Re: CSV Format of CA Program reports
On 17/05/16 07:09, Miskovic Peter wrote:
> Hi Rob,
>
> there are two intermediate certification authorities on your missing list (CA Disig I2 Certification Service and CA Disig I1 Certification Service) which are no longer capable of issuing a new SSL certificate and which no longer directly chain to a certificate included in Mozilla's CA Certificate Program.
>
> According to the Mozilla CA Certificate Inclusion Policy (Version 2.2): "All certificates that are capable of being used to issue new certificates, and which directly or transitively chain to a certificate included in Mozilla's CA Certificate Program, MUST be operated in accordance with Mozilla's CA Certificate Policy and MUST either be technically constrained or be publicly disclosed and audited."
>
> The root for those intermediates (CA Disig) was removed from Mozilla's CA Certificate Program (see https://bugzilla.mozilla.org/show_bug.cgi?id=1247711) due to its expiration.

Peter, thanks for pointing that out.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
RE: CSV Format of CA Program reports
Hi Rob,

there are two intermediate certification authorities on your missing list (CA Disig I2 Certification Service and CA Disig I1 Certification Service) which are no longer capable of issuing a new SSL certificate and which no longer directly chain to a certificate included in Mozilla's CA Certificate Program.

According to the Mozilla CA Certificate Inclusion Policy (Version 2.2): "All certificates that are capable of being used to issue new certificates, and which directly or transitively chain to a certificate included in Mozilla's CA Certificate Program, MUST be operated in accordance with Mozilla's CA Certificate Policy and MUST either be technically constrained or be publicly disclosed and audited."

The root for those intermediates (CA Disig) was removed from Mozilla's CA Certificate Program (see https://bugzilla.mozilla.org/show_bug.cgi?id=1247711) due to its expiration.

Regards
Peter Miskovic

-
Peter Miskovic
CA Chief Operating Officer
Disig, a.s., Zahradnicka 151, 821 08 Bratislava 2, Slovakia
phone +421 2 20 85 01 50
peter.misko...@disig.sk
www.disig.sk

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+peter.miskovic=disig...@lists.mozilla.org] On Behalf Of Rob Stradling
Sent: Tuesday, May 17, 2016 12:31 AM
To: Kathleen Wilson <kwil...@mozilla.com>; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: CSV Format of CA Program reports

Thanks Kathleen.

PublicAllIntermediateCertsCSV is missing quite a few entries compared to my own CSV export of the "All Public Intermediate Certs" report. I've reviewed the differences. It looks like you're now omitting incomplete records and records for intermediates that didn't actually need to be disclosed. I presume this is a deliberate change, and I think it makes sense.

In case anyone's interested, here's a list of the currently disclosed intermediates that aren't in PublicAllIntermediateCertsCSV:
https://docs.google.com/spreadsheets/d/1nd2ie-JsS2CxMOX5nBGQgQEelhmkq-OcTKkvCe4U42Q/edit?usp=sharing

One oddity: Some intermediates (e.g. https://crt.sh/?id=17014784) contain the EKU extension with the MS SGC and/or NS Step-Up OIDs and _not_ id-kp-serverAuthentication. The policy says that these don't need to be disclosed, but Firefox does trust them as issuers of server authentication certs.

On 16/05/16 19:27, Kathleen Wilson wrote:
> The new reports are at the following new links. A couple columns were added:
> 'Parent Name', 'SHA-256 Fingerprint'.
>
> https://mozillacaprogram.secure.force.com/CA/PublicAllIntermediateCerts
> https://mozillacaprogram.secure.force.com/CA/PublicAllIntermediateCertsCSV
>
> I have also updated the links in the wiki page.
> https://wiki.mozilla.org/CA:SubordinateCAcerts
>
> Thanks,
> Kathleen

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Re: CSV Format of CA Program reports
Thanks Kathleen.

PublicAllIntermediateCertsCSV is missing quite a few entries compared to my own CSV export of the "All Public Intermediate Certs" report. I've reviewed the differences. It looks like you're now omitting incomplete records and records for intermediates that didn't actually need to be disclosed. I presume this is a deliberate change, and I think it makes sense.

In case anyone's interested, here's a list of the currently disclosed intermediates that aren't in PublicAllIntermediateCertsCSV:
https://docs.google.com/spreadsheets/d/1nd2ie-JsS2CxMOX5nBGQgQEelhmkq-OcTKkvCe4U42Q/edit?usp=sharing

One oddity: Some intermediates (e.g. https://crt.sh/?id=17014784) contain the EKU extension with the MS SGC and/or NS Step-Up OIDs and _not_ id-kp-serverAuthentication. The policy says that these don't need to be disclosed, but Firefox does trust them as issuers of server authentication certs.

On 16/05/16 19:27, Kathleen Wilson wrote:
> The new reports are at the following new links. A couple columns were added:
> 'Parent Name', 'SHA-256 Fingerprint'.
>
> https://mozillacaprogram.secure.force.com/CA/PublicAllIntermediateCerts
> https://mozillacaprogram.secure.force.com/CA/PublicAllIntermediateCertsCSV
>
> I have also updated the links in the wiki page.
> https://wiki.mozilla.org/CA:SubordinateCAcerts
>
> Thanks,
> Kathleen

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
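The EKU oddity Rob describes above, as an added example that is not part of the original thread and is not crt.sh's code: a Go program that parses a PEM certificate of the kind the WithPEM CSV report carries, computes its SHA-256 fingerprint, and flags CA certificates whose EKU extension contains the MS SGC and/or Netscape Step-Up OIDs without id-kp-serverAuth. The type and function names, the constructed self-signed test CAs, and the unseparated upper-case hex fingerprint format are assumptions of this example; it does not model the policy text or Firefox's trust decision, it only surfaces the certificates Rob's observation applies to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// EKUReport is a hypothetical summary of one certificate's EKU extension.
type EKUReport struct {
	SHA256     string // SHA-256 over the DER certificate, upper-case hex (format assumed)
	IsCA       bool   // basicConstraints cA=TRUE
	ServerAuth bool   // EKU contains id-kp-serverAuth (1.3.6.1.5.5.7.3.1)
	LegacySGC  bool   // EKU contains MS SGC (1.3.6.1.4.1.311.10.3.3) and/or NS Step-Up (2.16.840.1.113730.4.1)
	SGCOnly    bool   // the oddity: a CA with SGC/Step-Up but no id-kp-serverAuth
}

// Inspect classifies a parsed certificate. Go's x509 package maps the two
// legacy OIDs to the ExtKeyUsage*ServerGatedCrypto constants used below.
func Inspect(cert *x509.Certificate) EKUReport {
	sum := sha256.Sum256(cert.Raw)
	r := EKUReport{SHA256: strings.ToUpper(hex.EncodeToString(sum[:])), IsCA: cert.IsCA}
	for _, eku := range cert.ExtKeyUsage {
		switch eku {
		case x509.ExtKeyUsageServerAuth:
			r.ServerAuth = true
		case x509.ExtKeyUsageMicrosoftServerGatedCrypto, x509.ExtKeyUsageNetscapeServerGatedCrypto:
			r.LegacySGC = true
		}
	}
	r.SGCOnly = r.IsCA && r.LegacySGC && !r.ServerAuth
	return r
}

// InspectPEM parses one PEM-encoded certificate, as the WithPEM report carries it.
func InspectPEM(pemData []byte) (EKUReport, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return EKUReport{}, fmt.Errorf("input contains no CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return EKUReport{}, err
	}
	return Inspect(cert), nil
}

// SelfSignedCA builds a throwaway CA certificate with the given EKU list.
// Constructed test input for this example, not a real program intermediate.
func SelfSignedCA(cn string, ekus []x509.ExtKeyUsage) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		ExtKeyUsage:           ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	cases := []struct {
		name string
		ekus []x509.ExtKeyUsage
	}{
		{"serverAuth", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}},
		{"msSGC only", []x509.ExtKeyUsage{x509.ExtKeyUsageMicrosoftServerGatedCrypto}},
	}
	for _, c := range cases {
		pemData, err := SelfSignedCA("Constructed CA "+c.name, c.ekus)
		if err != nil {
			panic(err)
		}
		r, err := InspectPEM(pemData)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-12s sha256=%s... serverAuth=%-5v legacySGC=%-5v sgcOnly=%v\n", c.name, r.SHA256[:16], r.ServerAuth, r.LegacySGC, r.SGCOnly)
	}
}
```

Run over the PEM column of the WithPEM report, `SGCOnly` picks out exactly the certificates that the disclosure rule as Rob reads it would leave out while a browser still treats them as server-auth issuers; the fingerprint lets each hit be cross-referenced against the 'SHA-256 Fingerprint' column of the other reports.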
Re: CSV Format of CA Program reports
On Monday, May 16, 2016 at 11:27:21 AM UTC-7, Kathleen Wilson wrote:
> The new reports are at the following new links. A couple columns were added:
> 'Parent Name', 'SHA-256 Fingerprint'.
>
> https://mozillacaprogram.secure.force.com/CA/PublicAllIntermediateCerts
> https://mozillacaprogram.secure.force.com/CA/PublicAllIntermediateCertsCSV
>
> I have also updated the links in the wiki page.
> https://wiki.mozilla.org/CA:SubordinateCAcerts

We've added another report that is the CSV report plus the PEM data.
https://mozillacaprogram.secure.force.com/CA/PublicAllIntermediateCertsWithPEMCSV

The link is also available from the wiki page.

Note that all 3 of these reports will be generated once every 24 hours as a batch process.

Kathleen
Re: CSV Format of CA Program reports
The new reports are at the following new links. A couple columns were added: 'Parent Name', 'SHA-256 Fingerprint'.

https://mozillacaprogram.secure.force.com/CA/PublicAllIntermediateCerts
https://mozillacaprogram.secure.force.com/CA/PublicAllIntermediateCertsCSV

I have also updated the links in the wiki page.
https://wiki.mozilla.org/CA:SubordinateCAcerts

Thanks,
Kathleen
Re: CSV Format of CA Program reports
On Thursday, May 12, 2016 at 10:05:21 AM UTC-7, Kathleen Wilson wrote:
> I apologize for the delay.
>
> There will be new links, and we expect to have the new reports available
> today.
>
> I will update the links on the wiki page, and provide notice in this
> discussion as soon as the new reports are available.
>
> Thanks,
> Kathleen

I apologize again for the delay. We are setting up a test db to perform load testing, so we are now targeting to have the new reports ready by Monday.

Kathleen
Re: CSV Format of CA Program reports
On 11/05/16 12:42, Rob Stradling wrote:
> On 10/05/16 23:37, Kathleen Wilson wrote:
>>> Is it really the CPU limit that is hit, and not some other limit? I am curious because the CPU time limit usually has much more room than other governor limits, so you would usually hit some other limit before this one, unless you accidentally make some silly cubic time algorithm.
>>
>> Indeed, the problem was caused by some recursive logic in regards to the CA hierarchies and trying to indicate relationships in the report. I've told our consultant that the full reports of intermediate certs just need to list the intermediate cert record data, and not to worry about grouping them by CA, Root, Parent intermediate cert, etc.
>
> Kathleen, please let us know when it's fixed. Thanks.

Kathleen, I no longer see the "Authorization Required" message when attempting to download the CSV file [1]. Instead, I get a CSV file that contains just one line, which consists of the column headings.

[1] https://mozillacaprogram.secure.force.com/CA/PublicIntermediateCertsCSVFormat

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Re: CSV Format of CA Program reports
On 10/05/16 23:37, Kathleen Wilson wrote:
>> Is it really the CPU limit that is hit, and not some other limit? I am curious because the CPU time limit usually has much more room than other governor limits, so you would usually hit some other limit before this one, unless you accidentally make some silly cubic time algorithm.
>
> Indeed, the problem was caused by some recursive logic in regards to the CA hierarchies and trying to indicate relationships in the report. I've told our consultant that the full reports of intermediate certs just need to list the intermediate cert record data, and not to worry about grouping them by CA, Root, Parent intermediate cert, etc.

Kathleen, please let us know when it's fixed. Thanks.

Temporary "fix" for https://crt.sh/mozilla-disclosures: I just exported the "All Public Intermediate Certs" report from Salesforce as CSV. I don't see any way to automate that CSV export, so it won't auto-update.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Re: CSV Format of CA Program reports
Rob, thanks for letting me know.

The following two reports are now exceeding Salesforce's CPU limits, so it will take some time for us to figure out a solution. I will provide an update as soon as possible.
https://mozillacaprogram.secure.force.com/CA/PublicIntermediateCerts
https://mozillacaprogram.secure.force.com/CA/PublicIntermediateCertsCSVFormat

The individual CA reports are still working. Those are in the table in https://wiki.mozilla.org/CA:SubordinateCAcerts

I apologize for this inconvenience. Our Salesforce consultant is looking for a solution.

Kathleen
Re: CSV Format of CA Program reports
On 02/02/16 22:38, Kathleen Wilson wrote:
> I've updated the following wiki pages to add links to the CSV version of the reports.
> https://wiki.mozilla.org/CA:IncludedCAs (added CSV of upcoming inclusions report)
> https://wiki.mozilla.org/CA:PendingCAs
> https://wiki.mozilla.org/CA:RemovedCAcerts
>
> These wiki pages also have the CSV version of the reports:
> https://wiki.mozilla.org/CA:SubordinateCAcerts
> https://wiki.mozilla.org/CA:RevokedSubCAcerts
> (remember that the data for the SubCAs is still incomplete)

Kathleen,

For some reason, https://mozillacaprogram.secure.force.com now requires a username/password. Was this an intentional change?

So, when I attempt to download the disclosed [1] and revoked [2] CSV files, I get a webpage that says:

"Authorization Required
You must first log in or register before accessing this page. If you have forgotten your password, click Forgot Password to reset it."

Consequently, https://crt.sh/mozilla-disclosures currently shows that zero CA certificates have been disclosed to Mozilla. :-(

[1] https://mozillacaprogram.secure.force.com/CA/PublicIntermediateCertsCSVFormat
[2] https://mozillacaprogram.secure.force.com/CA/PublicIntermediateCertsRevokedCSVFormat

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
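Both failure modes Rob reports in this thread (the "Authorization Required" page served in place of the CSV, and later a CSV holding only the column headings) turned into "zero CA certificates disclosed" on a consumer that trusted the row count. As an added example that is not code from the thread or from crt.sh, here is a Go loader that rejects an HTML body, a header-only CSV, a missing required column and a malformed fingerprint instead of returning an empty row set. The column names 'Parent Name' and 'SHA-256 Fingerprint' are the two Kathleen names in this thread; the function names, the hex fingerprint format (64 hex digits, optionally colon-separated) and the sample bodies are constructed assumptions of this example.

```go
package main

import (
	"bytes"
	"encoding/csv"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// The failure modes from this thread, made into errors a consumer can
// distinguish from a genuinely empty report.
var (
	ErrLoginPage  = errors.New("download returned an HTML login page, not CSV")
	ErrHeaderOnly = errors.New("CSV contains no data rows (column headings only)")
	ErrNoColumn   = errors.New("CSV lacks a required column")
)

// fingerprintRe accepts 64 hex digits, optionally colon-separated (format assumed).
var fingerprintRe = regexp.MustCompile(`(?i)^[0-9a-f]{2}(:?[0-9a-f]{2}){31}$`)

// LoadReport validates a downloaded report body and returns its rows keyed by
// column name. It never returns an empty row set without an error.
func LoadReport(body []byte, required ...string) ([]map[string]string, error) {
	trimmed := bytes.TrimSpace(body)
	lower := bytes.ToLower(trimmed)
	if bytes.HasPrefix(lower, []byte("<!doctype")) || bytes.HasPrefix(lower, []byte("<html")) {
		return nil, ErrLoginPage
	}
	records, err := csv.NewReader(bytes.NewReader(trimmed)).ReadAll()
	if err != nil {
		return nil, fmt.Errorf("parsing CSV: %w", err)
	}
	if len(records) == 0 {
		return nil, ErrHeaderOnly
	}
	idx := make(map[string]int, len(records[0]))
	for i, h := range records[0] {
		idx[strings.TrimSpace(h)] = i
	}
	for _, col := range required {
		if _, ok := idx[col]; !ok {
			return nil, fmt.Errorf("%w: %q", ErrNoColumn, col)
		}
	}
	if len(records) == 1 {
		return nil, ErrHeaderOnly
	}
	rows := make([]map[string]string, 0, len(records)-1)
	for n, rec := range records[1:] {
		row := make(map[string]string, len(idx))
		for name, i := range idx {
			row[name] = rec[i]
		}
		if fp, ok := row["SHA-256 Fingerprint"]; ok && !fingerprintRe.MatchString(fp) {
			return nil, fmt.Errorf("row %d: malformed SHA-256 fingerprint %q", n+2, fp)
		}
		rows = append(rows, row)
	}
	return rows, nil
}

// NormalizeFingerprint strips colons and upper-cases so fingerprints compare
// the same way whichever separator style a report uses.
func NormalizeFingerprint(fp string) string {
	return strings.ToUpper(strings.ReplaceAll(fp, ":", ""))
}

// Constructed sample bodies for this example; none is real report data.
var (
	loginPage  = []byte("<!DOCTYPE html><html><body>Authorization Required. You must first log in or register before accessing this page.</body></html>")
	headerOnly = []byte("Parent Name,SHA-256 Fingerprint\n")
	twoRows    = []byte("Parent Name,SHA-256 Fingerprint\n" +
		"Constructed Root A," + strings.Repeat("AB", 32) + "\n" +
		"Constructed Root B," + strings.Repeat("cd:", 31) + "cd\n")
)

func main() {
	samples := []struct {
		name string
		body []byte
	}{{"login page", loginPage}, {"header only", headerOnly}, {"two rows", twoRows}}
	for _, s := range samples {
		rows, err := LoadReport(s.body, "Parent Name", "SHA-256 Fingerprint")
		if err != nil {
			fmt.Printf("%-12s rejected: %v\n", s.name, err)
			continue
		}
		fmt.Printf("%-12s %d disclosed intermediate(s)\n", s.name, len(rows))
		for _, r := range rows {
			fmt.Printf("  %s  %s\n", NormalizeFingerprint(r["SHA-256 Fingerprint"]), r["Parent Name"])
		}
	}
}
```

A consumer that refreshes a page like crt.sh/mozilla-disclosures from the report should keep its last good data when `LoadReport` returns an error, rather than publishing a zero count; the distinct error values make it easy to alert on the login-page case separately from an ordinary parse failure.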