Re: Mozilla RSA-PSS policy

2017-12-01 Thread Ryan Sleevi via dev-security-policy
On Fri, Dec 1, 2017 at 12:34 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 01/12/2017 17:06, Ryan Sleevi wrote: > >> On Fri, Dec 1, 2017 at 10:33 AM, Jakob Bohm via dev-security-policy < >> dev-security-policy@lists.mozilla.org> wrote: >> >>> >>>

Re: Mozilla RSA-PSS policy

2017-12-01 Thread Ryan Sleevi via dev-security-policy
On Fri, Dec 1, 2017 at 11:20 AM, Hubert Kario wrote: > On Friday, 1 December 2017 17:11:56 CET Ryan Sleevi wrote: > > On Fri, Dec 1, 2017 at 10:23 AM, Hubert Kario wrote: > > > and fine for NSS too, if that changes don't have to be implemented in > next > >

Re: Swiss Government root inclusion request

2017-12-01 Thread Wayne Thayer via dev-security-policy
I've placed this discussion on hold pending: 1. Updated audit statement specifying the audit period. 2. Updated CP/CPS including CAA information, BR compliance statement, and clearer specification of the domain validation procedures that are in use. Wayne >On Tuesday, November 28, 2017 at

Re: Mozilla RSA-PSS policy

2017-12-01 Thread Jakob Bohm via dev-security-policy
On 01/12/2017 17:06, Ryan Sleevi wrote: On Fri, Dec 1, 2017 at 10:33 AM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: Depending on the prevalence of non-public CAs (not listed in public indexes) based on openssl (this would be a smallish company thing more

Re: Mozilla RSA-PSS policy

2017-12-01 Thread Hubert Kario via dev-security-policy
On Friday, 1 December 2017 17:11:56 CET Ryan Sleevi wrote: > On Fri, Dec 1, 2017 at 10:23 AM, Hubert Kario wrote: > > and fine for NSS too, if that changes don't have to be implemented in next > > month or two, but have to be implemented before NSS with final TLS 1.3 > >

Re: Mozilla RSA-PSS policy

2017-12-01 Thread Hubert Kario via dev-security-policy
On Friday, 1 December 2017 16:33:10 CET Jakob Bohm via dev-security-policy wrote: > On 01/12/2017 16:23, Hubert Kario wrote: > > On Friday, 1 December 2017 15:33:30 CET Ryan Sleevi wrote: > >> On Fri, Dec 1, 2017 at 7:34 AM, Hubert Kario wrote: > It does feel like again

Re: Mozilla RSA-PSS policy

2017-12-01 Thread Ryan Sleevi via dev-security-policy
On Fri, Dec 1, 2017 at 10:23 AM, Hubert Kario wrote: > > > - Windows and NSS both apply DER-like BER parsers and do not strictly > > reject (Postel's principle, despite Postel-was-wrong) > > NSS did till very recently reject them, OpenSSL 1.0.2 still rejects them > (probably

Re: Mozilla RSA-PSS policy

2017-12-01 Thread Ryan Sleevi via dev-security-policy
On Fri, Dec 1, 2017 at 10:33 AM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > Depending on the prevalence of non-public CAs (not listed in public > indexes) based on openssl (this would be a smallish company thing more > than a big enterprise thing), it

Re: Mozilla RSA-PSS policy

2017-12-01 Thread Jakob Bohm via dev-security-policy
On 01/12/2017 16:23, Hubert Kario wrote: On Friday, 1 December 2017 15:33:30 CET Ryan Sleevi wrote: On Fri, Dec 1, 2017 at 7:34 AM, Hubert Kario wrote: It does feel like again the argument is The CA/EE should say 'I won't do X' so that a client won't accept a signature

Re: Mozilla RSA-PSS policy

2017-12-01 Thread Hubert Kario via dev-security-policy
On Friday, 1 December 2017 15:33:30 CET Ryan Sleevi wrote: > On Fri, Dec 1, 2017 at 7:34 AM, Hubert Kario wrote: > > > It does feel like again the argument is The CA/EE should say 'I won't do > > > > X' > > > > > so that a client won't accept a signature if the CA does X,

Re: Mozilla RSA-PSS policy

2017-12-01 Thread Ryan Sleevi via dev-security-policy
On Fri, Dec 1, 2017 at 7:34 AM, Hubert Kario wrote: > > It does feel like again the argument is The CA/EE should say 'I won't do > X' > > so that a client won't accept a signature if the CA does X, except it > > doesn't change the security properties at all if the CA/EE does

Re: Possible future re-application from WoSign (now WoTrus)

2017-12-01 Thread Peter Kurrasch via dev-security-policy
While it is to the benefit of everyone that Richard Wang and other employees at WoSign/WoTrus have learned valuable lessons over the past year, it seems to me that far too much damage has been done for Mozilla

Re: Mozilla RSA-PSS policy

2017-12-01 Thread Hubert Kario via dev-security-policy
On Thursday, 30 November 2017 21:49:42 CET Ryan Sleevi wrote: > On Thu, Nov 30, 2017 at 3:23 PM, Hubert Kario wrote: > > On Thursday, 30 November 2017 18:46:12 CET Ryan Sleevi wrote: > > > On Thu, Nov 30, 2017 at 12:21 PM, Hubert Kario > > > > wrote: > > >

Re: Certigna Root Renewal Request

2017-12-01 Thread josselin.allemandou--- via dev-security-policy
Thank you very much for this analysis and the time spent on our request. You will find below additional information following your comments --- > “CP and terms and conditions are publicly available in a read-only manner. > The

Re: Anomalous Certificate Issuances based on historic CAA records

2017-12-01 Thread Gervase Markham via dev-security-policy
On 30/11/17 14:52, Ryan Sleevi wrote: > I think that, as CAA deployment becomes common, this pattern will be > not-uncommon. I would hope we don't sound false alarms when it does. After a little time (as it does seem some bugs are still being shaken out), I am considering having Mozilla adopt a