Re: DigiCert-Symantec Announcement

2017-08-03 Thread Peter Kurrasch via dev-security-policy
I agree with the high-level concepts, although I would probably like to add something about "being good stewards of technologies that play a critical role in the global economy." (Feel free to use your own

Re: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread J.C. Jones via dev-security-policy
On 8/3/17 5:27 PM, Kathleen Wilson via dev-security-policy wrote: > On Thursday, August 3, 2017 at 4:34:27 PM UTC-7, Ryan Sleevi wrote: > In bug #1311832 there is a note about cross-signing: > "[1] The new (replacement) root certificates may be cross-signed by the > Affected Roots. However, the

Re: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Matt Palmer via dev-security-policy
On Thu, Aug 03, 2017 at 08:47:17AM +, Inigo Barreira via dev-security-policy wrote: > And what I don't understand are those comments of "very sloppy issuance > practices", "many non-BR compliants", "specially given the historic issues > with StartCom" and consider them very unfair. These are

Re: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Matt Palmer via dev-security-policy
On Thu, Aug 03, 2017 at 11:20:19AM +, Inigo Barreira via dev-security-policy wrote: > We're revoking all those unrevoked certs to avoid any more problems. Revoking problematic certificates doesn't avoid any problems. The problems have already been created. > Regarding the pre-certs, yes, I

Re: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Matt Palmer via dev-security-policy
On Thu, Aug 03, 2017 at 01:43:08PM -0700, Kathleen Wilson via dev-security-policy wrote: > However, I think it is fine for Certinomis to cross-sign with new StartCom > subCA certs, as long as Certinomis ensures that Mozilla's Root Store > Policy is being followed. ... which they didn't. So

RE: DigiCert-Symantec Announcement

2017-08-03 Thread Jeremy Rowley via dev-security-policy
Hey Peter, I think the Mozilla and Google plans both stand as-is, although they probably need an update based on this announcement. I'm hoping that the high-level concepts remain unchanged: - Migrate to a new infrastructure - Audit the migration and performance to ensure

Re: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Matt Palmer via dev-security-policy
On Thu, Aug 03, 2017 at 05:27:03PM -0700, Kathleen Wilson via dev-security-policy wrote: > Along this line of discussion, I have not felt comfortable with StartCom's > current root inclusion request (bug #1381406), because Hanno raised a > concern about the private key used by the new root is

RE: DigiCert-Symantec Announcement

2017-08-03 Thread Jeremy Rowley via dev-security-policy
We aren't sure at this point. DigiCert already runs two (almost three) logs. Symantec runs two logs. Although CT plans are still under discussion, I don't think the ecosystem needs four CT logs operated by a single CA. Regardless, we'll do whatever is best to support CT and the DigiCert and

RE: DigiCert-Symantec Announcement

2017-08-03 Thread Jeremy Rowley via dev-security-policy
Hi Doug, We are confident in our ability to hit the deadlines set by both Mozilla and Google. Our understanding is that all new validations will be done by DigiCert on Dec 1, 2017. We plan to start re-validating information as soon as practical under the Sub CA agreement. Our mutual goal is to

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-08-03 Thread Matt Palmer via dev-security-policy
On Thu, Aug 03, 2017 at 02:38:33PM +, Ben Wilson via dev-security-policy wrote: > Here is the response from Intesa Sanpaolo concerning the disruption that > revocation will cause to their banking operations: [...] > Concerning the CA revocation, first of all, I want to underline that for us

Re: DigiCert-Symantec Announcement

2017-08-03 Thread Jakob Bohm via dev-security-policy
On 02/08/2017 23:12, Jeremy Rowley wrote: Hi everyone, Today, DigiCert and Symantec announced that DigiCert is acquiring the Symantec CA assets, including the infrastructure, personnel, roots, and platforms. At the same time, DigiCert signed a Sub CA agreement wherein we will validate and

Re: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Kathleen Wilson via dev-security-policy
On Thursday, August 3, 2017 at 4:34:27 PM UTC-7, Ryan Sleevi wrote: > I do hope you can clarify whether remediations apply to keys operated by > organizations, or whether they apply to the organization themselves. https://bugzilla.mozilla.org/show_bug.cgi?id=1311832 says: "StartCom may apply

