Re: CAA Certificate Problem Report

2017-09-09 Thread Peter Bowen via dev-security-policy
On Sat, Sep 9, 2017 at 1:59 PM, Andrew Ayer wrote:
> On Sat, 9 Sep 2017 13:53:52 -0700
> Peter Bowen via dev-security-policy wrote:
>
>> On Sat, Sep 9, 2017 at 1:50 PM, Andrew Ayer wrote:
>> >
>> > drill is

Re: Certificate with Debian weak key issued by Let's Encrypt

2017-09-09 Thread josh--- via dev-security-policy
Thank you for bringing this oversight to our attention. The certificate in question has been revoked. The original incident report from July 16 was accidentally considered closed on the basis of a fix for our infrastructure without actually revoking the certificate that led to the report.

Re: CAs not compliant with CAA CP/CPS requirement

2017-09-09 Thread Jeremy Rowley via dev-security-policy
I would have checked Sept 9th as Sept 8th at midnight would be the last possible moment when the CPS could be updated and still be compliant.
> On Sep 9, 2017, at 3:33 PM, Andrew Ayer via dev-security-policy wrote:
>
> On Fri, 8 Sep 2017 15:22:52 -0700

Re: CAA Certificate Problem Report

2017-09-09 Thread Andrew Ayer via dev-security-policy
On Sat, 9 Sep 2017 13:53:52 -0700 Peter Bowen via dev-security-policy wrote:
> On Sat, Sep 9, 2017 at 1:50 PM, Andrew Ayer wrote:
> >
> > drill is buggy and insecure. Obviously, such implementations can be found. Note that

Re: CAA Certificate Problem Report

2017-09-09 Thread Peter Bowen via dev-security-policy
On Sat, Sep 9, 2017 at 1:50 PM, Andrew Ayer wrote:
>
> drill is buggy and insecure. Obviously, such implementations can be found. Note that drill is just a "debugging/query" tool, not a resolver you would actually use in production. You'll find that the

Re: CAA Certificate Problem Report

2017-09-09 Thread Peter Bowen via dev-security-policy
On Sat, Sep 9, 2017 at 11:50 AM, Andrew Ayer wrote:
> On Sat, 9 Sep 2017 08:49:01 -0700
> Peter Bowen via dev-security-policy wrote:
>
>> On Sat, Sep 9, 2017 at 3:57 AM, Jonathan Rudenberg wrote:
>> >
>> >>

Certificate with Debian weak key issued by Let's Encrypt

2017-09-09 Thread Hanno Böck via dev-security-policy
Hi,

A while ago I tested how some CAs would react to certificate requests with Debian weak keys. I was able to get a certificate from Let's Encrypt with a Debian weak key. Here it is: https://crt.sh/?id=173588030

I reported this to Let's Encrypt. They told me that they are aware they weren't

Re: CAs not compliant with CAA CP/CPS requirement

2017-09-09 Thread Andrew Ayer via dev-security-policy
On Fri, 8 Sep 2017 15:22:52 -0700 (PDT) Andy Warner via dev-security-policy wrote:
> Google Trust Services published updated CP & CPS versions earlier today covering CAA checking. I'd suggest checking all CAs again tomorrow. Given the range of timezones

Re: CAA Certificate Problem Report

2017-09-09 Thread Andrew Ayer via dev-security-policy
On Sat, 9 Sep 2017 06:57:39 -0400 Jonathan Rudenberg via dev-security-policy wrote:
>
> > On Sep 9, 2017, at 06:19, Peter Bowen via dev-security-policy wrote:
> >
> > In all three of these cases, the "domain's

Re: CAA Certificate Problem Report

2017-09-09 Thread Peter Bowen via dev-security-policy
On Sat, Sep 9, 2017 at 3:57 AM, Jonathan Rudenberg wrote:
>
>> On Sep 9, 2017, at 06:19, Peter Bowen via dev-security-policy wrote:
>>
>> In all three of these cases, the "domain's zone does not have a DNSSEC validation chain

Re: CAs not compliant with CAA CP/CPS requirement

2017-09-09 Thread identrust--- via dev-security-policy
On Friday, September 8, 2017 at 5:57:44 PM UTC-4, Jeremy Rowley wrote:
> Hi Andrew,
>
> I'm not certain how to update the previous Mozilla response with respect to CAA, but we added the following as authorized CAA records:
> Digicert.com
> *.digicert
> Digicert.net.jp
> Cybertrust.net.jp
>

Re: CAA Certificate Problem Report

2017-09-09 Thread Jonathan Rudenberg via dev-security-policy
> On Sep 9, 2017, at 06:19, Peter Bowen via dev-security-policy wrote:
>
> In all three of these cases, the "domain's zone does not have a DNSSEC validation chain to the ICANN root" -- I requested SOA, DNSKEY, NS, and CAA record types for each zone

Re: CAA Certificate Problem Report

2017-09-09 Thread Jonathan Rudenberg via dev-security-policy
For reference, here is the relevant bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1398428
> On Sep 9, 2017, at 05:21, Jeremy Rowley via dev-security-policy wrote:
>
> big.basic.caatestsuite.com
>
> [JR] We only check CAA records with UDP to keep

Re: CAA Certificate Problem Report

2017-09-09 Thread Peter Bowen via dev-security-policy
> Certificate 3 contains a single DNS identifier for refused.caatestsuite-dnssec.com
> Attempts to query the CAA record for this DNS name result in a REFUSED DNS response. Since there is a DNSSEC validation chain from this zone to the ICANN root, CAs are not permitted to treat the lookup

Re: CAs not compliant with CAA CP/CPS requirement

2017-09-09 Thread Andy Warner via dev-security-policy
Google Trust Services published updated CP & CPS versions earlier today covering CAA checking. I'd suggest checking all CAs again tomorrow. Given the range of timezones CA operational staff operate across, some may not have had a chance to publish their updates yet. In terms of the 'rush' I

Re: PROCERT issues

2017-09-09 Thread PSC Procert via dev-security-policy
Good Afternoon

In order to answer the points of the wiki, we make the following explanations:

Issue D: URI in CN and dnsName SAN (December 2016)

Procert: Based on internal tests and validation, we contacted the client, asked for a new CSR, and proceeded to revoke and reissue the

CAA Certificate Problem Report

2017-09-09 Thread Jeremy Rowley via dev-security-policy
Hi everyone, We received a certificate problem report at 11 pm on Sep 8, 2017 from Andrew Ayer alleging the mis-issuance of 6 certificates because of a failure to properly verify CAA records. I'm sharing the report here because there are questions about CAA record checking that we feel