Re: CA Problem Reporting Mechanisms

On Wednesday, May 17, 2017 at 11:24:54 AM UTC, Gervase Markham wrote: > Well, such contacts are normally per CA rather than per root. I guess we > could add it on the CA's entry. Tbh, I'm not really familiar with your salesforce setup, I was just using this as a stand-in for "place where CA can b

TrustCor root inclusion request

This request from TrustCor is to include the “TrustCor RootCert CA-1”, “TrustCor RootCert CA-2”, and “TrustCor ECA-1” root certificates and enable the Websites and Email trust bits. TrustCor, located in Canada, is a commercial organization that develops privacy protection services and issues ce

Re: Certigna Root Renewal Request

All, I will greatly appreciate your help in reviewing and commenting on this root inclusion request from Certigna. Thanks, Aaron ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-

Re: Hunting for intermediates that still haven't been disclosed to CCADB

On 17/05/17 15:49, Rob Stradling wrote: > The "Listed Here Since" timestamps for the 24 intermediates currently in > this category are set to today, because I don't have a time machine to > go back and find out how long they've actually been listed in this > category. ;-) Lack of time machine is

Re: Hunting for intermediates that still haven't been disclosed to CCADB

On 17/05/17 15:21, Gervase Markham via dev-security-policy wrote: On 17/05/17 15:15, Rob Stradling wrote: Shall I add the same two fields to https://crt.sh/mozilla-disclosures#disclosureincomplete as well? Yes, why not? :-) Gerv Done. The "Listed Here Since" timestamps for the 24 intermedi

Re: Hunting for intermediates that still haven't been disclosed to CCADB

On 17/05/17 15:15, Rob Stradling wrote: > Shall I add the same two fields to > https://crt.sh/mozilla-disclosures#disclosureincomplete as well? Yes, why not? :-) Gerv ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lis

Re: Hunting for intermediates that still haven't been disclosed to CCADB

On 17/05/17 15:12, Gervase Markham via dev-security-policy wrote: On 17/05/17 13:32, Rob Stradling wrote: I've just added two columns to https://crt.sh/mozilla-disclosures#undisclosed: - "Earliest SCT". - "Listed Here Since". Lovely! Now we just need a cert to be on the list so we can se

Re: Hunting for intermediates that still haven't been disclosed to CCADB

On 17/05/17 13:32, Rob Stradling wrote: > I've just added two columns to > https://crt.sh/mozilla-disclosures#undisclosed: > - "Earliest SCT". > - "Listed Here Since". Lovely! Now we just need a cert to be on the list so we can see what it looks like ;-) Gerv _

Re: Hunting for intermediates that still haven't been disclosed to CCADB

On 17/05/17 15:08, Rob Stradling wrote: > Incidentally, it's true that Mozilla have said that they don't care > about the Code Signing trust bit any more, but the > CKA_TRUST_CODE_SIGNING haven't yet been removed from certdata.txt. Bug? Yes, but a low priority one. Feel free to file :-) Gerv ___

Re: Configuring Graduated Trust for Non-Browser Consumption

On 17/05/17 12:55, Jakob Bohm wrote: > That is /human readable/ information, not /computer readable/ data that > can be imported by other libraries when those are used with the Mozilla > root program. Yes, indeed. But you asked where in certdata.txt those things are, and that page explains pretty

Re: Hunting for intermediates that still haven't been disclosed to CCADB

On 17/05/17 14:43, Kurt Roeckx via dev-security-policy wrote: On 2017-05-17 14:40, Rob Stradling wrote: On 12/05/17 16:37, Kurt Roeckx via dev-security-policy wrote: On 2017-05-11 19:05, Gervase Markham wrote: On 11/05/17 12:46, Rob Stradling wrote: There's a "Created by" field (Username, Ti