Re: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Ryan Sleevi via dev-security-policy
On Friday, August 4, 2017 at 8:02:16 AM UTC+9, Kathleen Wilson wrote: > On Thursday, August 3, 2017 at 3:09:25 PM UTC-7, Kurt Roeckx wrote: > > I would really like to see that they have at least opened a bug to > > request the inclusion of that CA before it's cross-signed. > > Here's StartCom's

Re: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Kathleen Wilson via dev-security-policy
On Thursday, August 3, 2017 at 3:09:25 PM UTC-7, Kurt Roeckx wrote: > I would really like to see that they have at least opened a bug to > request the inclusion of that CA before it's cross-signed. Here's StartCom's current root inclusion request:

Re: Remove old WoSign root certs from NSS

2017-08-03 Thread Kathleen Wilson via dev-security-policy
On Monday, July 10, 2017 at 12:47:31 PM UTC-7, Kathleen Wilson wrote: > I also think we should remove the old WoSign root certs from NSS. > > Reference: > https://wiki.mozilla.org/CA/Additional_Trust_Changes#WoSign > ~~ > Mozilla currently recommends not trusting any certificates issued by this

Re: DigiCert-Symantec Announcement

2017-08-03 Thread Jeremy Rowley via dev-security-policy
I believe all of the non expired CAs listed are in scope. > On Aug 2, 2017, at 7:44 PM, Peter Bowen wrote: > > On Wed, Aug 2, 2017 at 2:12 PM, Jeremy Rowley via dev-security-policy > wrote: >> Today, DigiCert and Symantec announced that

Re: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Kurt Roeckx via dev-security-policy
On Thu, Aug 03, 2017 at 01:43:08PM -0700, Kathleen Wilson via dev-security-policy wrote: > On Thursday, August 3, 2017 at 9:49:41 AM UTC-7, Jonathan Rudenberg wrote: > > Even absent the BR-violating certificates and disclosure timeline, I > > believe this cross-sign is problematic because it

RE: DigiCert-Symantec Announcement

2017-08-03 Thread Doug Beattie via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+doug.beattie=globalsign@lists.mozilla.org] On Behalf Of > Jeremy Rowley via dev-security-policy > Sent: Wednesday, August 2, 2017 10:54 PM > To: Peter Kurrasch ;

Re: DigiCert-Symantec Announcement

2017-08-03 Thread Santhan Raj via dev-security-policy
On Wednesday, August 2, 2017 at 6:44:51 PM UTC-7, Peter Bowen wrote: > On Wed, Aug 2, 2017 at 2:12 PM, Jeremy Rowley via dev-security-policy > wrote: > > Today, DigiCert and Symantec announced that DigiCert is acquiring the > > Symantec CA assets, including

Re: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Jonathan Rudenberg via dev-security-policy
> On Aug 3, 2017, at 12:26, Kathleen Wilson via dev-security-policy > wrote: > > All, > > I have conflicting opinions about this situation: > > On the one hand, I want to see better behavior, and am inclined to add these > two intermediate certs to

Re: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Kathleen Wilson via dev-security-policy
All, I have conflicting opinions about this situation: On the one hand, I want to see better behavior, and am inclined to add these two intermediate certs to OneCRL, and tell StartCom and Certinomis to start over and do things right. On the other hand, I'm not convinced yet that the issued

RE: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Inigo Barreira via dev-security-policy
Thanks Jonathan Yes, I answered after just looking quickly about the main issues not focusing on the different sizes, etc. As you can see in the post, we have revoked all of them. Best regards Iñigo Barreira CEO StartCom CA Limited -Original Message- From: Jonathan Rudenberg

Re: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Jonathan Rudenberg via dev-security-policy
> On Aug 3, 2017, at 04:47, Inigo Barreira via dev-security-policy > wrote: > > For those which are not revoked are due to use different curves (P-384, > P-521) that have been discussed in the mozilla m.d.s.p as well as the CAB > Forum and there's no

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-08-03 Thread Alex Gaynor via dev-security-policy
Ouch. Thanks for clarifying. Alex On Thu, Aug 3, 2017 at 10:46 AM, Ben Wilson wrote: > There are over 300 publicly visible servers, according to Censys.IO. > > > > *From:* Alex Gaynor [mailto:agay...@mozilla.com] > *Sent:* Thursday, August 3, 2017 8:42 AM > *To:* Ben

