Re: Audit Reminder Email Summary

2020-06-18 Thread Kathleen Wilson via dev-security-policy

-------- Forwarded Message --------
Subject: Summary of June 2020 Audit Reminder Emails
Date: Tue, 16 Jun 2020 19:00:31 +0000 (GMT)


Mozilla: Audit Reminder
CA Owner: Shanghai Electronic Certification Authority Co., Ltd. (SHECA)
Root Certificates:
   UCA Extended Validation Root
   UCA Global G2 Root
Standard Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=230630

Standard Audit Period End Date: 2019-04-30
BR Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=230631

BR Audit Period End Date: 2019-04-30
EV Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=230632

EV Audit Period End Date: 2019-04-30
CA Comments: null



Mozilla: Audit Reminder
CA Owner: Atos
Root Certificates:
   Atos TrustedRoot 2011**

** Audit Case in the Common CA Database is under review for this root 
certificate.


Standard Audit: 
https://www.mydqs.com/kunden/kundendatenbank.html?aoemydqs%5BrequestId%5D=europev2-DQS-D4601883F55A11E9B50B005056A04F41-_v2%5BdownloadKey%5D=ebe97140cee29a7c498ca32f1d76cc2143a5a383%5Baction%5D=downloadDocument=f86244b64421ebaad940

Standard Audit Period End Date: 2019-04-28
BR Audit: 
https://www.mydqs.com/kunden/kundendatenbank.html?aoemydqs%5BrequestId%5D=europev2-DQS-D4601883F55A11E9B50B005056A04F41-_v2%5BdownloadKey%5D=ebe97140cee29a7c498ca32f1d76cc2143a5a383%5Baction%5D=downloadDocument=f86244b64421ebaad940

BR Audit Period End Date: 2019-04-28
CA Comments: null



Mozilla: Audit Reminder
CA Owner: Sectigo
Root Certificates:
   COMODO RSA Certification Authority
   USERTrust ECC Certification Authority
   AAA Certificate Services
   AddTrust Class 1 CA Root
   AddTrust External CA Root
   COMODO Certification Authority
   COMODO ECC Certification Authority
   USERTrust RSA Certification Authority
Standard Audit: 
https://bug1472993.bmoattachments.org/attachment.cgi?id=9078178

Standard Audit Period End Date: 2019-03-31
BR Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=231163

BR Audit Period End Date: 2019-03-31
BR Audit:
BR Audit Period End Date:
EV Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=231164

EV Audit Period End Date: 2019-03-31
CA Comments: null



Mozilla: Audit Reminder
CA Owner: Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert)
Root Certificates:
   EC-ACC
Standard Audit: 
https://www.aenor.com/Certificacion_Documentos/eiDas/2019%20AENOR%20Anexo%202%20ETSI%20319%20411-2%20PSC-CAOC_v4.pdf

Standard Audit Period End Date: 2019-03-28
BR Audit: 
https://www.aenor.com/Certificacion_Documentos/eiDas/2019%20AENOR%20Anexo%202%20ETSI%20319%20411-1%20PSC-CAOC_v4.pdf

BR Audit Period End Date: 2019-03-28
CA Comments: null



Mozilla: Audit Reminder
CA Owner: GlobalSign
Root Certificates:
   GlobalSign
   GlobalSign
   GlobalSign
   GlobalSign Root CA
Standard Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=231566

Standard Audit Period End Date: 2019-03-31
BR Audit: https://bugzilla.mozilla.org/attachment.cgi?id=9112465
BR Audit Period End Date: 2019-03-31
EV Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=231568

EV Audit Period End Date: 2019-03-31
CA Comments: null



Mozilla: Audit Reminder
CA Owner: Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV)
Root Certificates:
   ACCVRAIZ1
Standard Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=232656

Standard Audit Period End Date: 2019-04-30
BR Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=232657

BR Audit Period End Date: 2019-04-30
CA Comments: null



Mozilla: Audit Reminder
CA Owner: Government of Taiwan, Government Root Certification Authority (GRCA)
Root Certificates:
   Government Root Certification Authority - Taiwan
Standard Audit: 
http://grca.nat.gov.tw/download/Audit/GRCA_GCA_XCA_WTCA_Audit_Report_2019.pdf

Standard Audit Period End Date: 2019-03-31
BR Audit: 
http://grca.nat.gov.tw/download/Audit/GRCA_GCA_BR_Audit_Report_2019.pdf

BR Audit Period End Date: 2019-03-31
CA Comments: null



Mozilla: Audit Reminder
CA Owner: HARICA
Root Certificates:
   Hellenic Academic and Research Institutions RootCA 2011
   Hellenic Academic and Research Institutions ECC RootCA 2015
   Hellenic Academic and Research Institutions RootCA 2015
Standard Audit: 
https://repo.harica.gr/documents/HARICA-AUDIT_ATTESTATION_W_ANNEX_290617-7-R2-AA-text.pdf

Standard Audit Period End Date: 2019-03-29
BR Audit: 
https://repo.harica.gr/documents/HARICA-AUDIT_ATTESTATION_W_ANNEX_290617-7-R2-AA-text.pdf

BR Audit Period End Date: 2019-03-29
CA Comments: null



Mozilla: Audit Reminder
CA Owner: Telia Company (formerly TeliaSonera)
Root Certificates:
   Sonera Class2 CA
   TeliaSonera Root CA v1
Standard Audit: 
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=231161

Standard Audit 

Re: crt.sh: CA Issuers monitor (was Re: CA Issuer AIA URL content types)

2020-06-18 Thread Rob Stradling via dev-security-policy
I've just added a "Configure for WebPKI" shortcut to the "Trust Filter", which 
simply links to https://crt.sh/ca-issuers?webpki.

(Ditto for https://crt.sh/ocsp-responders?webpki).


From: dev-security-policy on behalf of Jeremy Rowley via dev-security-policy
Sent: 17 June 2020 23:13
To: r...@sleevi.com 
Cc: Mozilla 
Subject: Re: crt.sh: CA Issuers monitor (was Re: CA Issuer AIA URL content 
types)


Doh - how did I miss that?! Thanks Ryan

From: Ryan Sleevi 
Sent: Wednesday, June 17, 2020 4:11:46 PM
To: Jeremy Rowley 
Cc: Mozilla 
Subject: Re: crt.sh: CA Issuers monitor (was Re: CA Issuer AIA URL content 
types)

It's right there under "Trust Filter". Very top of the page ;)

e.g. 
https://crt.sh/ca-issuers?trustedExclude=expired%2Conecrl=Mozilla=Server+Authentication=v=2

On Wed, Jun 17, 2020 at 5:18 PM Jeremy Rowley via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:
Is there a way to filter out the revoked and non-TLS/SMIME ICAs?

-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org>
On Behalf Of Rob Stradling via dev-security-policy
Sent: Wednesday, June 17, 2020 5:07 AM
To: dev-security-policy <dev-security-policy@lists.mozilla.org>
Subject: crt.sh: CA Issuers monitor (was Re: CA Issuer AIA URL content types)

Inspired by last month's email threads and Bugzilla issues relating to CA 
Issuers misconfigurations, I've just finished adding a new feature to crt.sh...

https://crt.sh/ca-issuers

Sadly, this highlights plenty of misconfigurations and other problems: PEM 
instead of DER, certs for the wrong CAs, wrong Content-Types, 404s, 
non-existent domain names, connection timeouts.  I encourage CAs to take a look 
and see what they can fix.  (Also, comments welcome :-) ).

While I'm here, here's a quick reminder of some other crt.sh features relating 
to CA compliance issues:
https://crt.sh/ocsp-responders
https://crt.sh/test-websites
https://crt.sh/mozilla-disclosures


From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org>
on behalf of Ryan Sleevi via dev-security-policy
<dev-security-policy@lists.mozilla.org>
Sent: 22 May 2020 21:52
To: Hanno Böck <ha...@hboeck.de>
Cc: r...@sleevi.com; dev-security-policy@lists.mozilla.org
Subject: Re: CA Issuer AIA URL content types


I believe you've still implied, even in this reply, that this is something 
serious or important. I see no reason to believe that is the case, and I wasn't 
sure if there was anything more than a "Here's a SHOULD and here's people not 
doing it," which doesn't seem that useful to me.

On Fri, May 22, 2020 at 2:52 PM Hanno Böck <ha...@hboeck.de> wrote:

> Hi,
>
> On Fri, 22 May 2020 09:55:22 -0400
> Ryan Sleevi via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>
> > Could you please cite more specifically what you believe is wrong
> > here? This is only a SHOULD level requirement.
>
> I think I said that more or less:
>
> > > I'm not going to file individual reports for the CAs. Based on
> > > previous threads I don't believe these are strictly speaking rule
> > > violations.
>
> I'm not claiming this is a severe issue or anything people should be
> worried about.
> It's merely that while analyzing some stuff I observed that AIA fields
> aren't as reliable as one might want (see also previous mails) and the
> mime types are one more observation I made where things aren't what
> they probably SHOULD be.
> I thought I'd share this observation with the community.
>
> --
> Hanno Böck
> https://hboeck.de/
>
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
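
Added example, not part of the thread and not crt.sh's code: a minimal classifier for three of the CA Issuers problems Rob Stradling lists above (404s, wrong Content-Types, PEM instead of DER), using the media types RFC 5280 section 4.2.2.1 says servers SHOULD send. The function names, problem labels and sample bytes are constructed for illustration.

```python
import base64

# Media types RFC 5280 section 4.2.2.1 says a caIssuers HTTP server SHOULD use.
EXPECTED_TYPES = {"application/pkix-cert", "application/pkcs7-mime"}
PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def der_sequence_fits(body: bytes) -> bool:
    """True if body is exactly one SEQUENCE (tag 0x30) with a definite length.

    Strict check: a BER certs-only CMS message using indefinite length
    is reported as not DER.
    """
    if len(body) < 2 or body[0] != 0x30:
        return False
    first = body[1]
    if first < 0x80:                      # short form: length fits in one byte
        header, length = 2, first
    else:
        n = first & 0x7F                  # long form: next n bytes hold the length
        if n == 0 or n > 4 or len(body) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(body[2:2 + n], "big")
    return header + length == len(body)   # no truncation, no trailing bytes


def classify(status: int, content_type: str, body: bytes) -> list:
    """Return hypothetical problem labels for one caIssuers HTTP response."""
    if status != 200:
        return [f"http-{status}"]
    problems = []
    media_type = (content_type or "").split(";")[0].strip().lower()
    if media_type not in EXPECTED_TYPES:
        problems.append("wrong-content-type")
    if body.lstrip().startswith(PEM_HEADER):
        problems.append("pem-instead-of-der")
    elif not der_sequence_fits(body):
        problems.append("not-der")
    return problems


# Constructed samples: a 4-byte placeholder SEQUENCE, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x02, 0x05, 0x00])
SAMPLE_PEM = (PEM_HEADER + b"\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(classify(200, "application/pkix-cert", SAMPLE_DER))
    print(classify(200, "text/plain", SAMPLE_PEM))
    print(classify(404, "text/html", b"<html>Not Found</html>"))
```

Checking for a certificate that belongs to the wrong CA needs a full X.509 parse to compare names and keys, and timeouts or non-existent domains show up at fetch time, so neither is covered here.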