Re: FW: StartCom inclusion request: next steps

2017-09-19 Thread userwithuid via dev-security-policy
On Tue, Sep 19, 2017 at 3:09 PM, Nick Lamb via dev-security-policy wrote: > I have no doubt that this was obvious to people who have worked for a public > CA, but it wasn't obvious to me, so thank you for answering. I think these > answers give us good

Re: Old roots to new roots best practice?

2017-09-19 Thread userwithuid via dev-security-policy
On Monday, September 18, 2017 at 1:58:03 AM UTC, Ryan Sleevi wrote: > I agree, Gerv's remarks are a bit confusing with respect to the concern. > You are correct that the process of establishing a new root generally > involves the creation of a self-signed certificate, and then any > cross-signing

DigiCert mis-issuance report: rekeyed certificates

2017-09-19 Thread Jeremy Rowley via dev-security-policy
Hi all, On Friday, Sep 15, we discovered that 1090 certificates were rekeyed using expired domain validation documents. In each case, the original certificate's domain was properly verified at time of issuance using an approved method. Organization verification properly completed for each

Re: Public trust of VISA's CA

2017-09-19 Thread Matthew Hardeman via dev-security-policy
On Tuesday, September 19, 2017 at 10:13:26 AM UTC-5, Gervase Markham wrote: > >From the above, we see that Visa only issues certificates to their own > customers/clients, and not to the public. They believe that this permits > them to keep confidential details of the certificates which they wish

Re: CAA Certificate Problem Report

2017-09-19 Thread Matthew Hardeman via dev-security-policy
On Tuesday, September 19, 2017 at 10:37:20 AM UTC-5, Gervase Markham wrote: > On 19/09/17 14:58, Nick Lamb wrote: > > An attacker only has to _prefer_ one particular CA for any reason, > > > Yep, fair. > > Gerv Quite true. In the example scenario that I have just posted, such preference

Re: Audit Reminder Email Summary

2017-09-19 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of September 2017 Audit Reminder Emails Date: Tue, 19 Sep 2017 19:00:08 + (GMT) Mozilla: Overdue Audit Statements Root Certificates: Autoridad de Certificacion Firmaprofesional CIF A62634068 Standard Audit:

Re: Public trust of VISA's CA

2017-09-19 Thread Gervase Markham via dev-security-policy
On 19/09/17 16:27, Peter Bowen wrote: > I think your statement is a little broad. Every CA only issues > certificates to themselves and their own customers (or as the BRs call > them "Subscribers"). Yes, you are right. "Customers" was the wrong word. Perhaps I rather meant they only issue to

Re: FW: StartCom inclusion request: next steps

2017-09-19 Thread Gervase Markham via dev-security-policy
Hi Inigo, On 15/09/17 17:30, Inigo Barreira wrote: > There wasn´t a lack of integrity and monitoring, of course not. All PKI logs > were and are signed, it´s just the auditors wanted to add the integrity to > other systems which is not so clear that should have this enabled. For > example, if

Re: CAs not compliant with CAA CP/CPS requirement

2017-09-19 Thread Gervase Markham via dev-security-policy
On 15/09/17 09:38, richmoor...@gmail.com wrote: > I suspect many smaller CAs are non-compliant too, for example gandi's CPS > hasn't changed since 2009 according to its changelog. > > https://www.gandi.net/static/docs/en/gandi-certification-practice-statement.pdf Thank you for bringing this to

Re: CAA Certificate Problem Report

2017-09-19 Thread Gervase Markham via dev-security-policy
On 13/09/17 23:57, Matthew Hardeman wrote: > This is especially the case for CAA records, which have an explicit security > function: controlling, at a minimum, who may issue publicly trusted > certificates for a given FQDN. I'd be interested in your engagement on my brief threat modelling; it

Re: CAA Certificate Problem Report

2017-09-19 Thread Gervase Markham via dev-security-policy
Hi Nick, On 13/09/17 20:39, Nick Lamb wrote: > Gerv, rather than start by digging into the specific technical details, let > me ask a high level question. > > Suppose I have deployed DNSSEC for my domain tlrmx.org and I have a CAA > record saying to only permit the non-existent Gotham

Re: FW: StartCom inclusion request: next steps

2017-09-19 Thread Gervase Markham via dev-security-policy
Hi Franck, On 18/09/17 15:49, Franck Leroy wrote: > Our understanding in April was that as long as StartCom is not > allowed by Certinomis to issue EE certs, the disclosure was not > mandated immediately. I think that we need to establish a timeline of the exact events involved here. But I

Re: FW: StartCom inclusion request: next steps

2017-09-19 Thread Gervase Markham via dev-security-policy
On 15/09/17 15:35, Inigo Barreira wrote: > No, those weren´t tests. We allowed the use of curves permitted by the BRs > but this issue came up in the mozilla policy (I think Arkadiusz posted) and I > also asked about it in the last CABF F2F (I asked Ryan about it) and then, > with that outcome