RE: Certificate with invalid dnsName issued from Baltimore intermediate

2017-08-03 Thread Ben Wilson via dev-security-policy
There are over 300 publicly visible servers, according to Censys.IO. From: Alex Gaynor [mailto:agay...@mozilla.com] Sent: Thursday, August 3, 2017 8:42 AM To: Ben Wilson Cc: Nick Lamb ; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re:

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-08-03 Thread Alex Gaynor via dev-security-policy
If I'm reading this correctly, these certificates are for internal services, not publicly accessible. Could they add their intermediate directly to these trust stores, allowing you to revoke it? Failing that, it sounds like OneCRL would be an appropriate remedy. Alex On Thu, Aug 3, 2017 at

RE: Certificate with invalid dnsName issued from Baltimore intermediate

2017-08-03 Thread Ben Wilson via dev-security-policy
Nick and Mozilla Community, Here is the response from Intesa Sanpaolo concerning the disruption that revocation will cause to their banking operations: Good Evening Ben, About the problem with the certificate you recently notified us, I confirm to you that we have replaced the certificates

RE: Certificate with invalid dnsName issued from Baltimore intermediate

2017-08-03 Thread Ben Wilson via dev-security-policy
That would be fine. Also, we have given Intesa Sanpaolo a scheduled revocation date of 15 August 2017, and I'm waiting to hear back. -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+ben=digicert@lists.mozilla.org] On Behalf Of Nick Lamb via

Re: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Alex Gaynor via dev-security-policy
From RFC6962: The signature on the TBSCertificate indicates the certificate authority's intent to issue a certificate. This intent is considered binding (i.e., misissuance of the Precertificate is considered equal to misissuance of the final certificate). I don't think this text could be any

Re: DigiCert-Symantec Announcement

2017-08-03 Thread Alex Gaynor via dev-security-policy
Hi Jeremy, Will the certificates being issued for Symantec starting December 1st be issued under the existing DC roots, or under new roots? Alex On Wed, Aug 2, 2017 at 5:12 PM, Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Hi everyone, > > > > Today,

RE: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Inigo Barreira via dev-security-policy
We're revoking all those unrevoked certs to avoid any more problems. Regarding the pre-certs, yes, I was aware of the discussion. As Gerv says there's a binding statement of "intent" ... the problem with these is that we generated the pre-certs and logged in the CT log, where crt.sh looks or

RE: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Nick Lamb via dev-security-policy
1. It is well established that logging pre-certs constitutes "issuance" for purposes of policy compliance. If you wouldn't issue it, don't log it. Not difficult. And this isn't new. 2. When a new path comes into existence in the Web PKI you don't need to explicitly "use" it as a CA, the

Re: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Patrick Figel via dev-security-policy
On 03/08/2017 10:47, Inigo Barreira via dev-security-policy wrote: > 1. The un-revoked test certificates are those pre-sign ones with uncompleted > ctlog. So they are not completed certificates. > https://crt.sh/?opt=cablint=134843670 > https://crt.sh/?opt=cablint=134843674 >

RE: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Inigo Barreira via dev-security-policy
Hi, this is my reply in the bugzilla: Hi all, what Franck is saying is true and we haven't started to issue any cert using this new path. Regarding the info that is in this bug I'm really shocked because the majority of them are revoked and don't understand why they have been included here. For

Re: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Franck Leroy via dev-security-policy
Hello, the 2 CA certificates signed by Certinomis have been retained till a full successful webtrust audit. At the end of June the audit report from PwC was available but with still some minor issues. I asked StartCom to correct them. On July 14th the audit report and the policy were updated and

Re: TunRootCA2 root inclusion request

2017-08-03 Thread Olfa Kaddachi via dev-security-policy
Dear Gerv, Given that some of these are BR requirements, why were these controls not in place already? ==> Some of these controls are already in place (such as the field CN and Subject Alternative Name that does not contain a private IP address). In addition to that NDCA has implemented a

Re: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread okaphone.elektronika--- via dev-security-policy
On Thursday, 3 August 2017 02:12:18 UTC+2, Matt Palmer wrote: > On Wed, Aug 02, 2017 at 06:38:44PM -0400, Jonathan Rudenberg via > dev-security-policy wrote: > > I think the correct response is to add both intermediates to OneCRL > > immediately, especially given the historic issues with