Re: Regarding CA requirements as to technical infrastructure utilized in automated domain validations, etc. (if any)

2017-07-20 Thread Matthew Hardeman via dev-security-policy
On Thursday, July 20, 2017 at 3:32:29 PM UTC-5, Ryan Sleevi wrote: > Broadly, yes, but there's unfortunately a shade of IP issues that make it > more difficult to contribute as directly as Gerv proposed. Gerv may accept > any changes to the Mozilla side, but if the goal is to modify the Baseline

Re: Regarding CA requirements as to technical infrastructure utilized in automated domain validations, etc. (if any)

2017-07-20 Thread Matthew Hardeman via dev-security-policy
On Thursday, July 20, 2017 at 8:13:23 PM UTC-5, Nick Lamb wrote: > On Friday, 21 July 2017 01:13:15 UTC+1, Matthew Hardeman wrote: > > As easily as that, one could definitely get a certificate issued without > > breaking most of the internet, without leaving much of a trace, and without > >

Re: Regarding CA requirements as to technical infrastructure utilized in automated domain validations, etc. (if any)

2017-07-20 Thread Nick Lamb via dev-security-policy
On Friday, 21 July 2017 01:13:15 UTC+1, Matthew Hardeman wrote: > As easily as that, one could definitely get a certificate issued without > breaking most of the internet, without leaving much of a trace, and without > failing domain validation. One trace this would leave, if done using Let's

Re: Regarding CA requirements as to technical infrastructure utilized in automated domain validations, etc. (if any)

2017-07-20 Thread Ryan Sleevi via dev-security-policy
On Thu, Jul 20, 2017 at 8:13 PM, Matthew Hardeman via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > My purpose in writing this was to illustrate just how easily someone with > quite modest resources and the right skill set can presently overcome the > technical checks of

Re: Regarding CA requirements as to technical infrastructure utilized in automated domain validations, etc. (if any)

2017-07-20 Thread Matthew Hardeman via dev-security-policy
One (Hypothetical) Concrete Example of a Practical DNS Validation Attack: (Author's note: I've chosen for this example to utilize the Let's Encrypt CA as the Certificate Authority involved and I have chosen as a target for improper validation the domain eff.org. Neither of these is in any way

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2017-07-20 Thread Kathleen Wilson via dev-security-policy
Thanks to all of you who reviewed and commented on this request from Guangdong Certificate Authority (GDCA) to include the GDCA TrustAUTH R5 ROOT certificate, turn on the Websites trust bit, and enable EV treatment. I believe that all of the concerns that were raised in this discussion have

RE: dNSName containing '/' / low serial number entropy

2017-07-20 Thread Stephen Davidson via dev-security-policy
Hello: Siemens Issuing CA Internet Server 2016 was taken offline upon this report while Siemens and QuoVadis investigate. It will not issue certificates until the problem is resolved. Kind regards, Stephen Davidson QuoVadis -Original Message- From: dev-security-policy

Re: Regarding CA requirements as to technical infrastructure utilized in automated domain validations, etc. (if any)

2017-07-20 Thread Matthew Hardeman via dev-security-policy
On Thursday, July 20, 2017 at 9:39:40 AM UTC-5, Gervase Markham wrote: > Your point, in the abstract, is a reasonable one, but so is your further > point about trade-offs. The only way we can really make progress is for > you to propose specific changes to the language, and we can then discuss >

RE: Certificate with invalid dnsName

2017-07-20 Thread Stephen Davidson via dev-security-policy
Hello: Thanks for pointing these out. Regarding the two problematic certificates noted below chained to QuoVadis: Changes were made to our systems last year dealing with these very issues, and it appears that these remaining certificates were not revoked. They will now be revoked. Leading hyphens

Re: Symantec Update on SubCA Proposal

2017-07-20 Thread Gervase Markham via dev-security-policy
Hi Steve, Thanks for posting this. I appreciate the level of detail provided, which is useful in giving us a basis for discussion. It's a little regrettable, though, that it was published a couple of weeks after we were led to expect it... One note before we start: Symantec's business dealings

Faking a key compromise event with franken-keys

2017-07-20 Thread J.C. Jones via dev-security-policy
All, Today Hanno Böck blogged about performing surgery on ASN.1-encoded RSA private keys to make them appear to correspond to a target certificate's public key, and using the franken-key file to appear to legitimately hold the private key of that target certificate.

