Re: question about DNS CAA and S/MIME certificates
I created a new issue suggesting that we add this requirement to Mozilla policy: https://github.com/mozilla/pkipolicy/issues/135

On Wed, May 9, 2018 at 4:59 PM Ryan Sleevi via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> On Wed, May 9, 2018 at 11:47 AM, Adrian R. via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> > Hello,
> > this question is somewhat outside the current Baseline Requirements, but...
> >
> > wouldn't it be normal for the same CAA rules for server certificates to also apply to client certificates when the email address is for a domain that already has a valid CAA policy published in DNS?
> >
> > RFC 6844 doesn't seem to make any distinction between server and S/MIME client certificates, it combines them together by referring to certificates "for that domain" as a whole.
> >
> > I tested this last night - I obtained an email certificate from one of the CAs participating here (not for this exact address though) and it was happily issued even if CAA records authenticated by DNSSEC do not allow their CA to issue for this domain.
> >
> > Now, this is technically not a mis-issuance because it was a proper email-validated address and their CPS says that CAA is only checked for server-type certificates. It doesn't say anything about CAA validation for such client certificates.
> >
> > I got in touch with them and they seemed equally surprised by such an intended use case for CAA, so my second question is: is anyone actually checking CAA records for client certificates where an email address is included in the certificate subject info and the EKU includes Secure Email?
> >
> > Or is CAA usually checked only for server-type certificates, even if RFC 6844 refers to certificates "for that domain" as a whole?
>
> CAs are generally only checking CAA when they're required to in order to be trusted.
>
> Right now, CAs are only required to check CAA for server-type certificates (by virtue of the Baseline Requirements Section 3.2.2.8).
> CAs are not presently being required to check CAA for e-mail. They can, but they are required to do it, so they are unlikely to do it.

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
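The thread turns on RFC 6844 applying to certificates "for that domain" regardless of certificate type. The following added example (written for this page, not code from the thread or from any CA) implements the RFC 6844 relevant-record-set lookup (climbing from the name toward the TLD) and the `issue` authorisation check, then evaluates the domain of an email address exactly as it would a server hostname. The zone table and CA identifiers are constructed for the example.

```python
"""RFC 6844 CAA evaluation over a constructed, offline zone table."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (0x80) = issuer-critical flag
    tag: str     # "issue", "issuewild", "iodef", or an unknown property
    value: str   # CA identifier, or ";" meaning "no CA may issue"


# Constructed sample zone: FQDN -> CAA records (empty list = name has no CAA)
ZONE = {
    "example.com.": [CAA(0, "issue", "ca-one.example"),
                     CAA(0, "iodef", "mailto:security@example.com")],
    "mail.example.com.": [],                    # inherits example.com. policy
    "locked.example.com.": [CAA(0, "issue", ";")],      # nobody may issue
    "strict.example.com.": [CAA(0x80, "futuretag", "x")],  # unknown critical
    "nocaa.test.": [],
}


def relevant_rrset(fqdn, zone=ZONE):
    """RFC 6844 section 4: walk from the name up to the TLD and return the
    first non-empty CAA set found; the root itself is never consulted."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".", [])
        if rrset:
            return rrset
    return []


def may_issue(ca_id, fqdn, zone=ZONE):
    """True if CA `ca_id` is permitted by CAA to issue for `fqdn` (non-wildcard)."""
    rrset = relevant_rrset(fqdn, zone)
    if not rrset:
        return True   # no CAA anywhere in the tree: no restriction
    # An issuer-critical property the CA does not understand forbids issuance.
    if any(r.flags & 0x80 and r.tag not in ("issue", "issuewild", "iodef")
           for r in rrset):
        return False
    issue = [r for r in rrset if r.tag == "issue"]
    if not issue:
        return True   # CAA present but no "issue" property: no restriction
    # "issue" value is "<ca-domain>[; params]"; an empty domain (";") matches no CA.
    allowed = {r.value.split(";", 1)[0].strip().lower() for r in issue}
    return ca_id.lower() in allowed


def email_domain(address):
    """Domain part of an rfc822Name: the name CAA would be evaluated against."""
    return address.rsplit("@", 1)[1].lower() + "."
```

Note that `may_issue("ca-one.example", email_domain("alice@mail.example.com"))` is decided by the `example.com.` records, the same set that governs a server certificate for `www.example.com.`.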
Re: Root Store Policy 2.6
We're concluding discussions on all of the issues identified for version 2.6 of the policy [1]. You can find a complete set of changes here: https://github.com/mozilla/pkipolicy/compare/master...2.6

Two of the changes [2][3] require CAs to update their CP/CPS. For many CAs the current practice is to wait for the next required annual review (usually coinciding with their audit) to make CP/CPS changes. Do we want to allow that practice to continue, or set a date by which we expect CP/CPSs to reflect the new requirements? This was previously discussed [4], with the outcome being that we would make these decisions on a case-by-case basis.

- Wayne

[1] https://github.com/mozilla/pkipolicy/issues?utf8=%E2%9C%93=label%3A2.6+
[2] https://github.com/mozilla/pkipolicy/commit/e5269ff0d6ced93a6c6af65947712b8e4b2e18b8
[3] https://github.com/mozilla/pkipolicy/commit/42ebde18794bc1690885bfdd4e3fb12e7c2c832b
[4] https://groups.google.com/d/msg/mozilla.dev.security.policy/PYIAoh6W6x0/TT2u4wfoBQAJ

On Mon, Mar 19, 2018 at 10:15 PM Wayne Thayer wrote:
> There are 17 proposed changes in total for version 2.6 of the policy, and I'm about to kick off discussions on the first batch. I expect some of these to be straightforward while others will hopefully generate good dialogues. As always, everyone's constructive input is appreciated.
>
> Thanks,
>
> Wayne
>
> On Wed, Feb 21, 2018 at 9:14 AM, Wayne Thayer wrote:
>> I've added the issue of subordinate CA transfers to the list for policy version 2.6: https://github.com/mozilla/pkipolicy/issues/122
Re: Policy 2.6 Proposal: Update Minimum Audit Versions
My understanding of this discussion is that it is too soon to increase the minimum required versions of EN 319 411-1 and 319 411-2. I will only make the proposed change to the WebTrust EV version in the 2.6 policy update.

- Wayne

On Fri, May 11, 2018 at 12:19 PM wrote:
> Thanks Peter, I think we are in agreement.
>
> Dimitris.
>
> -----Original Message-----
> From: "Peter Miškovič via dev-security-policy" <dev-security-policy@lists.mozilla.org>
> To: Dimitris Zacharopoulos , Wayne Thayer <wtha...@mozilla.com>, mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
> Sent: Fri, 11 May 2018 12:53
> Subject: RE: Policy 2.6 Proposal: Update Minimum Audit Versions
>
> Hi Dimitris,
>
> the official list of ETSI published standards you can find at http://www.etsi.org/standards-search#Pre-defined%20Collections
>
> If you search for ETSI EN 319 411 you can find that the only officially ETSI published versions for ETSI EN 319 411-1 were V1.1.1 (2016-02) and V1.2.2 (2018-04). Any other version, according to the document history on the last page of the standard, was a version for the EN approval procedure (V1.2.0) or vote (V1.2.1). It means that versions 1.2.0 and 1.2.1 were not officially published by ETSI.
>
> For ETSI EN 319 411-2 you can find that the only official ETSI published versions were V2.1.1 (2016-02) and V2.2.2 (2018-04).
>
> According to this the minimal requirements should look like:
>
> “Trust Service Providers practice” in ETSI EN 319 411-1 version 1.1.1 or version 1.2.2 or later ETSI officially published version.
> “Trust Service Providers practice” in ETSI EN 319 411-2 version 2.1.1 or version 2.2.2 or later ETSI officially published version
>
> Regards
> Peter
>
> -----Original Message-----
> From: Dimitris Zacharopoulos
> Sent: Friday, May 11, 2018 7:23 AM
> To: Peter Miškovič ; Wayne Thayer <wtha...@mozilla.com>; mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
> Subject: Re: Policy 2.6 Proposal: Update Minimum Audit Versions
>
> Hello Peter,
>
> These were very recently published, however not everyone is tracking ETSI updates by registering to the mailing lists. The main question is where can you find the authoritative document *list*? I thought the official list is https://portal.etsi.org/TBSiteMap/ESI/TrustServiceProviders.aspx.
>
> Also, were there any other versions published before 1.2.2? The recommendation says "1.2 or later". Where are the versions 1.2.0, 1.2.1 published?
>
> Thanks,
> Dimitris.
>
> On 11/5/2018 8:13 AM, Peter Miškovič via dev-security-policy wrote:
> > New versions of both ETSI standards were published:
> >
> > ETSI EN 319 411-1 V1.2.2 adopted on April 23, 2018
> > http://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.02.02_60/en_31941101v010202p.pdf
> >
> > ETSI EN 319 411-2 V2.2.2 adopted on April 23, 2018
> > http://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.02.02_60/en_31941102v020202p.pdf
> >
> > Peter
> >
> > -----Original Message-----
> > From: dev-security-policy On Behalf Of Wayne Thayer via dev-security-policy
> > Sent: Thursday, May 10, 2018 5:04 PM
> > To: mozilla-dev-security-policy
> > Subject: Policy 2.6 Proposal: Update Minimum Audit Versions
> >
> > After consulting with representatives from WebTrust and ETSI, I propose that we update the minimum required versions of audit criteria in section 3.1.1 as follows:
> >
> > - WebTrust "Principles and Criteria for Certification Authorities - Extended Validation SSL" from 1.4.5 to 1.6.0 or later
> > - “Trust Service Providers practice” in ETSI EN 319 411-1 from 1.1.1 to 1.2 or later
> > - “Trust Service Providers practice” in ETSI EN 319 411-2 from 2.1.1 to 2.2 or later
> >
> > These newer versions were all published last year and should be the minimum for audits completed from now on.
> >
> > Please respond with any concerns you have about this update to our root store policy.
> >
> > - Wayne
Re: FW: Bit encoding (AW: Policy 2.6 Proposal: Add prohibition on CA key generation to policy)
Doug,

On Thu, May 10, 2018 at 10:57 AM Doug Beattie wrote:
> Hi Wayne,
>
> I’m OK with this as long as this permits the password (fully or partially generated by the CA) and PKCS#12 file to be picked up by a user over HTTPS (a single channel).
>

This language is not intended to permit both the password and PKCS#12 file to be transmitted over HTTPS. In an earlier message I said that I'd like to hear from other CAs who feel that this exception is necessary, but none have commented. Given the difficulty in carving out an exception limited to the scenario you described and the [perhaps marginal] increase in security that this requirement provides even in your scenario, I'm not inclined to try to accommodate it. If the proposed language is not clear in stating that the password and PKCS#12 file cannot both be transmitted over HTTPS, please let me know.

Doug

> *From:* Wayne Thayer [mailto:wtha...@mozilla.com]
> *Sent:* Wednesday, May 9, 2018 11:43 PM
> *To:* Doug Beattie
> *Cc:* mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
> *Subject:* Re: FW: Bit encoding (AW: Policy 2.6 Proposal: Add prohibition on CA key generation to policy)
>
> I think we have settled on the following resolution to this issue:
>
> Add the following to section 5.2 (Forbidden and Required Practices):
>
> CAs MUST NOT generate the key pairs for end-entity certificates that have an EKU extension containing the KeyPurposeIds id-kp-serverAuth or anyExtendedKeyUsage.
>
> PKCS#12 files must employ an encryption key and algorithm that is sufficiently strong to protect the key pair for its useful life based on current guidelines published by a recognized standards body. PKCS#12 files MUST be encrypted and signed; or, MUST have a password that exhibits at least 112 bits of entropy, and the password MUST be transferred using a different channel than the PKCS#12 file.
>
> Unless there is further discussion, I will include this language in the final version of the policy.
>
> - Wayne