Re: On the value of EV

2017-12-12 Thread Kristian Fiskerstrand via dev-security-policy
On 12/12/2017 12:21 AM, Hanno Böck via dev-security-policy wrote: > Hi, > > On Mon, 11 Dec 2017 11:01:10 -0800 (PST) > Ryan Sleevi via dev-security-policy > wrote: > >> I suppose this is both a question for policy and for Mozilla - given >> the ability to

Re: On the value of EV

2017-12-12 Thread Ryan Sleevi via dev-security-policy
On Tue, Dec 12, 2017 at 3:44 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > What you are writing below, with far too many words is that you think > that URLs are the only identities that matter in this world, and > therefore DV certificates are enough

Re: On the value of EV

2017-12-12 Thread Michael Pietsch via dev-security-policy
Would it be reasonable to have some sort of global database where the company names and other identifiers that can be displayed in UI will be stored including some sort of contact data? In the validation process for EV the CA could then be required to contact the companies with similar names

Re: CA generated keys

2017-12-12 Thread Jakob Bohm via dev-security-policy
On 12/12/2017 21:39, Wayne Thayer wrote: On Tue, Dec 12, 2017 at 7:45 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: On 12/12/2017 19:39, Wayne Thayer wrote: The outcome to be avoided is a CA that holds in escrow thousands of private keys used for TLS.

Re: CA generated keys

2017-12-12 Thread Wayne Thayer via dev-security-policy
On Tue, Dec 12, 2017 at 7:45 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 12/12/2017 19:39, Wayne Thayer wrote: > >> The outcome to be avoided is a CA that holds in escrow thousands of >> private keys used for TLS. I don’t think that a policy

Re: On the value of EV

2017-12-12 Thread Jakob Bohm via dev-security-policy
On 12/12/2017 20:04, Ryan Sleevi wrote: On Tue, Dec 12, 2017 at 1:11 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: The overall thing is that the current thread seems to be a major case of throwing the baby out with the bathwater. That is overly

Re: CA generated keys

2017-12-12 Thread Jakob Bohm via dev-security-policy
On 12/12/2017 19:39, Wayne Thayer wrote: On Mon, Dec 11, 2017 at 9:43 AM, Tim Hollebeek via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: I don't know but it's worth talking about. I think the discussion should be "when should this be allowed, and how can it be done

RE: CA generated keys

2017-12-12 Thread Tim Hollebeek via dev-security-policy
> A policy allowing CAs to generate key pairs should also include provisions > for: > - The CA must generate the key in accordance with technical best practices > - While in possession of the private key, the CA must store it securely Don't forget appropriate protection for the key while it is

Re: On the value of EV

2017-12-12 Thread Ryan Sleevi via dev-security-policy
On Tue, Dec 12, 2017 at 1:11 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > The overall thing is that the current thread seems to be a major case of > throwing the baby out with the bathwater. > That is overly reductive and may demonstrate a lack of

Re: CA generated keys

2017-12-12 Thread Wayne Thayer via dev-security-policy
On Mon, Dec 11, 2017 at 9:43 AM, Tim Hollebeek via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > I don't know but it's worth talking about. I think the discussion should > be > "when should this be allowed, and how can it be done securely?" > > The outcome to be avoided

Re: On the value of EV

2017-12-12 Thread Jakob Bohm via dev-security-policy
On 12/12/2017 18:31, Jonathan Rudenberg wrote: On Dec 12, 2017, at 08:36, Jakob Bohm via dev-security-policy wrote: A lot of people have posed suggestions for countermeasures so extreme they should not be taken seriously. This includes discontinuing

Re: On the value of EV

2017-12-12 Thread Jakob Bohm via dev-security-policy
On 12/12/2017 18:19, Ryan Sleevi wrote: On Tue, Dec 12, 2017 at 8:36 AM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: On 12/12/2017 01:08, Adam Caudill wrote: Even if it is, someone filed the paperwork. Court houses have clerks, guards, video cameras,

Re: On the value of EV

2017-12-12 Thread Jonathan Rudenberg via dev-security-policy
> On Dec 12, 2017, at 08:36, Jakob Bohm via dev-security-policy > wrote: > > A lot of people have posed suggestions for countermeasures so extreme > they should not be taken seriously. This includes discontinuing EV, I don’t think that removing the EV

Re: On the value of EV

2017-12-12 Thread Ryan Sleevi via dev-security-policy
On Tue, Dec 12, 2017 at 8:36 AM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 12/12/2017 01:08, Adam Caudill wrote: > >> Even if it is, someone filed the paperwork. Court houses have clerks, > guards, video cameras, etc... It still may present a

Re: Mississuance of EV Certificates

2017-12-12 Thread Ryan Sleevi via dev-security-policy
On Tue, Dec 12, 2017 at 10:18 AM, Nick Lamb via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > > The implemented controls detected the misconfiguration within 24 > > hours. The incorrect configuration was nevertheless recorded as a > > security incident. The handling of

Re: On the value of EV

2017-12-12 Thread Nick Lamb via dev-security-policy
On Mon, 11 Dec 2017 19:08:43 -0500 Adam Caudill via dev-security-policy wrote: > I can say from my own experience, in some states in the US, it's a > trivial matter to create a company online, with no validation of > identity or other information. It takes

On the value of EV

2017-12-12 Thread Peter Bachman via dev-security-policy
I think this is fundamentally an issue of the history of the DNS and X.500 architecture. Combined with social factors since 1996 when the original NSF Directory and DNS grant money ran out, and domains (which had been free) became this wild west name space, which has reached some predictable

RE: On the value of EV

2017-12-12 Thread Tim Hollebeek via dev-security-policy
This is useful feedback. Thanks. -Tim -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+tim.hollebeek=digicert@lists.mozilla.org] On Behalf Of Jakob Bohm via dev-security-policy Sent: Tuesday, December 12, 2017 6:36 AM To:

Re: On the value of EV

2017-12-12 Thread Jakob Bohm via dev-security-policy
On 12/12/2017 01:08, Adam Caudill wrote: Even if it is, someone filed the paperwork. Court houses have clerks, guards, video cameras, etc... It still may present a real physical point from which to bootstrap an investigation. Court houses also have online systems. I think if you read both

Re: On the value of EV

2017-12-12 Thread scott.helme--- via dev-security-policy
I recently talked about [1] some of the many problems I see with EV certificates on my blog but looking at the tangible security benefits of EV they can already be matched, or will soon be matched, by DV certificates. Certificate Transparency will be required [2] for all certificates and not

Re: Mississuance of EV Certificates

2017-12-12 Thread cornelia.enke66--- via dev-security-policy
I have to correct one thing: 7) The implemented controls detected the misconfiguration, when we detectetd the misconfiguration the report was given within 24 hours. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org

Mississuance of EV Certificates

2017-12-12 Thread cornelia.enke--- via dev-security-policy
1)How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date. We became aware of the problem during an internal review of