Re: Summary of Camerfirma's Compliance Issues

2021-01-21 Thread Filippo Valsorda via dev-security-policy
2021-01-19 18:01 GMT+01:00 Andrew Ayer via dev-security-policy:
> It's troubling that even at this stage, Camerfirma still doesn't seem
> to grasp the seriousness of their compliance problems. Today,
> they are arguing that there was no security threat from a certificate
> issued for a domain without authorization because the subdomain
> in the certificate "does not exist": 
> https://bugzilla.mozilla.org/show_bug.cgi?id=1672409#c8

In my personal capacity, I want to stress how worrying this response by 
Camerfirma is. Arguing that a certificate doesn't present any risk if it's 
issued for a name that doesn't exist in DNS betrays a deep misunderstanding of 
the web platform, which the WebPKI serves. (For example, an attacker in a 
privileged network position can fake a DNS response for that domain, and use it 
to set Secure cookies on the whole site.)
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Policy 2.7.1: MRSP Issue #139: Audits required even if not issuing

2021-01-21 Thread Ben Wilson via dev-security-policy
I've updated this subject line for consistency with the other issues.

On Tue, Oct 6, 2020 at 2:31 PM Ben Wilson wrote:

> Here is the first issue for discussion here on the m.d.s.p. list relative
> to the next version of the Mozilla Root Store Policy (v.2.7.1).
>
> #139 - Audits are
> required even if no longer issuing - Clarify that audits are required until
> the CA certificate is revoked, expired, or removed. Related to Issue #153.
>
> Seven (7) comments are listed so far for this issue in GitHub, including
> discussion re: whether auditors can provide reports when a CA isn't being
> used to issue certificates.
>
> I made an initial attempt to address this with some language in line 272
> in the following commit in my GitHub repository -
> https://github.com/BenWilson-Mozilla/pkipolicy/commit/888dc139d196b02707d228583ac20564ddb27b35
> (related changes also appear below in that commit).
>
> The suggested language would amend the first paragraph of section 3.1.3 of
> the MRSP to read, "Full-surveillance period-of-time audits MUST be
> conducted and updated audit information provided no less frequently than
> *annually* from the time of CA key pair generation until the CA
> certificate is no longer trusted by Mozilla's root store or until all
> copies of the CA private key have been completely destroyed, as evidenced
> by a Qualified Auditor's key destruction report, whichever occurs sooner.
> Successive period-of-time audits MUST be contiguous (no gaps)."
>
> We will need to discuss scope and timing for implementing this requirement.
>
> Thanks in advance for your contributions and suggestions.
>
> Ben


Policy 2.7.1: MRSP Issue #147 - Require EV audits for certificates capable of issuing EV certificates

2021-01-21 Thread Ben Wilson via dev-security-policy
I've updated the subject line for this thread so that it is consistent with
the other issues.  Also, as an update to what we are considering to address
this issue, we are looking at pointing to existing language here:
https://wiki.mozilla.org/CA/EV_Processing_for_CAs#EV_TLS_Capable.

On Thu, Nov 12, 2020 at 11:23 AM Ben Wilson wrote:

>
> On Thu, Nov 12, 2020 at 2:03 AM Dimitris Zacharopoulos via
> dev-security-policy wrote:
>
>> I see that this is related to
>> https://github.com/mozilla/pkipolicy/issues/152, so I guess Mozilla
>> Firefox does not enable "EV Treatment" if an Intermediate CA Certificate
>> does not assert the anyPolicy or the CA's EV policy OID, including the
>> CA/B Forum EV OID, regardless of what the end-entity certificate asserts.
>>
>> That's correct.