Re: OISTE WISeKey Global Root GC CA Root Inclusion Request

[Wayne Thayer via dev-security-policy]

Having received the audit reports covering the period from the creation of
this root, I would like to resume this discussion. Please post any
remaining comments that you have on this inclusion request by next Friday,
10-August.

- Wayne

On Tue, Jul 31, 2018 at 2:47 AM Pedro Fuentes via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Hello,
> please note that if you didn't check this already, the above links only
> work now from the WISeKey website. You can access to the seals from the
> footer at any page at wisekey.com or you can use these direct links:
> Webtrust for CA:
> https://cdn.wisekey.com/uploads/images/Audit-Report-and-Management-Assertions.pdf
> Webtrust for BR/NS:
> https://cdn.wisekey.com/uploads/images/Audit-Report-and-Management-Assertions-SSL.pdf
> Thanks,
> Pedro
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Possible violation of CAA by nazwa.pl

[Wayne Thayer via dev-security-policy]

This discussion has covered a lot of ground. Here are my comments:

1. Nazwa is not independently audited, nor are they a member of the Mozilla
root program. I am also unable to locate any information that makes Nazwa
an Affiliate of Certum. I believe they are simply a Certum reseller. In
this instance CAA processing is required. Certum states that the CAA record
was validated, leaving me to conclude that Nazwa changed the CAA record
without the domain name registrant's permission.

2. Nazwa is generating the key pair. We recently discussed Trustico [1] and
concluded that - for resellers - this practice is discouraged but not
forbidden. I would encourage Certum to review the Trustico incident and
consider the implications of Nazwa's practices.

3. While I agree that "misissued" as currently used is a very broad term, I
think this is okay. It has meaning in context, and there's no handy word to
replace "misissued" when referring to certificates "issued in violation of
a policy".

4. I agree with Ryan that attempting to categorize misissuance is harmful
to the community. As proposed, it makes non-compliance for policy issues -
in fact, for anything the CA wants to argue isn't a security risk -
tolerable. This is a very slippery slope that ends with MUST == SHOULD.

5. I'm still working on a CAB Forum ballot that relaxes revocation
requirements to 5 days in many cases [2]. Now that governance reform is
mostly complete, I plan to move forward with this.

6. For the most part, I view the revocation of misissued certificates as a
CA's decision to either follow or willingly violate the BRs. It may be
tolerated when a CA chooses not to revoke (or delay revocation), but that
still reduces my confidence in the CA. The only case in which I think
Mozilla should consider relieving a CA of their obligation to revoke under
the BRs is when doing so would have a substantial negative impact on
Mozilla's users.

7. While it would be nice have a bright line for distrust decisions, I
don't know how to achieve that given the number of factors involved. The
manner in which a CA responds to an incident, past history, and the
specific nature of the incident are among the subjective elements that
affect those decisions.

- Wayne

[1]
https://groups.google.com/d/msg/mozilla.dev.security.policy/Xio6mrdxp2M/m38TJkblAgAJ
[2] https://github.com/cabforum/documents/compare/master...wthayer:patch-1

On Tue, Jul 31, 2018 at 8:38 AM Jeremy Rowley via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

>
>
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: GoDaddy Revocations Due to a Variety of Issues

[Wayne Thayer via dev-security-policy]

Thank you for this report Daymion. 3 of the issues were recent:

| e_dnsname_not_valid_tld,  |
 |
|e_subject_common_name_not_from_san,|
 |
|e_dnsname_bad_character_in_label   |4
|*7/5/18 11:48  |

I think the "e_dnsname_not_valid_tld" errors are false positives. 5 of the
6 certificates [1] are for the new .llc TLD and according to WHOIS were
issued after the FQDN was registered. The TLD hasn't yet been added to
zlint [2], triggering the error. The last one looks like the punycode
encoding in the SAN is triggering the error for the .рф TLD.

The other two errors are the result of SAN encoding that is, as Peter
described, not strictly a policy violation.

