Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-14 Thread Eric Mill via dev-security-policy
On Fri, Aug 11, 2017 at 4:43 PM, identrust--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Thursday, August 10, 2017 at 11:51:54 PM UTC-4, Eric Mill wrote: > > On Thu, Aug 10, 2017 at 11:34 AM, identrust--- via dev-security-policy < > >

Re: TrustCor root inclusion request

2017-08-14 Thread Jakob Bohm via dev-security-policy
On 14/08/2017 21:48, Andrew Ayer wrote: On Mon, 14 Aug 2017 20:27:05 +0100 Neil Dunbar via dev-security-policy wrote: Note that TrustCor is capable of removing SHA-1 as a signature hash on OCSP responses, if the community determines it presents risk to

RE: Symantec Update on SubCA Proposal

2017-08-14 Thread Jeremy Rowley via dev-security-policy
Hi Jakob, Your below description raises two questions of general interest (though not of interest to the Mozilla root program): 1. Will DigiCert establish cross-signatures from the old/historic Symantec roots to continuing DigiCert roots and subCAs? [JR] We won’t be cross-signing from

New undisclosed Camerfirma intermediates

2017-08-14 Thread Jonathan Rudenberg via dev-security-policy
Two intermediates issued by AC Camerfirma that are not disclosed in the CCADB were logged today: - https://crt.sh/?sha256=201c0617cc3310c7f29fcbe46b57459bc6786a8ba2753018eb27c1e800168a2e&opt=mozilladisclosure (issued on 2017-05-25) -

Re: Certificate issued by D-TRUST SSL Class 3 CA 1 2009 with short SerialNumber

2017-08-14 Thread Eric Mill via dev-security-policy
Hi Arno, Martin, On Mon, Aug 14, 2017 at 11:37 AM, Arno Fiedler via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > As result we confirm to do the following steps and report about the > implementation latest until 15-09-2017 > • Contact all effected customers, inform

RE: Certificates with reserved IP addresses

2017-08-14 Thread Jeremy Rowley via dev-security-policy
Hey Ryan, Here's the report from CTJ: Number of affected certificates: One. After receiving the revocation request from DigiCert, CTJ scanned their certificate database for additional certificates. This is the only active certificate with a reserved IP. CTJ issued the

RE: Certificates with reserved IP addresses

2017-08-14 Thread Ben Wilson via dev-security-policy
Dear Ryan, Here is an initial, interim response to your email as it relates to certificates issued by the TI Trust Technologies Global CA. (Jeremy Rowley or I will be sending you a separate email shortly that reports on this issue with regard to Cybertrust Japan.) I will supplement this
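The two replies above describe CAs scanning their databases for further certificates carrying reserved IP addresses. The following is an added example of such a scan, written for this page and not code from CTJ, DigiCert, TI Trust Technologies or any linter mentioned in the thread. It takes subjectAltName entries as (kind, value) pairs, flags iPAddress values that fall in a hand-picked subset of the IANA special-purpose ranges (RFC 1918, RFC 6890 and related), and also flags IP literals placed in a dNSName. The SAN set at the bottom is constructed for the demonstration and is not taken from any real certificate; the list of ranges is an assumption and should be extended to match the linter or policy you actually enforce.

```python
"""Flag reserved / non-public IP addresses in a certificate's subjectAltName.

Added example for this thread, not code from any CA or linter named in it.
RESERVED_NETWORKS is a hand-picked subset of the IANA special-purpose
address registries (RFC 1918, RFC 6890 and successors); extend as needed.
"""
import ipaddress

# Assumed list of ranges a publicly trusted CA must never issue for.
RESERVED_NETWORKS = [ipaddress.ip_network(n) for n in (
    # IPv4
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918 private
    "100.64.0.0/10",    # shared address space (carrier-grade NAT)
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918 private
    "192.0.0.0/24",     # IETF protocol assignments
    "192.0.2.0/24",     # TEST-NET-1
    "192.168.0.0/16",   # RFC 1918 private
    "198.18.0.0/15",    # benchmarking
    "198.51.100.0/24",  # TEST-NET-2
    "203.0.113.0/24",   # TEST-NET-3
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved, including limited broadcast
    # IPv6
    "::/128",           # unspecified
    "::1/128",          # loopback
    "::ffff:0:0/96",    # IPv4-mapped
    "100::/64",         # discard-only
    "2001:db8::/32",    # documentation
    "fc00::/7",         # unique local
    "fe80::/10",        # link-local
    "ff00::/8",         # multicast
)]


def reserved_reason(value):
    """Return the reserved network containing `value` as text, or None if public.

    Raises ValueError if `value` is not an IPv4/IPv6 address literal.
    Membership tests across address families are always False, so a
    v4 address is only ever matched against the v4 networks and vice versa.
    """
    addr = ipaddress.ip_address(value)
    for net in RESERVED_NETWORKS:
        if addr in net:
            return str(net)
    return None


def find_san_problems(san_entries):
    """Scan (kind, value) SAN entries and return a list of (value, problem).

    kind is "DNS" or "IP", the two GeneralName choices a TLS server
    certificate uses. Flags reserved iPAddress values, unparseable
    iPAddress values, and IP literals smuggled into a dNSName entry.
    """
    problems = []
    for kind, value in san_entries:
        if kind == "IP":
            try:
                net = reserved_reason(value)
            except ValueError:
                problems.append((value, "unparseable iPAddress"))
                continue
            if net is not None:
                problems.append((value, f"reserved address in {net}"))
        elif kind == "DNS":
            try:
                ipaddress.ip_address(value.strip("[]"))
            except ValueError:
                continue          # an ordinary hostname; nothing to flag here
            problems.append((value, "IP literal in dNSName"))
    return problems


# Constructed SAN set for the demonstration; not from any real certificate.
SAMPLE_SAN = [
    ("DNS", "www.example.com"),
    ("IP", "198.51.100.20"),    # TEST-NET-2, reserved
    ("IP", "10.1.2.3"),         # RFC 1918, reserved
    ("IP", "192.0.2.1"),        # TEST-NET-1, reserved
    ("IP", "8.8.8.8"),          # public, passes
    ("IP", "2001:db8::1"),      # documentation prefix, reserved
    ("IP", "2606:4700::1111"),  # public, passes
    ("DNS", "192.168.0.10"),    # IP literal where a hostname belongs
]

if __name__ == "__main__":
    for value, why in find_san_problems(SAMPLE_SAN):
        print(f"{value}: {why}")
```

To run this over a real corpus, feed it the SAN entries from each certificate in the issuing database (or from crt.sh output) and treat any non-empty result as a certificate that needs review and, where issued after the Baseline Requirements cutoff, revocation.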

Re: 2017.08.10 Let's Encrypt Unicode Normalization Compliance Incident

2017-08-14 Thread Rob Stradling via dev-security-policy
On 11/08/17 16:40, Nick Lamb via dev-security-policy wrote: On Friday, 11 August 2017 14:19:57 UTC+1, Alex Gaynor wrote: Given that these were all caught by cablint, has Let's Encrypt considered integrating it into your issuance pipeline, or automatically monitoring crt.sh (which runs cablint)

Re: TrustCor root inclusion request

2017-08-14 Thread Andrew Ayer via dev-security-policy
On Mon, 14 Aug 2017 20:27:05 +0100 Neil Dunbar via dev-security-policy wrote: > Note that TrustCor is capable of removing SHA-1 as a signature hash on > OCSP responses, if the community determines it presents risk to the > relying parties. However, this

RE: Certificates with less than 64 bits of entropy

2017-08-14 Thread Ben Wilson via dev-security-policy
As previously noted on this list, there are two Siemens CAs that have issued certificates with less than 64 bits of entropy. See https://misissued.com/batch/6/ The Siemens Issuing CA Internet 2013 is subordinate to a DigiCert-owned root, and the Siemens Issuing CA Internet 2016 is signed by Quo

Re: TrustCor root inclusion request

2017-08-14 Thread Neil Dunbar via dev-security-policy
Andrew, Many thanks for reading and commenting on the policy documents. In order to clarify and correct the issues which you highlight, new versions (at version 1.3.2) of both CP and CPS have been published. A summary of our actions follows. Paragraphs introduced with the text "" indicate our

Re: Certificate issued by D-TRUST SSL Class 3 CA 1 2009 with short SerialNumber

2017-08-14 Thread Jonathan Rudenberg via dev-security-policy
Hi Arno and Martin, > On Aug 14, 2017, at 11:44, Arno Fiedler wrote: > > Dear Forum, > > since the 07-07-2017, all new issued D-TRUST TLS-Certificates have at least > 64 bits of entropy in the serial number. > > Since 01-12-2016 D-TRUST TLS certificates requested

Re: Certificate issued by D-TRUST SSL Class 3 CA 1 2009 with short SerialNumber

2017-08-14 Thread Arno Fiedler via dev-security-policy
Dear Forum, since the 07-07-2017, all new issued D-TRUST TLS-Certificates have at least 64 bits of entropy in the serial number. Since 01-12-2016 D-TRUST TLS certificates requested via our enterprise platform have a serial number which includes at least 64 bits of entropy. We informed the

Re: Symantec Update on SubCA Proposal

2017-08-14 Thread Jakob Bohm via dev-security-policy
Your below description raises two questions of general interest (though not of interest to the Mozilla root program): 1. Will DigiCert establish cross-signatures from the old/historic Symantec roots to continuing DigiCert roots and subCAs? 2. Will DigiCert continue those Symantec services