Re: Chunghwa Telecom eCA Root Inclusion Request
While I sincerely appreciate the efforts of Chunghwa Telecom to respond to questions and to remediate some of the issues that were identified here, this discussion has made it clear that this request should be denied. There is a significant degree of misissuance associated with this root, some of the misissuance was intentional, and remediation did not occur until the problems were called out. I will resolve the inclusion bug as WONTFIX. Chunghwa Telecom is encouraged to create a new root that is free of these issues and to apply for the inclusion of that new root in the Mozilla program.

- Wayne

On Sat, Jul 14, 2018 at 5:26 AM lcchen.cissp--- via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On Saturday, July 14, 2018 at 1:16:58 AM UTC+8, Wayne Thayer wrote:
>
> > In effect, this is saying that CAs should be permitted to break well-defined rules when they find them inconvenient. This is the second example in which Chunghwa Telecom has argued that it's okay to do this (along with the Taiwan State/Locality issue). While I can sympathize with Chunghwa Telecom's reason for doing this, it is quite troubling because it implies that Chunghwa Telecom may be willing to ignore any of the rules they disagree with.
> >
> > I disagree that the discussion string referenced above did not reach a conclusion. A number of interoperability concerns were raised, causing the proposal to be rejected. By violating RFC 5280 in this manner, Chunghwa Telecom has created an additional burden and risk for Mozilla by expecting our software to accommodate non-standards-compliant certificates.
>
> Dear Wayne,
>
> We used automated tools (based on zlint, x509lint) to check all to-be-signed SSL certificates from June 22, 2018. So there will be no SSL certificates with those two issues in the future.
>
> Our vetting person had checked the mainstream browsers such as Firefox before the RA Officer approved the certificate request of crt.sh ID 336874396. There is no issue with an OU longer than 64 characters in Firefox, such as https://mail.gov.vc/. He just asked me to help to express his thought for discussion.
>
> Sincerely Yours,
>
> Li-Chun
>
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
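The pre-issuance check Li-Chun describes (automated linting of the to-be-signed certificate, here limited to the RFC 5280 Appendix A subject-attribute upper bounds that the over-long OU violated), as an added example that is not Chunghwa Telecom's, zlint's or x509lint's code; the sample subject is constructed, the OID table and limits are taken from RFC 5280 Appendix A, and lint_pem assumes the third-party cryptography package:

```python
# Added example: RFC 5280 Appendix A upper-bound check on subject attributes,
# applied before a certificate is signed. Not code from the thread or from
# zlint/x509lint; the sample subject below is constructed, not crt.sh 336874396.
from dataclasses import dataclass

# RFC 5280 Appendix A upper bounds (in characters), keyed by attribute OID.
UPPER_BOUNDS = {
    "2.5.4.3": ("commonName", 64),
    "2.5.4.6": ("countryName", 2),
    "2.5.4.7": ("localityName", 128),
    "2.5.4.8": ("stateOrProvinceName", 128),
    "2.5.4.10": ("organizationName", 64),
    "2.5.4.11": ("organizationalUnitName", 64),
    "2.5.4.5": ("serialNumber", 64),
    "2.5.4.12": ("title", 64),
    "2.5.4.65": ("pseudonym", 128),
    "1.2.840.113549.1.9.1": ("emailAddress", 255),
}

@dataclass(frozen=True)
class Finding:
    attribute: str
    length: int
    limit: int

def lint_subject(attrs):
    """attrs: list of (dotted OID, value) pairs from the to-be-signed subject.
    Returns one Finding per attribute whose value exceeds its RFC 5280 bound;
    an empty list means every bounded attribute is within limits."""
    findings = []
    for oid, value in attrs:
        if oid not in UPPER_BOUNDS:
            continue  # RFC 5280 defines no bound for this attribute type
        name, limit = UPPER_BOUNDS[oid]
        if len(value) > limit:
            findings.append(Finding(name, len(value), limit))
    return findings

def lint_pem(pem_bytes):
    """Same check on a PEM certificate; assumes the 'cryptography' package."""
    from cryptography import x509
    cert = x509.load_pem_x509_certificate(pem_bytes)
    return lint_subject([(a.oid.dotted_string, a.value) for a in cert.subject])

if __name__ == "__main__":
    # Constructed subject with a 70-character OU (RFC 5280 caps OU at 64).
    sample = [("2.5.4.6", "TW"), ("2.5.4.10", "Example Org"),
              ("2.5.4.11", "Department of " + "X" * 56),
              ("2.5.4.3", "www.example.com")]
    for f in lint_subject(sample):
        print(f"REJECT: {f.attribute} is {f.length} chars, limit {f.limit}")
```

A non-empty result is the signal to block issuance at the RA step rather than relying on whether a browser happens to tolerate the oversized attribute.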
Re: Audit Reminder Email Summary
Forwarded Message
Subject: Summary of July 2018 Audit Reminder Emails
Date: Tue, 17 Jul 2018 19:00:10 + (GMT)

Mozilla: Audit Reminder
Root Certificates: LuxTrust Global Root 2
Standard Audit: https://www.luxtrust.lu/upload/data/repository/attestation_letter_luxtrust_2017_s.pdf
Audit Statement Date: 2017-07-24
BR Audit: https://www.luxtrust.lu/upload/data/repository/attestation_letter_luxtrust_2017_s.pdf
BR Audit Statement Date: 2017-07-24
EV Audit: https://www.luxtrust.lu/upload/data/repository/attestation_letter_luxtrust_2017_s.pdf
EV Audit Statement Date: 2017-07-24
CA Comments: null

Mozilla: Audit Reminder
Root Certificates: Atos TrustedRoot 2011
Standard Audit: https://www.mydqs.com/kunden/kundendatenbank.html?aoemydqs%5BrequestId%5D=europev2-DQS-00DCD7AE71E211E7B653005056A04F41-_v2%5BdownloadKey%5D=91bdb1288df96a7e719d7ebcad82dc822d5b1a65%5Baction%5D=downloadDocument=f4c93332780df1788265
Audit Statement Date: 2017-06-14
BR Audit: https://www.mydqs.com/kunden/kundendatenbank.html?aoemydqs%5BrequestId%5D=europev2-DQS-00DCD7AE71E211E7B653005056A04F41-_v2%5BdownloadKey%5D=91bdb1288df96a7e719d7ebcad82dc822d5b1a65%5Baction%5D=downloadDocument=f4c93332780df1788265
BR Audit Statement Date: 2017-06-14
CA Comments: null

Mozilla: Audit Reminder
Root Certificates:
  Chambers of Commerce Root
  Chambers of Commerce Root - 2008
  Global Chambersign Root
  Global Chambersign Root - 2008
Standard Audit: https://cert.webtrust.org/SealFile?seal=2283=pdf
Audit Statement Date: 2017-07-10
BR Audit: https://cert.webtrust.org/SealFile?seal=2284=pdf
BR Audit Statement Date: 2017-07-10
EV Audit: https://cert.webtrust.org/SealFile?seal=2285=pdf
EV Audit Statement Date: 2017-07-10
CA Comments: null

Mozilla: Audit Reminder
Root Certificates: AC Raíz Certicámara S.A.
Standard Audit: https://cert.webtrust.org/SealFile?seal=2333=pdf
Audit Statement Date: 2017-08-09
CA Comments: null

Mozilla: Audit Reminder
Root Certificates: Certinomis - Root CA
Standard Audit: https://bug937589.bmoattachments.org/attachment.cgi?id=8898169
Audit Statement Date: 2017-07-24
BR Audit: https://bug937589.bmoattachments.org/attachment.cgi?id=8898169
BR Audit Statement Date: 2017-07-24
CA Comments: null

Mozilla: Audit Reminder
Root Certificates:
  COMODO RSA Certification Authority
  USERTrust ECC Certification Authority
  AAA Certificate Services
  AddTrust Class 1 CA Root
  AddTrust External CA Root
  COMODO Certification Authority
  COMODO ECC Certification Authority
  UTN-USERFirst-Client Authentication and Email
  USERTrust RSA Certification Authority
Standard Audit: https://cert.webtrust.org/SealFile?seal=2270=pdf
Audit Statement Date: 2017-06-02
BR Audit: https://cert.webtrust.org/SealFile?seal=2274=pdf
BR Audit Statement Date: 2017-06-02
BR Audit:
BR Audit Statement Date:
EV Audit: https://cert.webtrust.org/SealFile?seal=2272=pdf
EV Audit Statement Date: 2017-06-02
CA Comments: null

Mozilla: Audit Reminder
Root Certificates:
  GlobalSign
  GlobalSign
  GlobalSign Root CA
  GlobalSign Extended Validation CA - SHA256 - G2
Standard Audit: https://cert.webtrust.org/SealFile?seal=2287=pdf
Audit Statement Date: 2017-07-26
BR Audit: https://cert.webtrust.org/SealFile?seal=2338=pdf
BR Audit Statement Date: 2017-09-22
EV Audit: https://cert.webtrust.org/SealFile?seal=2288=pdf
EV Audit Statement Date: 2017-07-26
CA Comments: null

Mozilla: Audit Reminder
Root Certificates: ACCVRAIZ1
Standard Audit: https://cert.webtrust.org/SealFile?seal=2299=pdf
Audit Statement Date: 2017-07-28
BR Audit: https://cert.webtrust.org/SealFile?seal=2300=pdf
BR Audit Statement Date: 2017-07-28
CA Comments: Per CA request, Root CA Generalitat Valenciana will be removed via https://bugzilla.mozilla.org/show_bug.cgi?id=1272158

Mozilla: Audit Reminder
Root Certificates: Izenpe.com
Standard Audit: http://www.izenpe.eus/contenidos/informacion/auditorias_acreditaciones/en_def/adjuntos/6757_Izenpe_Browser_Attestation_2017.pdf
Audit Statement Date: 2017-07-25
BR Audit: http://www.izenpe.eus/contenidos/informacion/auditorias_acreditaciones/en_def/adjuntos/6757_Izenpe_Browser_Attestation_2017.pdf
BR Audit Statement Date: 2017-07-25
EV Audit: http://www.izenpe.eus/contenidos/informacion/auditorias_acreditaciones/en_def/adjuntos/6757_Izenpe_Browser_Attestation_2017.pdf
EV Audit Statement Date: 2017-07-25
CA Comments: null

Mozilla: Audit Reminder
Root Certificates:
  OpenTrust Root CA G1
  OpenTrust Root CA G2
  Certplus Root CA G1
  Class 2 Primary CA
  OpenTrust Root CA G3
  Certplus Root CA G2
Standard Audit: https://bug1297034.bmoattachments.org/attachment.cgi?id=8916590
Audit Statement Date: 2017-07-24
BR Audit: https://bug1297034.bmoattachments.org/attachment.cgi?id=8916590
BR Audit Statement Date: 2017-07-24
EV Audit: https://bug1297034.bmoattachments.org/attachment.cgi?id=8916590
EV Audit Statement Date: 2017-07-24
CA Comments: null
Re: Do We Now Require Separate Cross-certificates for SSL and S/MIME?
On Monday, July 16, 2018 at 7:25:09 PM UTC-4, Wayne Thayer wrote:

> On Fri, Jul 13, 2018 at 3:50 PM Tim Hollebeek via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> > Yeah, I agree I don't think it was intended. But now that I am aware of the issue, I think the crossing workaround per EKU is actually a good thing for people to be doing. Unless someone can point out why it's bad ...
>
> I'd like to consider any new restrictions on cross-certificates separately. I've created https://github.com/mozilla/pkipolicy/issues/145 to track this idea, and added that if we go that far we should also think about restricting roots to either the Mozilla websites or email trust bit.
>
> > Might want to give people a little more time to plan and adapt to that change though since I doubt anyone thought of it and people need planning runway to change their procedures if it is going to be interpreted this way.
>
> It seems that we have agreement that the current change was not intended to apply to cross certificates. I think that is the meaning of the existing language, but it would be clearer if the final paragraph of section 5.3 was amended to:
>
> These requirements include all intermediate certificates signed by cross-certificates which chain to a certificate that is included in Mozilla's CA Certificate Program.
>
> Questions:
> - does anyone object to that new wording?
> - should the official policy be updated with this change prior to 1-Jan when the requirement to separate usages of new intermediate certificates goes into effect, or can this wait since it is only a clarification?

Since this is only a clarification, I think the change can wait until the next update of the Mozilla policy.

Thanks, Bruce.