RE: Certificates with less than 64 bits of entropy

2017-08-12 Thread Ben Wilson via dev-security-policy
They are working on the issue and preparing a report. From: Eric Mill [mailto:e...@konklone.com] Sent: Saturday, August 12, 2017 9:03 PM To: Ben Wilson Cc: Alex Gaynor ; Jonathan Rudenberg ;

Re: Certificates with less than 64 bits of entropy

2017-08-12 Thread Eric Mill via dev-security-policy
If they're not going to revoke within 24 hours and willingly violate that part of the policy, I would at least expect them to, within that 24 hours, produce a description of why this happened, what they're doing to fix it, and when they expect the certificates to be replaced (along with an

RE: Certificates with reserved IP addresses

2017-08-12 Thread Ben Wilson via dev-security-policy
We’ll look into these on Monday and get back to you. From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: Saturday, August 12, 2017 8:56 PM To: Ben Wilson Cc: Jonathan Rudenberg ; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re:

More certificates with invalid dnsNames

2017-08-12 Thread Jonathan Rudenberg via dev-security-policy
I’ve found 54 additional unexpired unrevoked certificates that are known to CT and trusted by NSS containing dnsNames that are invalid. The errors include invalid characters, internal names, and wildcards in the wrong position. The full list is here: https://misissued.com/batch/8/ There are a

Re: Certificates with reserved IP addresses

2017-08-12 Thread Ryan Sleevi via dev-security-policy
Do you have an estimate on when you can provide an explanation to the community about how/why this happened, how many certificates it affected, and what steps DigiCert is taking to prevent these issues in the future? Do you have details about why DigiCert failed to detect these, and what steps

RE: Certificates with reserved IP addresses

2017-08-12 Thread Jeremy Rowley via dev-security-policy
The CTJ one was issued in 2013 and is a five year cert (which was also prohibited under the BRs at that time). It should have been revoked much earlier, of course. -Original Message- From: dev-security-policy

Re: 2017.08.10 Let's Encrypt Unicode Normalization Compliance Incident

2017-08-12 Thread Eric Mill via dev-security-policy
On Fri, Aug 11, 2017 at 5:20 PM, Matthew Hardeman via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > If one integrates a project like certlint/cablint into the cert issuance > pipeline, one suddenly takes on supplemental responsibility for certlint's > bugs or changes. >

Re: Certificates with reserved IP addresses

2017-08-12 Thread Peter Bowen via dev-security-policy
Congratulations on finding something not caught by certlint. It turns out that cabtlint does zero checks for reserved IPs. Something else for my TODO list. On Sat, Aug 12, 2017 at 6:52 PM, Jonathan Rudenberg via dev-security-policy wrote: > Baseline

RE: Certificates with reserved IP addresses

2017-08-12 Thread Ben Wilson via dev-security-policy
Thanks. We've sent an email to the operators of the first two CAs (TI Trust Technologies and Cybertrust Japan) that they need to revoke those certificates. Thanks again, Ben -Original Message- From: dev-security-policy

Certificates with reserved IP addresses

2017-08-12 Thread Jonathan Rudenberg via dev-security-policy
Baseline Requirements section 7.1.4.2.1 prohibits ipAddress SANs from containing IANA reserved IP addresses and any certificates containing them should have been revoked by 2016-10-01. There are seven unexpired unrevoked certificates that are known to CT and trusted by NSS containing reserved

Re: Symantec Update on SubCA Proposal

2017-08-12 Thread Nick Lamb via dev-security-policy
One good thing we should be able to hope for from a change in ownership even if the personnel and equipment are the same or a great deal in common: improved management oversight. In my view the most worrying underlying problem at Symantec was the inadequate oversight. Senior management at the

Re: TrustCor root inclusion request

2017-08-12 Thread Neil Dunbar via dev-security-policy
Andrew. Thank you for the review, comments and questions on TrustCor's policy documents. We are in the process of reviewing your comments and formulating a response to each. We will provide our response and updates before EOB Tuesday, August 15th, published to this discussion list. Have

Re: Symantec Update on SubCA Proposal

2017-08-12 Thread wizard--- via dev-security-policy
Steve, Thank you for responding relatively promptly (at least as compared to previous Symantec responses) to Devon's questions. However, these responses seem to imply that a side effect of the sale *is* to skirt the remediation requirements imposed by Google and Mozilla. In particular, the