Re: Request to Include 4 Microsoft Root CAs
Hi All,

This is Jason from the Microsoft PKI Services team. I’d like to add some context to the note about the certs issued from the Microsoft RSA Root Certificate Authority 2017. As you can see, these were all issued to a domain registered to Microsoft. While these clearly violate the Subject profile requirements in Section 7 of the BRs, nearly all the certs listed meet the requirements for Test Certificate as listed in Section 1.6.1 of the BRs, including the presence of the “Test” OID (2.23.140.2.1) in a critical extension. A few of the test issuances did not meet the requirements of 1.6.1 and we have adjusted our policy enforcement mechanisms accordingly as a result. That said, we have created an incident around this for purposes of reporting to our auditors. Please feel free to let me know if you have questions.

Thanks,
Jason Cooper

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
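As an added example (not code from the post, from Microsoft, or from the Mozilla list): a Go check for the marker Jason cites, the Test Certificate OID 2.23.140.2.1 carried in a critical extension, exercised against a constructed self-signed certificate for the hypothetical name test.example.com. It tests only the OID-and-criticality condition quoted in the post, not the remaining BR 1.6.1 conditions, and distinguishes a present-but-non-critical extension from a compliant one.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)
// CA/Browser Forum Test Certificate marker named in the post: OID 2.23.140.2.1.
var testCertOID = asn1.ObjectIdentifier{2, 23, 140, 2, 1}
// HasTestOID reports whether the Test Certificate extension is present and whether it is critical.
func HasTestOID(cert *x509.Certificate) (present, critical bool) {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(testCertOID) {
			return true, ext.Critical
		}
	}
	return false, false
}
// buildSelfSigned: constructed self-signed leaf for the hypothetical test.example.com (not a Microsoft cert), optionally carrying the Test OID.
func buildSelfSigned(withOID, critical bool) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "test.example.com"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if withOID {
		// Empty value; only the OID and the critical flag matter for the 1.6.1 marker.
		tmpl.ExtraExtensions = []pkix.Extension{{Id: testCertOID, Critical: critical}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // parsing tolerates an unknown critical extension; Verify would reject it
}
func main() {
	cert, err := buildSelfSigned(true, true)
	if err != nil {
		panic(err)
	}
	fmt.Println(HasTestOID(cert)) // true true
}
```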
Re: P-521 Certificates
I would say that the problem here would be that a child certificate can't use a higher cryptography level than the issuer; this is against good practices and, AFAIK, against the WebTrust audit criteria.

Jason
Re: Comodo issued a certificate for an extension
Still no response from COMODO CA, that's interesting, but why?
Comodo Legal Phishing attack against ISRG?
Is there still anything to be done for this one here?
Re: ISRG Root Inclusion Request
Kathleen, what is the progress here? Are any queries left over?
Re: SSL Certs for Malicious Websites
On Wednesday, May 18, 2016 at 6:22:39 PM UTC+3, Peter Bowen wrote:
> On Wed, May 18, 2016 at 7:16 AM, Gervase Markham wrote:
> > I think the bullet as a whole could mean that we reserve the right to not include CAs who happily issue certs to "www.paypalpayments.com" to just anyone without any checks or High Risk string list or anything. Such a cert, unless issued to Paypal, Inc., is clearly to be used for fraud, IMO, and a CA is negligent in issuing it given that it's not hard to flag for manual review any cert containing the names of major banks and payment companies.
>
> Playing Devil's Advocate for a moment, if paypalpayments.com is a valid registered domain and is owned by A Better World LLC (a Delaware Corporation), why should they not be able to get a certificate for their domain?
>
> How far do you take it? According to http://brandirectory.com/league_tables/table/banking-500-2014, top bank brands include "TD", "UBS", and "ING", should CAs block on "outdoor.sh", "nightclubs.io", and "exceeding.ly"?
>
> Why should Hong Kong and Shanghai Banking Corporation be considered to have more claim to HSBC than the Humane Society of Broward County, the House Small Business Committee, or Hobe Sound Bible College?
>
> Given that there is already the ICANN UDRP, shouldn't that be the venue to decide who is authorized to have what domain names? Should CAs be responsible for making calls on who is authorized for a domain name?
>
> Thanks,
> Peter

I will also add a classical example that used to exist there: gmail.de