date:20201007

Re: PEM of root certs in Mozilla's root store

2020-10-07 Thread Kathleen Wilson via dev-security-policy


On 10/7/20 9:30 AM, Matthew Hardeman wrote:

Would it be unreasonable to also consider publishing, as an "easy to use"
list, that set of only those anchors which are currently trusted in the
program and for which no exceptional in-product policy enforcement is
imposed?  (TLD constraints, provisional distrusts, etc.)

The lazier implementers are going to take the raw set of anchors and none
of the policy associated, and so the default assumption should be that none
of the enhanced policy enforcements from nss or firefox would get copied
along.




These reports are automatically generated by CCADB (Salesforce), so I 
cannot filter out all of the exceptions that may occur or that are 
currently listed in https://wiki.mozilla.org/CA/Additional_Trust_Changes


I could add a report that filters out root certificates that are 
name-constrained. However, there is currently only one name-constrained 
included root cert, and this option ended up not being very popular 
among CAs requesting root inclusion.


Also note that in Mozilla's program being name-constrained does not 
release the CA from following the same rules that all of the other CAs 
have to follow.


Therefore, I'm not currently inclined to add another report to filter 
out name-constrained root certs (currently just the one root cert).


Thanks,
Kathleen



___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: PEM of root certs in Mozilla's root store

2020-10-07 Thread Kathleen Wilson via dev-security-policy


On 10/6/20 7:09 PM, Ryan Sleevi wrote:

It seems like there should be a link to
https://wiki.mozilla.org/CA/FAQ#Can_I_use_Mozilla.27s_set_of_CA_certificates.3F
there



I added that link to https://wiki.mozilla.org/CA/Included_Certificates

Thanks,
Kathleen

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: PEM of root certs in Mozilla's root store

2020-10-07 Thread Jakob Bohm via dev-security-policy


On 2020-10-06 23:47, Kathleen Wilson wrote:

All,

I've been asked to publish Mozilla's root store in a way that is easy to 
consume by downstreams, so I have added the following to 
https://wiki.mozilla.org/CA/Included_Certificates


CCADB Data Usage Terms


PEM of Root Certificates in Mozilla's Root Store with the Websites 
(TLS/SSL) Trust Bit Enabled (CSV)
 



PEM of Root Certificates in Mozilla's Root Store with the Email (S/MIME) 
Trust Bit Enabled (CSV)
 




Please let me know if you have feedback or recommendations about this.



Please note that at least the first CSV download is not really a CSV 
file, as there are line feeds within each "PEM" value, and only one 
column.  It would probably be more useful as a simple concatenated PEM 
file, as used by various software packages as a root store input format.


I have also noted that at least one downstream root store (Debian) takes
all Mozilla-trusted certificates and labels them as simply 
"mozilla/cert-public-name", even though more useful naming can be 
extracted from the last (most complete) report, after finding a non-gui 
tool that can actually parse CSV files with embedded newlines in string 
values.





Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: PEM of root certs in Mozilla's root store

2020-10-07 Thread Matthew Hardeman via dev-security-policy

Would it be unreasonable to also consider publishing, as an "easy to use"
list, that set of only those anchors which are currently trusted in the
program and for which no exceptional in-product policy enforcement is
imposed?  (TLD constraints, provisional distrusts, etc.)

The lazier implementers are going to take the raw set of anchors and none
of the policy associated, and so the default assumption should be that none
of the enhanced policy enforcements from nss or firefox would get copied
along.

On Tue, Oct 6, 2020 at 9:09 PM Ryan Sleevi via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> It seems like there should be a link to
>
> https://wiki.mozilla.org/CA/FAQ#Can_I_use_Mozilla.27s_set_of_CA_certificates.3F
> there
>
> I realize there’s a tension between making this easily consumable, and the
> fact that “easily consumed” doesn’t and can’t relieve an organization of
> having to be responsible and being aware of the issues and discussions here
> about protecting their users.
>
> I do worry this is going to encourage one of the things that can make it
> more difficult for Mozilla to protect Mozilla users, which is when vendors
> blindly using/build a PEM file and bake it into a device they never update.
> We know from countless CA incidents that when vendors do that, and aren’t
> using these for “the web”, that it makes it more difficult for site
> operators to replace these certificates. It also makes it harder for
> Mozilla to fix bugs in implementations or policies and otherwise take
> actions that minimize any disruption for users. At the same time, Mozilla
> running a public and transparent root program does indeed mean it’s better
> for users than these vendors doing nothing at all, which is what would
> likely happen if there were too many roadblocks.
>
> While personally, I want to believe it’s “not ideal” to make it so easy, I
> realize the reality is plenty of folks already repackage the Mozilla store
> for just this reason, totally ignoring the above link, and make it easy for
> others to pull in. At least this way, you could reiterate that this list
> doesn’t really absolve these vendors of having to keep users up to date and
> protected and be able to update their root stores for their products, by
> linking to
>
> https://wiki.mozilla.org/CA/FAQ#Can_I_use_Mozilla.27s_set_of_CA_certificates.3F
>
> On Tue, Oct 6, 2020 at 5:47 PM Kathleen Wilson via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > All,
> >
> > I've been asked to publish Mozilla's root store in a way that is easy to
> > consume by downstreams, so I have added the following to
> > https://wiki.mozilla.org/CA/Included_Certificates
> >
> > CCADB Data Usage Terms
> > 
> >
> > PEM of Root Certificates in Mozilla's Root Store with the Websites
> > (TLS/SSL) Trust Bit Enabled (CSV)
> > <
> >
> https://ccadb-public.secure.force.com/mozilla/IncludedRootsPEM?TrustBitsInclude=Websites
> > >
> >
> > PEM of Root Certificates in Mozilla's Root Store with the Email (S/MIME)
> > Trust Bit Enabled (CSV)
> > <
> >
> https://ccadb-public.secure.force.com/mozilla/IncludedRootsPEM?TrustBitsInclude=Email
> > >
> >
> >
> > Please let me know if you have feedback or recommendations about this.
> >
> > Thanks,
> > Kathleen
> > ___
> > dev-security-policy mailing list
> > dev-security-policy@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-security-policy
> >
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: PEM of root certs in Mozilla's root store

Re: PEM of root certs in Mozilla's root store

Re: PEM of root certs in Mozilla's root store

Re: PEM of root certs in Mozilla's root store

4 matches

Site Navigation

Mail list logo

Footer information