Re: Certificate with invalid dnsName issued from Baltimore

2017-07-20 Thread Myers, Kenneth (10421) via dev-security-policy
I've contacted the DHS PKI PMO and informed the DoD PKI PMO of the mis-issued certificates. Kenneth Myers Supporting the GSA Federal PKI Management Authority Manager Protiviti | 1640 King Street | Suite #400 | Alexandria | VA 22314 US | Protiviti.com NOTICE: Protiviti is a global consulting

RE: Validation of Domains for secure email certificates

2017-07-20 Thread Doug Beattie via dev-security-policy
Hi Gerv, OK, I see your point. We'll come up with what we think are reasonable methods and document that in the CPS. That should work better than Gerv's vacation thoughts! Doug > -Original Message- > From: dev-security-policy [mailto:dev-security-policy- >

Re: Regarding CA requirements as to technical infrastructure utilized in automated domain validations, etc. (if any)

2017-07-20 Thread Jakob Bohm via dev-security-policy
On 20/07/2017 16:39, Gervase Markham wrote: On 18/07/17 17:51, Matthew Hardeman wrote: The broader point I wish to make is that much can be done to improve the strength of the various subset of the 10 methods which do rely solely on network reliant automated validation methodologies. The

Re: Validation of Domains for secure email certificates

2017-07-20 Thread Jakob Bohm via dev-security-policy
On 20/07/2017 14:04, Doug Beattie wrote: Gerv, In general, it is common to have an S/MIME certificate for an e-mail account that does *not* belong to the domain owner. This is especially true if the domain is a public/shared/ISP e-mail domain and is set up to allow some way for the e-mail

RE: [EXT] Symantec Update on SubCA Proposal

2017-07-20 Thread Steve Medin via dev-security-policy
1) December 1, 2017 is the earliest credible date that any RFP respondent can provide the Managed CA solution proposed by Google, assuming a start date of August 1, 2017. Only one RFP respondent initially proposed a schedule targeting August 8, 2017 (assuming a start date of June 12,

Re: Validation of Domains for secure email certificates

2017-07-20 Thread Gervase Markham via dev-security-policy
Hi Doug, On 20/07/17 13:04, Doug Beattie wrote: > Since there is no BR equivalent for issuance of S/MIME certificates (yet), > this is all CAs have to go on. I was curious if you agree that all of these > methods meet the above requirement: As you might imagine, this question puts me in a

RE: [EXT] Symantec Update on SubCA Proposal

2017-07-20 Thread Steve Medin via dev-security-policy
We believe our proposed dates reflect an aggressive but achievable period of time to implement the SubCA proposal and allow impacted organizations the time needed to replace, test and operationalize replacement certificates in their infrastructure to mitigate interoperability and compatibility

RE: [EXT] Symantec Update on SubCA Proposal

2017-07-20 Thread Steve Medin via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > David E. Ross via dev-security-policy > Sent: Wednesday, July 19, 2017 12:48 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject:

RE: [EXT] Symantec Update on SubCA Proposal

2017-07-20 Thread Steve Medin via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > Jakob Bohm via dev-security-policy > Sent: Wednesday, July 19, 2017 12:22 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re:

Re: Miss-issuance: URI in dNSName SAN

2017-07-20 Thread Gervase Markham via dev-security-policy
On 19/07/17 14:53, Alex Gaynor wrote: > I'd like to report the following instance of miss-issuance: Thank you. Again, I have drawn this message to the attention of the CAs concerned (Government of Venezuela and Camerfirma). Gerv

Re: dNSName containing '/' / low serial number entropy

2017-07-20 Thread Gervase Markham via dev-security-policy
On 18/07/17 23:25, Charles Reiss wrote: > https://crt.sh/?id=174827359 is a certificate issued by D-TRUST SSL I'm supposed to be on holiday :-), but I have emailed the 3 CAs concerned drawing these issues to their attention, and asking them to comment here when they have discovered the cause.

Re: Regarding CA requirements as to technical infrastructure utilized in automated domain validations, etc. (if any)

2017-07-20 Thread Gervase Markham via dev-security-policy
On 18/07/17 17:51, Matthew Hardeman wrote: > The broader point I wish to make is that much can be done to improve the > strength of the various subset of the 10 methods which do rely solely on > network reliant automated validation methodologies. The upside would be a > significant,

Re: How long to resolve unaudited unconstrained intermediates?

2017-07-20 Thread Gervase Markham via dev-security-policy
On 12/07/17 21:18, Ben Wilson wrote: > For CAs with emailProtection and proper name constraints, where would such > CAs appear in > https://crt.sh/mozilla-disclosures? > >

Validation of Domains for secure email certificates

2017-07-20 Thread Doug Beattie via dev-security-policy
Gerv, Mozilla Policy 2.5 states this: For a certificate capable of being used for digitally signing or encrypting email messages, the CA takes reasonable measures to verify that the entity submitting the request controls the email account associated with the email address referenced in

RE: Certificate with invalid dnsName

2017-07-20 Thread Inigo Barreira via dev-security-policy
Thanks for this info. These Startcom certs were issued from the old system. We'll contact the users and act accordingly. Best regards Iñigo Barreira CEO StartCom CA Limited -Original Message- From: dev-security-policy