Re: WoSign new system passed Cure 53 system security audit

2017-07-12 Thread Richard Wang via dev-security-policy
Hi Ryan, We got confirmation from Cure 53 that new system passed the full security audit. Please contact Cure 53 directly to verify this, thanks. We don't start the BR audit now. Best Regards, Richard On 12 Jul 2017, at 22:09, Ryan Sleevi wrote:

Re: How long to resolve unaudited unconstrained intermediates?

2017-07-12 Thread Kurt Roeckx via dev-security-policy
On Wed, Jul 12, 2017 at 12:12:13PM -0400, Ryan Sleevi wrote: > Consider, for example, a client that does not support path discovery > (which, for example, includes most actively-deployed OpenSSL versions). If > one were to extract certdata.txt into trust and distrust records, with the

RE: How long to resolve unaudited unconstrained intermediates?

2017-07-12 Thread Ben Wilson via dev-security-policy
Even though I have until 15-Jan-2018 to comply, I have uploaded a few CAs where EKU contains emailProtection, and here a few more questions. For CAs with emailProtection and proper name constraints, where would such CAs appear in

Re: How long to resolve unaudited unconstrained intermediates?

2017-07-12 Thread Ryan Sleevi via dev-security-policy
On Wed, Jul 12, 2017 at 10:40 AM, Kurt Roeckx via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 2017-07-12 16:12, Ryan Sleevi wrote: > >> I don't know if this currently happens, but I would like to see all CA >>> certificates that are in OneCRL but are not revoked to be

Re: How long to resolve unaudited unconstrained intermediates?

2017-07-12 Thread Kurt Roeckx via dev-security-policy
On 2017-07-12 16:12, Ryan Sleevi wrote: I don't know if this currently happens, but I would like to see all CA certificates that are in OneCRL but are not revoked to be added to the root store as distrusted too. Why? I can share reasons why it might not be desirable, but rather than start out

Leaking private keys through web servers

2017-07-12 Thread Hanno Böck via dev-security-policy
Hello, I recently did an investigation where I tried to simply download private keys from web servers with common filenames. I collected these filenames simply from common tutorials on the web (server.key, privatekey.key, myserver.key, key.pem and [hostname].key with and without www). In several

Re: How long to resolve unaudited unconstrained intermediates?

2017-07-12 Thread Ryan Sleevi via dev-security-policy
On Wed, Jul 12, 2017 at 6:03 AM, Kurt Roeckx via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 2017-07-11 15:56, Nick Lamb wrote: > >> On Tuesday, 11 July 2017 10:56:43 UTC+1, Kurt Roeckx wrote:> >> >>> So at least some of them have been notified more than 3 months

Re: WoSign new system passed Cure 53 system security audit

2017-07-12 Thread Ryan Sleevi via dev-security-policy
On Tue, Jul 11, 2017 at 8:18 PM, Richard Wang wrote: > Hi all, > > Your reported BR issues is from StartCom, not WoSign, we don't use the new > system to issue any certificate now since the new root is not generated. > PLEASE DO NOT mix it, thanks. > > Best Regards,

Re: How long to resolve unaudited unconstrained intermediates?

2017-07-12 Thread Kurt Roeckx via dev-security-policy
On 2017-07-11 15:56, Nick Lamb wrote: On Tuesday, 11 July 2017 10:56:43 UTC+1, Kurt Roeckx wrote:> So at least some of them have been notified more than 3 months ago, and a bug was filed a month later. I think you already gave them too much time to at least respond to it, and suggest that you