Re: New SHA-1 certificates issued in 2016

On Fri, 4 Nov 2016 10:30:00 + Gervase Markham wrote: > We need to recall that currently, SHA-1 issuance is not banned > directly by Mozilla policy, but only by the BRs. And so we don't have > a route to object to certs not covered by the BRs. The March 2016 CA

Re: SHA-1 issuances in 2016 That Chain to Mozilla Roots

On Friday, November 4, 2016 at 10:36:13 AM UTC-7, Gervase Markham wrote: > Here is the spreadsheet I am using to track my analysis of the SHA-1 > issuances discovered in crt.sh: > > https://docs.google.com/spreadsheets/d/1s0zsDjkHkPpFPd9LCtaJDgra5hqmcHmRor_sHSLl5Yg/edit > > It includes notes

RE: Mozilla CT Policy

This is awesome. We're very excited to see Mozilla support CT. How about: 1) What version of logs should Mozilla accept (do they have to comply with the bis)? If they are compliant with the original spec, should they be accepted until a certain date when they must transition to the new bis? 2)

Re: Mozilla CT Policy

在 2016年11月4日星期五 UTC+8下午8:20:11，Gervase Markham写道： > CT is coming to Firefox. As part of that, Mozilla needs to have a set of > CT policies surrounding how that will work. Like our root inclusion > program, we intend to run our CT log inclusion program in an open and > transparent fashion, such

RE: Update on transition of the Verizon roots and issuance of SHA1 certificates

Thanks Peter for the questions. The answers are listed below: First, a couple of questions about DigiCert itself. The press release at https://thomabravo.com/2015/10/22/thoma-bravo-completes-acquisition-of-majority-stake-in-digicert/ says that Thoma Bravo acquired a majority stake in DigiCert

SHA-1 issuances in 2016 That Chain to Mozilla Roots

Here is the spreadsheet I am using to track my analysis of the SHA-1 issuances discovered in crt.sh: https://docs.google.com/spreadsheets/d/1s0zsDjkHkPpFPd9LCtaJDgra5hqmcHmRor_sHSLl5Yg/edit It includes notes about each incident and my determination of what to do. At the moment, bugs are open for

Re: Update on transition of the Verizon roots and issuance of SHA1 certificates

Hi Jeremy, Thanks for posting this. Mozilla had been concerned for some time about the level of BR compliance of the Verizon-controlled PKI and their seeming difficulties in bringing their many sub-CAs into compliance. When DigiCert approached us when researching the potential acquisition, they

Re: Mozilla CT Policy

On 04/11/2016 15:42, Hanno Böck wrote: On Fri, 4 Nov 2016 14:09:55 +0100 Jakob Bohm wrote: * How do we allow organization internal non-public CAs to not reveal their secret membership/server lists to public CT systems or otherwise run the (administratively and

Re: New SHA-1 certificates issued in 2016

On Friday, November 4, 2016 at 4:49:28 AM UTC-7, Gervase Markham wrote: > On 03/11/16 18:09, Andrew Ayer wrote: > > This is just as bad as signing an actual cert with SHA-1. > > Add: > https://bugzilla.mozilla.org/show_bug.cgi?id=1315225 (Symantec) > > Gerv I updated the bug to say that this

Re: Mozilla CT Policy

Well, these are logs. So: - Is it necessary to require that log items can't be modified after they have been created? (Or is that implied by the cryptography being used.) How about deleted? - Is is perhaps a good idea to require a certain minimum accuracy (or other characteristics, timestamps

Re: Mozilla CT Policy

On Fri, Nov 04, 2016 at 12:19:32PM +, Gervase Markham wrote: > > * Do we want to require a certain number of SCTs for certificates of > particular validity periods? What happens to the SCT requirements if a log is distrusted? Is the date of the distrust taking into account? Is that the same

Re: Mozilla CT Policy

On 4 November 2016 at 07:19, Gervase Markham wrote: > * How do we decide when to un-trust a log? What reasons are valid > reasons for doing so? Do we want different types of distrust for a log? That is, a "We don't trust you at all anymore" distrust vs a "We don't trust

Re: Mozilla CT Policy

On Fri, Nov 4, 2016 at 3:42 PM, Hanno Böck wrote: > > Isn't that already solved? > > Browsers already treat manually installed roots differently, e.g. > bypassing key pinning. Chrome's CT requirements don't apply to locally > installed roots. > > How about public technically

Re: Mozilla CT Policy

On Fri, 4 Nov 2016 14:09:55 +0100 Jakob Bohm wrote: > * How do we allow organization internal non-public CAs to not reveal > their secret membership/server lists to public CT systems or > otherwise run the (administratively and technically) expensive > processes required

Re: Mozilla CT Policy

Hi, Great to see Mozilla committing to CT. On Fri, 4 Nov 2016 12:19:32 + Gervase Markham wrote: > So, please add comments with additional _questions_ you think the > policy will need to address. What the answers should be is (for now) > off-topic. Some meta-thought: In

Mozilla CT Policy

CT is coming to Firefox. As part of that, Mozilla needs to have a set of CT policies surrounding how that will work. Like our root inclusion program, we intend to run our CT log inclusion program in an open and transparent fashion, such that the Internet community can see how it works and how

Re: New SHA-1 certificates issued in 2016

On 03/11/16 18:09, Andrew Ayer wrote: > This is just as bad as signing an actual cert with SHA-1. Add: https://bugzilla.mozilla.org/show_bug.cgi?id=1315225 (Symantec) Gerv ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org

ENISA Draft technical guidelines on eIDAS implementation

For those wishing to contribute with comments/feedback, ENISA has updated Draft Guidelines for TSPs implementing eIDAS. https://www.enisa.europa.eu/topics/trust-services/guidelines/ Thank you, Dimitris Zacharopoulos. ___ dev-security-policy mailing

Re: New SHA-1 certificates issued in 2016

On 03/11/16 21:17, Jakob Bohm wrote: > Note that the GlobalSign SHA-1 intermediaries chain only to their old > SHA-1 root which is (I believe) not used for any SHA-256 certs, except > a cross-cert that signs their current SHA-256 root. Nevertheless, it is still in Mozilla's trust store. > So I

Re: Cerificate Concern about Cloudflare's DNS

Hi Gerhard, I realise you are upset with what Cloudflare has been doing, but having considered the matter, I think the bottom line is that the only reasonable position for Mozilla to take is "issuances which perform a valid domain control check are OK". We can't go policing the terms of service

Re: Cerificate Concern about Cloudflare's DNS

On 04/11/2016 07:01, Nigel Jones wrote: On 11/09/2016 12:37 AM, Han Yuwei wrote: I am using Cloudflare's DNS service and I found that Cloudflare has issued a certficate to their server including my domain. But I didn't use any SSL service of theirs. Is that ok to Mozilla's policy? Issued