceProviders.aspx.
>
> Also, were there any other versions published before 1.2.2? The
> recommendation says "1.2 or later". Where are the versions 1.2.0, 1.2.1
> published?
>
> Thanks,
> Dimitris.
>
> On 11/5/2018 8:13 πμ, Peter Miškovič via dev-security-policy wrote:
> > New versions of both ETSI standards were published:
> >
> > ETSI EN 319 411-1 V1.2.2 adopted on April 23, 2018
> > http://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.02.02_60/en_31941101v010202p.pdf
> >
> > ETSI EN 319 411-2 V2.2.2 adopted on April 23, 2018
> > http://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.02.02_60/en_31941102v020202p.pdf
> >
> > Peter
> >
> > -Original Message-
> > From: dev-security-policy On Behalf Of Wayne Thayer via dev-security-policy
> > Sent: Thursday, May 10, 2018 5:04 PM
> > To: mozilla-dev-security-policy
> > Subject: Policy 2.6 Proposal: Update Minimum Audit Versions
> >
> > After consulting with representatives from WebTrust and ETSI, I
> > propose that we update the minimum required versions of audit criteria
> > in section 3.1.1 as follows:
> >
> > - WebTrust "Principles and Criteria for Certification Authorities -
> > Extended Validation SSL" from 1.4.5 to 1.6.0 or later
> > - “Trust Service Providers practice” in ETSI EN 319 411-1 from 1.1.1
> > to 1.2 or later
> > - “Trust Service Providers practice” in ETSI EN 319 411-2 from 2.1.1
> > to 2.2 or later
> >
> > These newer versions were all published last year and should be the
> > minimum for audits completed from now on.
> >
> > Please respond with any concerns you have about this update to our root
> > store policy.
> >
> > - Wayne
>


Re: FW: Bit encoding (AW: Policy 2.6 Proposal: Add prohibition on CA key generation to policy)

2018-05-11 Thread Wayne Thayer via dev-security-policy
Doug,

On Thu, May 10, 2018 at 10:57 AM Doug Beattie 
wrote:

> Hi Wayne,
>
>
>
> I’m OK with this as long as this permits the password (fully or partially
> generated by the CA) and PKCS#12 file to be picked up by a user over HTTPS
> (a single channel).
>
>
>
This language is not intended to permit both the password and PKCS#12 file
to be transmitted over HTTPS. In an earlier message I said that I'd like to
hear from other CAs who feel that this exception is necessary, but none
have commented. Given the difficulty in carving out an exception limited
to the scenario you described and the [perhaps marginal] increase in
security that this requirement provides even in your scenario, I'm not
inclined to try to accommodate it.

If the proposed language is not clear in stating that the password and
PKCS#12 file cannot both be transmitted over HTTPS, please let me know.

> Doug
>
> *From:* Wayne Thayer [mailto:wtha...@mozilla.com]
> *Sent:* Wednesday, May 9, 2018 11:43 PM
> *To:* Doug Beattie 
> *Cc:* mozilla-dev-security-policy <
> mozilla-dev-security-pol...@lists.mozilla.org>
> *Subject:* Re: FW: Bit encoding (AW: Policy 2.6 Proposal: Add prohibition
> on CA key generation to policy)
>
>
>
>
>
> I think we have settled on the following resolution to this issue:
>
>
>
> Add the following to section 5.2 (Forbidden and Required Practices):
>
>
>
> CAs MUST NOT generate the key pairs for end-entity certificates that have
> an EKU extension containing the KeyPurposeIds id-kp-serverAuth or
> anyExtendedKeyUsage.
>
>
>
> PKCS#12 files must employ an encryption key and algorithm that is
> sufficiently strong to protect the key pair for its useful life based on
> current guidelines published by a recognized standards body. PKCS#12 files
> MUST be encrypted and signed; or, MUST have a password that exhibits at
> least 112 bits of entropy, and the password MUST be transferred using a
> different channel than the PKCS#12 file.
>
>
>
> Unless there is further discussion, I will include this language in the
> final version of the policy.
>
>
>
> - Wayne
>


RE: Policy 2.6 Proposal: Update Minimum Audit Versions

2018-05-11 Thread Dimitris Zacharopoulos via dev-security-policy
Thanks Peter, I think we are in agreement. 

Dimitris. 

-Original Message-
From: "Peter Miškovič via dev-security-policy"
To: Dimitris Zacharopoulos, Wayne Thayer, mozilla-dev-security-policy
Sent: Fri, 11 May 2018 12:53
Subject: RE: Policy 2.6 Proposal: Update Minimum Audit Versions

Hi Dimitris,

the official list of ETSI published standards you can find at 
http://www.etsi.org/standards-search#Pre-defined%20Collections

If you search for ETSI EN 319 411 you can find that the only officially ETSI
published versions of ETSI EN 319 411-1 were V1.1.1 (2016-02) and V1.2.2
(2018-04). Any other versions, according to the document history on the last page of
the standard, were versions for the EN approval Procedure (V1.2.0) or Vote (V1.2.1).
It means that versions 1.2.0 and 1.2.1 were not officially published by ETSI.

For ETSI EN 319 411-2 you can find that the only official ETSI published versions
were V2.1.1 (2016-02) and V2.2.2 (2018-04).