Re: Hunting for intermediates that still haven't been disclosed to CCADB

On 2017-05-17 14:40, Rob Stradling wrote: On 12/05/17 16:37, Kurt Roeckx via dev-security-policy wrote: On 2017-05-11 19:05, Gervase Markham wrote: On 11/05/17 12:46, Rob Stradling wrote: There's a "Created by" field (Username, Timestamp) and a "Last Modified By" field (Username, Timestamp) in

Re: Hunting for intermediates that still haven't been disclosed to CCADB

On 12/05/17 16:37, Kurt Roeckx via dev-security-policy wrote: On 2017-05-11 19:05, Gervase Markham wrote: On 11/05/17 12:46, Rob Stradling wrote: There's a "Created by" field (Username, Timestamp) and a "Last Modified By" field (Username, Timestamp) in the CCADB, but neither of these fields are

Re: Hunting for intermediates that still haven't been disclosed to CCADB

On 11/05/17 18:05, Gervase Markham via dev-security-policy wrote: On 11/05/17 12:46, Rob Stradling wrote: There's a "Created by" field (Username, Timestamp) and a "Last Modified By" field (Username, Timestamp) in the CCADB, but neither of these fields are currently provided in the public CSV rep

Re: Configuring Graduated Trust for Non-Browser Consumption

On 17/05/2017 13:29, Gervase Markham wrote: On 16/05/17 18:04, Jakob Bohm wrote: Could you please point out where in certdata.txt the following are expressed, as I couldn't find it in a quick scan: 1. The date restrictions on WoSign-issued certificates. 2. The EV trust bit for some CAs. I am

Re: [FORGED] Re: Configuring Graduated Trust for Non-Browser Consumption

On 2017-05-17 13:23, Michael Casadevall wrote: On 05/17/2017 05:04 AM, Kurt Roeckx wrote: If the key is compromised, you can't rely on any date information anymore, you need to revoke it completely and break things. Won't that only be true in certificates without SCTs? Once you have a SCT, yo

Re: Configuring Graduated Trust for Non-Browser Consumption

On 16/05/17 18:04, Jakob Bohm wrote: > Could you please point out where in certdata.txt the following are > expressed, as I couldn't find it in a quick scan: > > 1. The date restrictions on WoSign-issued certificates. > > 2. The EV trust bit for some CAs. I am surprised you are engaging in a dis

Re: CA Problem Reporting Mechanisms

On 16/05/17 02:26, userwithuid wrote: > After skimming the responses and checking a few CAs, I'm starting to > wonder: Wouldn't it be easier to just add another mandatory field to > the CCADB (e..g. "revocation contact"), requiring $URL or $EMAIL via > policy and just use that to provide a public l

Re: [FORGED] Re: Configuring Graduated Trust for Non-Browser Consumption

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 05/17/2017 05:04 AM, Kurt Roeckx wrote: > If the key is compromised, you can't rely on any date information > anymore, you need to revoke it completely and break things. > Won't that only be true in certificates without SCTs? Once you have a SC

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

在 2017年5月17日星期三 UTC+8下午5:18:59，Rob Stradling写道： > On 12/05/17 06:51, wangsn1206--- via dev-security-policy wrote: > > 在 2017年5月11日星期四 UTC+8下午5:58:00，Rob Stradling写道： > >> On 11/05/17 10:42, wangsn1206--- via dev-security-policy wrote: > >> > * CPS Appendix1: Certificate information of the pub

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

On 12/05/17 06:51, wangsn1206--- via dev-security-policy wrote: 在 2017年5月11日星期四 UTC+8下午5:58:00，Rob Stradling写道： On 11/05/17 10:42, wangsn1206--- via dev-security-policy wrote: * CPS Appendix1: Certificate information of the publicly trusted CAs: Most of the listed CAs can't be found in crt.sh

Re: [FORGED] Re: Configuring Graduated Trust for Non-Browser Consumption

On 2017-05-16 14:24, Michael Casadevall wrote: Maybe a bit out there, but an interesting thought none the less. It would definitely go a good way at preventing one root certificate from underpinning a large chunk of the internet. My thought here is if a large "Too Big to Fail" CA's private key wa