For the older issues, it's nice to see these older (most likely SHA-1 and
thus untrusted) certificates being cleaned up, but again I don't see any
policies being violated:

|BR certificates must be 39 months in validity or less  |27
 |4/1/15 13:07   |

The BR language is: "Except as provided for below, Subscriber Certificates
issued after 1 April 2015 MUST have a Validity Period no greater than 39
months"

The other 3 issues stopped occurring before Mozilla required BR compliance.

My conclusion is that there is no action required on Mozilla's behalf.

- Wayne

[1] https://crt.sh/?zlint=798&iCAID=904&minNotBefore=2018-01-01
[2] https://github.com/zmap/zlint/blob/master/data/newgtlds.txt

On Thu, Jul 26, 2018 at 10:26 AM Peter Bowen via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On Wed, Jul 25, 2018 at 2:08 PM Joanna Fox via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > On Friday, July 20, 2018 at 9:39:04 PM UTC-7, Peter Bowen wrote:
> > > > *Total of 17 certificates issued in 2018 were revoked due to invalid
> > > > extended ascii characters.  CertLint was not catching these issues,
> > which
> > > > would have prevented issuance. We have since remediated these
> > problems, and
> > > > are adding zLint to our certificate issuance process as a second
> check.
> > > > Issued in 2018 certificate serial numbers 4329668077199547083,
> > > > 8815069853166416488, 8835430332440327484, 13229652153750393997,
> > > > 12375089233389451640, 11484792606267277228, 11919098489171585007,
> > > > 9486648889515633287, 14583473664717830410, 7612308405142602244,
> > > > 4011153125742917275, 6919066797946454186, 15449193186990222652,
> > > > 14380872970193550115, 1792501994142248245, 12601193235728728125,
> > > > 10465762057746987360
> > > > Cert.sh was unavailable when this was crafted else I would provide
> > links
> > > > to the 4 certs which were CT logged.
> > >
> > >
> > >  https://crt.sh/?id=294808610&opt=zlint,cablint is one of the
> > > certificates.  It is not clear to me that there is an error here.  The
> > DNS
> > > names in the SAN are correctly encoded and the Common Name in the
> subject
> > > has one of the names found in the SAN.  The Common Name contains a DNS
> > name
> > > that is the U-label form of one of the SAN entries.
> > >
> > > It is currently undefined if this is acceptable or unacceptable for
> > > certificates covered by the BRs.  I put a CA/Browser Forum ballot
> > forward a
> > > while ago to try to clarify it was not acceptable, but it did not pass
> as
> > > several CAs felt it was not only acceptable but is needed and
> desirable.
> > >
> > > If Mozilla (or another browser) puts forward a policy on this, I'm
> happy
> > to
> > > update certlint to reflect the poicy.
> >
>
>
> > Using the example provided of
> > https://crt.sh/?id=294808610&opt=zlint,cablint, the error to which we
> > were addressing is, “ERROR: Characters in labels of DNSNames MUST be
> > alphanumeric, - , _ or *”. RFC 5280 states that the SAN field can
> contain a
> > dnsName but it must be in the IA5String format.  IA5String is defined as
> > the first 128 characters in the ASCII alphabet.  Right now as this is
> > defined, it does not include international variance of ISO 646.  Should
> we
> > revisit this issue to clarify if international characters should be
> > included?  GoDaddy would be in support of adding this clarification.
>
>
> That error is coming from zlint and appears, from my reading, to be a bug
> in zlint.  The DNSName entries in the SAN in that certificate only contain
> allowable characters.  The commonName attribute value in the Subject does
> have characters that are not allowed in the DNSName entry, but commonName
> is allowed to be a utf8string, which allows these characters.  Further the
> commonName contains a fully qualified domain name that also appears in the
> SAN, so that BR requirement is met.
>
> The challenge in this case is that the BRs do not specify the required
> encoding of domain names.  This doesn't really matter when handling pre-IDN
> domain names, but with Internationalized Domain Names (IDNs), encoding does
> need to be specified.  Until Mozil