According to this, the minimal requirements should look like:

“Trust Service Providers practice” in ETSI EN 319 411-1 version 1.1.1 or
version 1.2.2 or later ETSI officially published version.
“Trust Service Providers practice” in ETSI EN 319 411-2 version 2.1.1 or
version 2.2.2 or later ETSI officially published version

Regards
Peter




-Original Message-
From: Dimitris Zacharopoulos
Sent: Friday, May 11, 2018 7:23 AM
To: Peter Miškovič; Wayne Thayer; mozilla-dev-security-policy
Subject: Re: Policy 2.6 Proposal: Update Minimum Audit Versions

Hello Peter,

These were very recently published however not everyone is tracking down ETSI 
updates by registering to the mailing lists. The main question is where can you 
find the authoritative document *list*? I thought the official list is
https://portal.etsi.org/TBSiteMap/ESI/TrustServiceProviders.aspx.

Also, were there any other versions published before 1.2.2? The recommendation 
says "1.2 or later". Where are the versions 1.2.0, 1.2.1 published?

Thanks,
Dimitris.

On 11/5/2018 8:13 πμ, Peter Miškovič via dev-security-policy wrote:
> New versions of both ETSI standards were published:
>
> ETSI EN 319 411-1 V1.2.2 adopted on April 23, 2018
> http://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.02.02_60/en_31941101v010202p.pdf
>
> ETSI EN 319 411-2 V2.2.2 adopted on April 23, 2018
> http://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.02.02_60/en_31941102v020202p.pdf
>
> Peter
>
> -Original Message-
> From: dev-security-policy On Behalf Of Wayne Thayer via dev-security-policy
> Sent: Thursday, May 10, 2018 5:04 PM
> To: mozilla-dev-security-policy
> Subject: Policy 2.6 Proposal: Update Minimum Audit Versions
>
> After consulting with representatives from WebTrust and ETSI, I
> propose that we update the minimum required versions of audit criteria
> in section 3.1.1 as follows:
>
> - WebTrust "Principles and Criteria for Certification Authorities -
> Extended Validation SSL" from 1.4.5 to 1.6.0 or later
> - “Trust Service Providers practice” in ETSI EN 319 411-1 from 1.1.1
> to 1.2 or later
> - “Trust Service Providers practice” in ETSI EN 319 411-2 from 2.1.1
> to 2.2 or later
>
> These newer versions were all published last year and should be the minimum
> for audits completed from now on.
>
> Please respond with any concerns you have about this update to our root store
> policy.
>
> - Wayne


RE: Policy 2.6 Proposal: Update Minimum Audit Versions

2018-05-11 Thread Peter Miškovič via dev-security-policy
Hi Dimitris,

the official list of ETSI published standards you can find at 
http://www.etsi.org/standards-search#Pre-defined%20Collections

If you search for ETSI EN 319 411 you can find that the only officially ETSI
published versions of ETSI EN 319 411-1 were V1.1.1 (2016-02) and V1.2.2
(2018-04). Any other versions, according to the document history on the last page of
the standard, were versions for the EN approval Procedure (V1.2.0) or Vote (V1.2.1).
It means that versions 1.2.0 and 1.2.1 were not officially published by ETSI.

For ETSI EN 319 411-2 you can find that the only official ETSI published versions
were V2.1.1 (2016-02) and V2.2.2 (2018-04).

According to this, the minimal requirements should look like:

“Trust Service Providers practice” in ETSI EN 319 411-1 version 1.1.1 or
version 1.2.2 or later ETSI officially published version.
“Trust Service Providers practice” in ETSI EN 319 411-2 version 2.1.1 or
version 2.2.2 or later ETSI officially published version

Regards
Peter




-Original Message-
From: Dimitris Zacharopoulos
Sent: Friday, May 11, 2018 7:23 AM
To: Peter Miškovič; Wayne Thayer; mozilla-dev-security-policy
Subject: Re: Policy 2.6 Proposal: Update Minimum Audit Versions

Hello Peter,

These were very recently published however not everyone is tracking down ETSI 
updates by registering to the mailing lists. The main question is where can you 
find the authoritative document *list*? I thought the official list is
https://portal.etsi.org/TBSiteMap/ESI/TrustServiceProviders.aspx.

Also, were there any other versions published before 1.2.2? The recommendation 
says "1.2 or later". Where are the versions 1.2.0, 1.2.1 published?

Thanks,
Dimitris.

On 11/5/2018 8:13 πμ, Peter Miškovič via dev-security-policy wrote:
> New versions of both ETSI standards were published:
>
> ETSI EN 319 411-1 V1.2.2 adopted on April 23, 2018
> http://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.02.02_60/en_31941101v010202p.pdf
>
> ETSI EN 319 411-2 V2.2.2 adopted on April 23, 2018
> http://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.02.02_60/en_31941102v020202p.pdf
>
> Peter
>
> -Original Message-
> From: dev-security-policy On Behalf Of Wayne Thayer via dev-security-policy
> Sent: Thursday, May 10, 2018 5:04 PM
> To: mozilla-dev-security-policy
> Subject: Policy 2.6 Proposal: Update Minimum Audit Versions
>
> After consulting with representatives from WebTrust and ETSI, I
> propose that we update the minimum required versions of audit criteria
> in section 3.1.1 as follows:
>
> - WebTrust "Principles and Criteria for Certification Authorities -
> Extended Validation SSL" from 1.4.5 to 1.6.0 or later
> - “Trust Service Providers practice” in ETSI EN 319 411-1 from 1.1.1
> to 1.2 or later
> - “Trust Service Providers practice” in ETSI EN 319 411-2 from 2.1.1
> to 2.2 or later
>
> These newer versions were all published last year and should be the minimum
> for audits completed from now on.
>
> Please respond with any concerns you have about this update to our root store
> policy.
>
> - Wayne