Re: Request to Include certSIGN Root CA G2 certificate

2020-05-08 Thread Wayne Thayer via dev-security-policy
The ETSI audit attestation statement referenced by Ben [1] lists 6
non-conformities that were to be corrected within 3 months of the onsite
audit that took place from 2020-02-10 until 2020-02-14:

Findings with regard to ETSI EN 319 401:
- REQ-7.8-06: Documentation shall be improved

Findings with regard to ETSI EN 319 411-1:
- REG-6.3.1-01: Implementation shall be improved
- GEN-6.5.1-04: Implementation shall be improved

Findings with regard to ETSI EN 319 411-2:
- SDP-6.5.1-02: Implementation shall be improved
- GEN-6.6.1-05: Documentation shall be improved
- CSS-6.3.10-13: Documentation shall be improved

I'm particularly concerned about GEN-6.5.1-04: The CA key pair used for
signing certificates shall be created under, at least, dual control.

I'd like to see an explanation of these non-conformities and the
remediation from certSIGN, and confirmation from LSTI that they have been
fixed.

- Wayne

[1] https://bug1632406.bmoattachments.org/attachment.cgi?id=9142635

On Wed, May 6, 2020 at 4:59 PM Ben Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> This request is for inclusion of the certSIGN Root CA G2 certificate and to
> turn on the Websites trust bit and for EV treatment.
>
> The request is documented in Bugzilla and in the CCADB as follows:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1403453
>
> https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=0403
>
> (Summary of info gathered and verified, URLs for test websites, etc.)
>
> * certSIGN’s BR Self Assessment is here:
>
> https://bugzilla.mozilla.org/attachment.cgi?id=9052673
>
> The Certsign document repository can be found here:
>
> https://www.certsign.ro/en/certsign-documents/policies-procedures
>
> * Root Certificate Locations:
>
> http://crl.certsign.ro/certsign-rootg2.crt
>
> http://registru.certsign.ro/certcrl/certsign-rootg2.crt
>
> http://www.certsign.ro/certcrl/certsign-rootg2.crt
>
> https://crt.sh/?q=657CFE2FA73FAA38462571F332A2363A46FCE7020951710702CDFBB6EEDA3305
>
> https://censys.io/certificates/657cfe2fa73faa38462571f332a2363a46fce7020951710702cdfbb6eeda3305/pem
>
> * EV Policy OID: 2.23.140.1.1
>
> * CRL URL: http://crl.certsign.ro/certsign-rootg2.crl
>
> * OCSP URL: http://ocsp.certsign.ro
>
> * Audit: See https://bugzilla.mozilla.org/attachment.cgi?id=9142635
> (http://lsti-certification.fr/images/LSTI_Audit_Atttestation_Letter_1612-163_V10_Certsign_S.pdf)
> which shows that a recent annual audit was performed on the certSIGN Root
> CA G2 by LSTI Group according to “ETSI EN 319 411-2, V2.2.2 (2018-04)”,
> “ETSI EN 319 411-1, V1.2.2 (2018-04)” and “ETSI EN 319 401, V2.2.1
> (2018-04)” as well as the CA/Browser Forum’s “EV SSL Certificate
> Guidelines, version 1.7.1” and “Baseline Requirements, version 1.6.7”
> considering the requirements of the “ETSI EN 319 403, V2.2.2 (2015-08)” for
> the Trust Service Provider Conformity Assessment.
>
> * CP/CPS Review
>
> Ryan Sleevi conducted a preliminary review of the PKI Disclosure Statement and
> CPS - https://bugzilla.mozilla.org/show_bug.cgi?id=1403453#c13
>
> I followed up, and now Comment #24 in Bugzilla shows the latest responses
> from Certsign - https://bugzilla.mozilla.org/show_bug.cgi?id=1403453#c24
>
> This begins the 3-week comment period for this request.
>
> I will greatly appreciate your thoughtful and constructive feedback on the
> acceptance of this root into the Mozilla CA program.
>
> Thanks,
> Ben
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>


Mozilla's Expectations for OCSP Incident Reporting

2020-05-08 Thread Wayne Thayer via dev-security-policy
It was recently reported [1] that IdenTrust experienced a multi-day OCSP
outage about two weeks ago. Other recent OCSP issues have resulted in
incident reports [3][4], so I am concerned that IdenTrust didn't report
this, and I created a bug [5] to ensure that we track the issue (assuming
the report of an extended outage is accurate).

I also created an issue [6] suggesting that Mozilla clarify expectations
for reporting CRL and OCSP outages. These services are notoriously
unreliable and I doubt that a constant barrage of reports for brief outages
would be manageable. I believe that Mozilla does expect CAs to report
"significant" outages, but there is currently no guidance to help CAs
determine when they should file a report.

- Wayne

[1] https://www.feistyduck.com/bulletproof-tls-newsletter/issue_64_gcc_code_analyzer_finds_bug_in_openssl
[2] https://community.letsencrypt.org/t/identrust-ocsp-producing-errors/120677
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1622505
[4] https://bugzilla.mozilla.org/show_bug.cgi?id=1630040
[5] https://bugzilla.mozilla.org/show_bug.cgi?id=1636544
[6] https://github.com/mozilla/pkipolicy/issues/214


Re: DRAFT May 2020 CA Communication/Survey

2020-05-08 Thread Kathleen Wilson via dev-security-policy

On 5/7/20 11:33 AM, Kathleen Wilson wrote:

> I have drafted a potential CA Communication and survey, and will greatly
> appreciate your input on it.
>
> https://wiki.mozilla.org/CA/Communications#May_2020_CA_Communication
>
> Direct link to read-only copy of the draft survey:
> https://ccadb-public.secure.force.com/mozillacommunications/CACommunicationSurveySample?CACommunicationId=a051J42AUSv

I believe that all of the questions/concerns have been resolved, so I
will open up the survey now, and prepare to send the email to the CAs
about it.

Thanks,
Kathleen

The email has been sent to the Primary POC (cc'd the CA's email alias)
for each CA with a root cert currently in Mozilla's root store.

Blog post:
https://blog.mozilla.org/security/2020/05/08/may-2020-ca-communication/

Thanks,
Kathleen